Monday, May 30, 2016

Primer: 1.0.1 ~VulnHub

Primer: 1.0.1

Environment:
Attacker: Kali Linux 2016
Vulnerable Machine: Primer 1.0.1
URL: https://www.vulnhub.com/entry/primer-101,136/
VMWare Workstation 12 Player
Networking: Host-based Internal
Target: Not Stated


 

Walk-Through: 


1) Find IP

Use netdiscover -i eth0 -r 192.168.204.0/24 to find IPs in that range. This is the range for my host-based network segment.




The IP 192.168.204.131 looks like the target.



2) Find open ports

Use nmap to scan for open ports




Looks like port 80 is open and that there is a robots.txt file on that web server. This matches what was said in the description for this machine, so that's going to be the main focus.



3) Index.php




Loading up the web-server gives us a basic home page with a login and some text. Not much to go off of so let's take a look at the robots.txt page.



4) Robots.txt






Looks like there is a directory within this web-server.



5) 4_8f14e45fceea167a5a36dedd4bea2543

Navigating to the directory lands us on the following page.






There is a link at the bottom.



6) 5_6512bd43d9caa6e02c990b0a82652dca


Looks like these are levels, and we are now on level 5. We can see that the info for level 6 is at the bottom of the page.





6) Level 6


Browsing to the page for level 6 gives the following login screen.





Looking at the page source gives us two options. First, the level 7 information is listed in plain text towards the bottom of the page. Second, we can see the algorithm that is set for the login.





L="Ikdf076"
If we look at the code we can see that if we plug in L starting at either the second or the seventh character it will let us in. Remember that it counts starting at char 0.






7) 7_70efdf2ec9b086079795c442636b55fb






Here is the hex-encoded script decoded:


lengthsubstringcharCodeAtsplit0123456789abcdefjoinhello5d41402abc4b2a76b9719d911017c5920d28cba0bd4f26e16d766000d27e49fa�#/$location./_.phpreadyStateloadingDOMContentLoadedaddEventListener    <center>      <h1>[++Q++++++]</h1>    </center>    <p>      She was no longer sure what her original assignment had been. But it didn't matter anyway. What still mattered was getting out of here, alive.      Log out, tell the client to go fuck himself and get a fix of n0ise to shut off her mind. Relax with a mindless holo flick and never look back at this weird job.    </p>    <p>      A violent neon flicker appeared at the horizon. No thunder followed.<br>      She stared in the distance with a blank expression.    </p>    <p>      "Hello, Nieve." A deep, feminine, digital voice roared in her head.<br>      FUCK! This was her real name. She hadn't used it in years...    </p>    <p>      "I will logout and stop this shit right fucking now!" She screamed into the neon expanse.<br>      Nothing.    </p>    <p>      She didn't. Something beside the fear occupied her mind. It had been there since the second node and grew stronger with every move. There was a pattern in the path she had taken through the network. An artificial pattern, layed out by someone or something.<br>      There was no hint, no obvious step. Finding the next node would be the challenge, or maybe more like a test.    </p>innerHTMLfoogetElementById



From this I am able to see two md5 hashes:


5d41402abc4b2a76b9719d911017c592
0d28cba0bd4f26e16d766000d27e49fa


Looking them up on https://hashkiller.co.uk/md5-decrypter.aspx shows that they are hello and GOD.


Plugging in GOD as the password gives me the following:






Notice the hint in the page source. It's from the movie Hackers. I had originally tried to guess God as the password but didn't realize until I had the md5 that it was in all caps.


Now, unfortunately, there isn't anything stating what the URL of the next level is going to be. But I have noticed a pattern: "Level Number_md5 Hash". If I take a look at what these hashes consist of, maybe I will have better luck moving forward. Back to https://hashkiller.co.uk/md5-decrypter.aspx



Looks like the hashes are of prime numbers. Knowing that, my next hash should be of 19!
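The directory-name rule worked through as an added example (my code, not anything from the original post): it generalizes the observation above to "level n uses the md5 of the n-th prime", which reproduces every directory name quoted in this walkthrough. The point for a site owner is that a path built from a hash of a predictable counter is enumerable and gives no real protection.

```python
import hashlib


def nth_prime(n: int) -> int:
    """Return the n-th prime (1-indexed: nth_prime(1) == 2) by trial division."""
    if n < 1:
        raise ValueError("n must be >= 1")
    primes = []
    candidate = 2
    while len(primes) < n:
        # candidate is prime if no smaller prime up to sqrt(candidate) divides it
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes[-1]


def level_path(level: int) -> str:
    """Rebuild the '<level>_<md5 of the level-th prime>' directory name."""
    prime = nth_prime(level)
    digest = hashlib.md5(str(prime).encode()).hexdigest()
    return f"{level}_{digest}"


# Directory names quoted in the walkthrough (levels 4, 5, 7, 8 and 9).
# The hash part is the md5 of the 4th, 5th, 7th, 8th and 9th primes.
KNOWN_LEVELS = {
    4: "4_8f14e45fceea167a5a36dedd4bea2543",
    5: "5_6512bd43d9caa6e02c990b0a82652dca",
    7: "7_70efdf2ec9b086079795c442636b55fb",
    8: "8_1f0e3dad99908345f7439f8ffabdffc4",
    9: "9_37693cfc748049e45d87b8c7d8b9aacd",
}


def check_pattern() -> bool:
    """True if every directory name from the walkthrough matches the rule."""
    return all(level_path(lvl) == name for lvl, name in KNOWN_LEVELS.items())


if __name__ == "__main__":
    for lvl in range(4, 10):
        print(lvl, nth_prime(lvl), level_path(lvl))
    print("pattern holds:", check_pattern())
```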

8) 8_1f0e3dad99908345f7439f8ffabdffc4

Looks like I was correct. There is just a link at the bottom of the page to take me to the next level.



9) 9_37693cfc748049e45d87b8c7d8b9aacd

On this page I am given a text box. The last page had given me the idea that this might be a terminal. Let's see.



Giving it some simple commands gives me return information. This is a terminal, but it does not like the whoami command.



I started looking around the /usr directory and was able to find some log files.

Starting with Willis:






Then moving to Falken:

 

I then looked around at some of the commands in the /bin directory.



The ps command will show me a list of the current processes, let's take a look at that.



The connect process looks interesting. Running that command prompts me for a password. Looking back on the logs I have gathered that Falken has a son Joshua that is 44 years old. I tried several password combinations utilizing this information. I finally was able to correctly guess it when I figured out Joshua's birth year based off of the current year 2028. That gave me the password of joshua1984.

 


10) Erebus

 


Looks like another terminal. Let's check again for some logs that might give me some information. Falken doesn't disappoint:






The logs are base64 encoded. Luckily there is a resource on the box to decode the file.






I am able to get the second log file in the same way, but once I try 3 and 4 I get errors.





I am able to read 3 by changing the encoding type, but 4 doesn't come out correctly. It looks like it is encoded with rot13 as well.







Feeding that string into the built-in tool I was able to read it. Sounds like we are going to make another pivot. Let's run the ps command again to see if "Falken" has run another command.




Our hint from the last log was that the password will probably be related to mathematics and the trivial zero. Using Google I was able to find the following:


 

Trying Riemann as the password got me in.


11) TrivialZ3r0




Looking around the first thing I found was a passwd directory.







Looks like it contains md5 hashes of several passwords. I was able to decode them using https://hashkiller.co.uk/md5-decrypter.aspx






Falken's password we already know, but now we have a password for chaos. Now all I have to do is run the ps command just like before.




12) Wintermute




Looking around the directory the only interesting file is the one called nieve.





Now all I have to do is leave the world behind and connect.






13) Beer!!


Thursday, May 19, 2016

SickOs: 1.2 ~ VulnHub


SickOs: 1.2 CTF Walk-Through
 
Environment:
Attacker: Kali Linux 2016
Vulnerable Machine: SickOs 1.2
URL: https://www.vulnhub.com/entry/sickos-12,144/
VMWare Workstation 12 Player
Networking: Host-based Internal
Target: /root/7d03aaa2bf93d80040f3f22ec6ad9d5a.txt

Walk-Through: 

1) Use netdiscover to find IP of the box.



Looks like my target box is located at IP 192.168.204.130. I'm going to use nmap in order to find out what ports are open on the box.

2) Use nmap to find open ports.



There are two open ports on this box. Port 22 for SSH and port 80 for a web server running lighttpd. Let me first look at what the web server has to offer.


 

Not much. There is nothing more offered in the page source either. I'm going to use some tools to try and find out some more information about this server.

3) Use nikto to scan web server



Nikto didn't pick up much from the web server. Let's move on to something else.

4) Dirbuster




Here we go. There is a directory /test but it doesn't hold any data in it.

5) Use CURL to view OPTIONS method





Looking at the options method for the /test directory I am finally getting somewhere. Looks like I can use PUT to upload files into the /test directory.
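As an added check from the server owner's side (my code, not from the original post), this script sends one OPTIONS request and flags any content-modifying methods in the Allow header. The sample response is constructed for the offline run; the DAV header and method list in it are assumptions, not captured from the SickOs box.

```python
import http.client
from typing import Dict, List

# Methods that let a client change server content. Any of them in an OPTIONS
# reply for a directory deserves a look by whoever owns the server.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL",
                 "PROPPATCH", "LOCK", "UNLOCK", "PATCH"}


def parse_allow(raw_response: str) -> List[str]:
    """Return the methods named in the Allow header of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return [m.strip().upper() for m in value.split(",") if m.strip()]
    return []


def risky_methods(methods: List[str]) -> List[str]:
    """Sorted subset of the allowed methods that can modify content."""
    return sorted(set(methods) & WRITE_METHODS)


def audit_path(host: str, path: str, port: int = 80,
               timeout: float = 5.0) -> Dict[str, List[str]]:
    """Live check: one OPTIONS request, then allowed vs. risky methods."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        allow = conn.getresponse().getheader("Allow") or ""
    finally:
        conn.close()
    allowed = [m.strip().upper() for m in allow.split(",") if m.strip()]
    return {"allowed": allowed, "risky": risky_methods(allowed)}


# Constructed sample (assumed, not captured from the SickOs box) of the kind
# of reply a directory that accepts PUT would give.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "DAV: 1,2\r\n"
    "Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    allowed = parse_allow(SAMPLE_RESPONSE)
    print("allowed:", allowed)
    print("risky:  ", risky_methods(allowed))
```

Run audit_path against your own hosts; an empty "risky" list for every directory you serve is what you want to see.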

6) Upload files

Starting with a simple text file I am able to use nmap's http-put script to upload it to the directory.





Seeing the file here in the test directory proves that I can upload files onto the server. Let's step things up with my favorite php reverse shell script.





My script has been uploaded onto the server. Let's fire up my netcat listener to catch the shell when I click on the php script.

7) Use Netcat to get a remote shell

 

I've got a limited shell. Since my target is in the /root directory, I'm going to need to escalate my privileges in order to get the flag.

8) OS Version

My first step when I get a limited shell into a box is to get a /bin/bash shell that I am used to. I do this with a simple python one-liner listed below.



After that I need to find out what version of the OS I am working with. Looks like it's Ubuntu 12.04 LTS.

9) cron.daily

My first step was to try some of the typical vulnerabilities that are out there for 12.04. Unfortunately none of those exploits were able to escalate my privileges. Thinking back on the first machine in this series, which used a daily cron job to run a python file that could be exploited, I thought I would take a look there. My intuition paid off.


A vulnerable version of chkrootkit is being run by the daily cron job. Looking at CVE-2014-0476 at https://www.exploit-db.com/exploits/33899/ I was able to see that I could exploit this program to gain access to the flag.








10) chkrootkit Vulnerability

The vulnerability in chkrootkit requires that you create an executable file called update within the /tmp directory of the server. When the cron job is run, the executable will be run as root. This was probably my biggest hangup when working through this machine. I tried many different executables before realizing that I knew the file name and location of the object I wanted. Therefore, I created a simple executable bash script to copy the file to the /tmp directory and change its permissions so that all users could read it.



I had to remember to chmod +x update in order to allow the file to be run by chkrootkit.

  

Since the cron job is only run daily, I used a simple command to make it run now. This run-parts command asked for a password for some parts of the job, but after skipping past entering the password, the job was able to finish.


At the end, my file was sitting in the tmp directory and I was able to open it as www-data.

11) Beer!!