Tag: writeup

Pwning Pwned
Overview:
```
Pwned Machine IP Address: 192.168.56.37
My Machine IP Address: 192.168.56.20
```
Mission:
```
To gain access to root and read the flag file Flag.txt.
```
Download:
```
You can download the machine from here.
```
************************************

To know the IP address of the Target Machine:
```
 sudo arp-scan --interface=vboxnet0 192.168.56.1/24
```
Scanning:
```
nmap -sC -sV  -p- 192.168.56.37 -o nmap.log
```
Output:
```
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
```
Let’s get a glimpse of the website first because the machine is running an apache web server.

Attacker name:
```
Annlynn
```
After the attacker’s name, I didn’t get any. So, usually, I like to check robots.txt

http://192.168.56.37/robots.txt

It redirects to some files and I won’t go through it here because it was a rabbit hole.

I did run Nikto scanner and got a little information but it was nothing special, as it just gave me things which I got earlier. (The folder called nothing. That’s all)

Gobuster Scanner:
```
dir -u 192.168.56.37 -w /usr/share/wordlists/directory-list-2.3-medium.txt -o gobuster.log
```
We got a new file, called hidden_text. This experience taught me an important lesson, i.e. never depend on a single tool for everything.
```
http://192.168.56.37/hidden_text/
```
I tried every parameter and, I thought to automate the process either through Burp Suite or a shell command. Perhaps, after this task is over, I will write a script to automate this task for us.
```
http://192.168.56.37/pwned.vuln/
```
View source code:
```
ftpuser' && $pw=='B0ss_B!TcH'
```
Exploitation:

Well, credential didn’t work with about login panel, so let us try with FTP (we know the machine is running FTP through Nmap scan.)

Yes, I was able to log into the machine by using the above credentials

However, I think it is important to pass -a as argument along with the command dir -a. Because although I was not able to see anything despite the command executed successfully.

I found two files in there. It looks like important because one file is an ssh key and other note content username. Probably we could get access by using this information.

username: ariana

password: ssh private key

Remember before using an SSH key, set the permission to either 400 or 600. (usually, I like 400 on production and 600 when I am trying something like a pwning machine).
```
chmod 600 id_rsa
```
```
ssh ariana@192.168.56.37 -i id_rsa
```
Yes, we got a shell here. Usually, as soon as I get a shell, I like to try some low hanging fruits first. Like what is shown in the screenshot.

So far we got this information:

User ariana may run the following commands on pwned:
(selena) NOPASSWD: /home/messenger.sh
```
cat /home/messenger.sh  (make a mental note)
```
```
congratulations you Pwned ariana

Here is your user flag _______

fb8d98be1265dd88bac522e1b2182140

Try harder.need become root
```
To be honest, I am yet to have breakfast and thought to grasp some but because of this flag, I am gonna stick with the machine sometimes more.

I found a diary called ariana-personal.diary

It was written

It’s Ariana personal Diary :::

Today Selena fight with me for Ajay. so i opened her hidden_text on server. now she resposible for the issue.

I didn’t get anything special, so how about we run the script that we got from above? /home/messenger.sh
```
sudo -u selena /home/messenger.sh
```
I struggled a little here and need to have a peek on other people’s walkthrough (it is here.)

yes, it is perfect time to get an interactive shell.
```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
```
id 

docker images 

docker run -v /:/mnt --rm -it privesc chroot /mnt sh
```
I got root here, however, I was not happy because I don’t know what this script (docker run -v /:/mnt –rm -it privesc chroot /mnt sh) does. So gonna do little research after breakfast…

Wish you all a productive day!!

Some Rabbit holes while I was digging the account of ariana.

Other things, what I did

I thought to find some SUID and SGID file manually, however, since I have linpeas.sh on my Kali Machine (192.168.56.33). So I am going to upload the shell from there to the target machine. That way, it will do everything automatically.

chmod +x linpeas.sh (on target machine /tmp folder)

While I was going through the extensive report from the linpeas.sh, I can definitely conclude that the machine is running an outdated docker container.
```
ps aux | grep "docker"
```
1. Result excerpt from linpeas.sh

2. Result excerpt from linpeas.sh
July 19, 2020
Will I able to pwn “Lord Of the Root” ?
Hello there,

I hope you are all safe and doing well. I am not sure whether it is a good idea however, instead of prayer all the time why not I volunteer to do the errand of old people around the place I stay, to purchase groceries and basic necessary things during the lock down period. So I am going to make few notice page and leave my contact there provided anybody require my help. Yes, my parents are in Tibet which I can’t physically help them but I do believe in karma. If I help the people in here, there will be kind and compassionate people over there who will assist my parent 🙂 (Even if it is just a fallacies, I am gonna believe it :))

OK. Today, I am going to do a very challenging box (at least to me lol). Hopefully, it won’t beat me black and blues lol

Step 01:
```
ifconfig
```
Kali Linux IP: 192.168.56.11

Step 02:

Target machine IP: 192.168.56.19

You can try any methods

(more…)
March 27, 2020
Me and My Girl Friend – This is the machine name lol
Today is 22nd March and we are having all India curfew to “stay at Home” from the COVID-19. Had a good breakfast and by the time I was washing my face, a kettle of water is already boiled. So, everything set to pwn the machine.

*********************************************************************************************

Description og the Game:

This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp“, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!

Difficulty Level: Beginner

Notes: there are 2 flag files

Learning: Web Application | Simple Privilege Escalation

Download the Machine from this link: Click Here

********************************************************************************************************************************************

Step 01:
```
sudo ifconfig
```
My Kali Linux Machine IP address is: 192.168.56.11

Step 02:
```
nmap 192.168.56.11/24 > target_ip.log 

cat target_ip.log
```
I know save this output because I get confused with different IP addresses (recently I been playing with couple of machines)

So the Target Machine IP address is: 192.168.56.17

Step 03:

Let’s find what services, service version and port numbers is currently running on it.
```
nmap -sC -sV -p- 192.168.56.17 -oN nmap.log
```
Step 04:

It is confirmed that a webserver (Apache) is running on it. Besides, result of step 03 is very important. If we can’t find anything useful, we will have to go through it again and attack another services etc.. So keep this in mind.

Let’s find files in the webserver.. Which usually you can do with nikto or gobuster. I do both.
```
nikto -h 192.168.56.17 > nikto.log
```
Visit the website and files we found through nikto scanner

1.1 Visit website.

“The site can only be accessed local” which is very important hint. (localhost or 127.0.0.1)

1.2. Source code: Ctrl+U (on firefox)

very important hint “use x-forwarded-for”

To be honest, I know it will act as redirection but I don’t know the syntax so I googled and I got this ..

So the syntax is
```
x-forwarded-for localhost
```
1.3 At this time, I just fire-up my burp suite and modified the request. (let me know if you don’t know how to use burpsuite or configure it, in the comment).

I had to manually put the custom header value there on each request (x-forward-for: localhost) However, I am very happy with the result and perhaps when time permits me today, I will read more on how to automate this, so that I won’t have to spend that much time for such task 🙂

Yes, when I see the login page I felt very excited and google few sql cheat sheet right away and start experimenting. Nevertheless, I was no luck. However, if you have read the last couple of post, I did LFI to one of the box. So, I thought why not I open an account and upload my shell in there. (usually this is done during the bug bounty too)

So I began to messing with the ID values up in the URL location. I place 1 there and checked, then 2, and then 3… I enumerate till 6 and I got all the user registered on this website with their password.

If you do remember the game description which is at the very beginning of this write up, our person of the interest is alice.

Yeah, we got the password of user alice.
```
username: alice 
password: 4lic3
```
As per the nmap result, we know that the SSH protocol is running on the box.
```
ssh alice@192.168.56.14
```
Usually, I used to think how come those blogger knows everything about the box.. Now I realized it. I tried SUID binaries and tried and ran into my rabbit holes, but I didn’t write it here lol

While I was solving the previous box, the author trolled me to wait for password (although there isn’t one) and the user itself is sudo user so no complex exploit is required to root that. Therefore, in this box, I would like to test whether the current user has sudo on it. So I googled the syntax and guess what I got?
```
Yes, /usr/bin/php has root privilege enabled on it.
```
I know through python, we can escalate the privilege by writing three lines of code (to set value for setuid, setgid). However, I have no idea with PHP. So I googled a little and thought it will be faster to ask some pointer from OSCP STUDY GROUP.

Indeed I got help and I was able to root it within few seconds. (using this link)

So I will not write details of it, because everything is there in that link. Probably you should read a little too 🙂

As per the requirement, we need to get two flags and root the system.

So far we root the system and got one flag.

However, another one I am not sure where it is. Let’s use the power of find command lol

find / -name gfriEND*

No, I didn’t find anything. Let’s enumerate again carefully this time…

Yes, indeed.. it is here… fishhhhhhh lol

Flag 01 is here:

Final Assign and message which Bob wish to know is here.

Going to prepare lunch now.. Hopefully I could take down another box today 🙂
March 22, 2020