
Thursday, March 21, 2019

Tenten


TENTEN

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Tenten, which is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Scanning with Nmap, there are just two open ports, 22 and 80:




- Scanning those two ports more deeply, it seems that the web server is running WordPress 4.7.3:





WPScan is a WordPress Security Scanner:

- Launching WPScan against Tenten to enumerate users, we discover the user takis:

- Doing the same for plugins, we discover Job Manager and one associated vulnerability:

- Checking the last reference:


https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/






- So this vulnerability allows an attacker to enumerate the CV filename and brute-force the upload directory structure, where sensitive information can be found:






- The WordPress directory structure for uploaded files is like this:





- Now, dirbusting /wp-content/uploads to discover the year (from 2010 to 2019) and month (from 01 to 12) for which any upload is available:

- So finally we know that April 2017 is the date when uploads are available.
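From the defender's side, the year/month brute force described above leaves a recognisable trail in the web server's access log. The following script is an added example (not from the original post or its exploit) that flags clients whose requests for /wp-content/uploads/YYYY/MM/ directories keep returning 404; the log lines and IP addresses in it are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines standing in for the web server's access log.
SAMPLE_LOG = """\
10.10.14.5 - - [21/Mar/2019:10:01:01 +0000] "GET /wp-content/uploads/2010/01/ HTTP/1.1" 404 291 "-" "python-requests/2.21.0"
10.10.14.5 - - [21/Mar/2019:10:01:01 +0000] "GET /wp-content/uploads/2010/02/ HTTP/1.1" 404 291 "-" "python-requests/2.21.0"
10.10.14.5 - - [21/Mar/2019:10:01:02 +0000] "GET /wp-content/uploads/2011/07/ HTTP/1.1" 404 291 "-" "python-requests/2.21.0"
10.10.14.5 - - [21/Mar/2019:10:01:02 +0000] "GET /wp-content/uploads/2017/04/ HTTP/1.1" 200 512 "-" "python-requests/2.21.0"
10.10.14.5 - - [21/Mar/2019:10:01:03 +0000] "GET /wp-content/uploads/2017/04/HackerAccessGranted.jpg HTTP/1.1" 200 90112 "-" "python-requests/2.21.0"
192.168.1.20 - - [21/Mar/2019:10:05:00 +0000] "GET /wp-content/uploads/2017/04/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Only the year/month directories themselves, not files inside them.
UPLOAD_DIR_RE = re.compile(r'^/wp-content/uploads/(\d{4})/(\d{2})/?$')


def find_upload_enumeration(log_text, threshold=3):
    """Return {ip: {"miss": n, "dirs": set(...)}} for clients that requested
    /wp-content/uploads/YYYY/MM/ directories and got at least `threshold` 404s.
    Legitimate browsers fetch files inside the upload directories; they do not
    probe the directories themselves, so repeated misses here are a strong signal."""
    per_ip = defaultdict(lambda: {"miss": 0, "dirs": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = UPLOAD_DIR_RE.match(m.group("path"))
        if not d:
            continue
        stats = per_ip[m.group("ip")]
        stats["dirs"].add(d.group(1) + "/" + d.group(2))
        if m.group("status") == "404":
            stats["miss"] += 1
    return {ip: s for ip, s in per_ip.items() if s["miss"] >= threshold}


if __name__ == "__main__":
    for ip, s in find_upload_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {s['miss']} misses across {len(s['dirs'])} upload directories")
```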


- Exploring jobs, for instance the 1st one:





- Viewing the source, the job application identification name (Hello World! for the 1st job) appears after the <title> tag:




- Extracting all job names, the 13th one is called HackedAccessGranted:

3 - EXPLOITATION

3.1 - Exploiting WordPress

- Copying the exploit and extending it to the file extensions jpeg, jpg and png:


https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/






- Giving execution permissions:




- Running the Python script exploit against Tenten:





- Finally we have found the URL where the picture HackerAccessGranted.jpg is located; it was uploaded in April 2017, as we already knew.




3.2 - Exploiting Steganography inside a picture

- Downloading the image HackerAccessGranted.jpg:

steghide is a steganography program that is able to hide/unhide data in various kinds of image and audio files:

http://steghide.sourceforge.net/


- Applying steghide over HackerAccessGranted.jpg and using a blank password:




- The private key id_rsa is extracted from the .jpeg image:


 


3.3 - Cracking an encrypted Private Key


- However, id_rsa is encrypted:


 



- The Python script sshng2john.py helps convert id_rsa to John the Ripper's format:

https://github.com/stricture/hashstack-server-plugin-jtr/blob/master/scrapers/sshng2john.py

http://grayhat.shoutwiki.com/wiki/SSH_tricks

 


- Applying sshng2john.py over id_rsa the result is id_rsa_hashed:






- Now, passing id_rsa_hashed to John the Ripper, the password superpassword is discovered in just seconds:




- Giving read and write permissions to the owner of id_rsa:


 



3.4 - Getting a remote shell

- We already know from before that there is a user called takis:





- Connecting to Tenten with SSH by providing id_rsa plus password for user takis:





4 - CAPTURING THE 1st FLAG

- Reading user.txt:






5 - PRIVILEGE ESCALATION


Privilege escalation is easy because user takis has some sudo privileges:

 


- Reading the content of the file fuckin and searching for information about it:





- Running fuckin, we eventually get a root shell:

 




6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

 




Cronos


CRONOS 

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine CronOS, which is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu



2 - ENUMERATION

CronOS' IP is 10.10.10.13:




- Scanning with Nmap, there are 3 open ports: 22, 53 and 80:




- Scanning deeper:





- Transferring the DNS zone with dig:




- Adding cronos.htb and admin.cronos.htb to /etc/hosts:




- Connecting with the browser to cronos.htb:





- For admin.cronos.htb there is a login form:




3 - EXPLOITATION

- Trying a very simple SQL injection, the attack is successful:
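The login bypass works because the form concatenates user input into the SQL statement. As an added illustration (not the Cronos application's code; the users table, the credentials and the sqlite3 backend are constructed stand-ins), here is such a vulnerable query next to its parameterised replacement:

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the admin login's backend
    (a real application would store a password hash, not the password itself)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")  # constructed sample row
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: a quote character in the
    input ends the literal and the rest of the input is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterised statement: the driver binds the values, so the input is
    always compared as data and can never change the query's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Same malformed username against both versions; only the concatenated query
    lets it through, because the trailing '--' comments out the password check."""
    conn = make_db()
    username, password = "admin' --", "not-the-password"
    return login_vulnerable(conn, username, password), login_hardened(conn, username, password)


if __name__ == "__main__":
    print("vulnerable=%s hardened=%s" % demo())
```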




- After authentication with the SQL injection we find a Net Tool application to perform networking commands:





- For instance, let's try ping, pwd, id, ls -la, cat /etc/passwd, cat config.php:

- The last screenshot shows credentials for the database admin; however, we were not successful when trying to connect to the database, so it is a dead-end attack vector.


- Msfconsole provides the module web_delivery to get a remote Meterpreter session:

- Setting options:




- Now the exploit is ready to be run:




- Executing the exploit, a PHP command is provided to be run on the target machine:




- Copying and pasting the command at the Net Tool application:




- After clicking Execute! a successful Meterpreter session is achieved at Kali:

4 - READING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Checking for the existence of any crontab job, we find artisan:




- Reading artisan:




- Downloading artisan to Kali:

- Copying the webshell php-reverse-shell.php to a local folder:



- Adapting the webshell to our needs:






- Copying the content of the webshell to artisan:




- Now, setting a Netcat listening session at port 5555:




- Uploading artisan (the new modified file) from Kali to Cronos:




- After a while (the moment the crontab task runs), a remote root shell is achieved:
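The root shell depends on a root cron job executing a file that a low-privileged user is able to modify. The following added example (not from the original post; the crontab lines and file paths are constructed, and the "artisan" path is a hypothetical stand-in) audits /etc/crontab-style entries for exactly that condition:

```python
import os
import stat
import tempfile


def audit_crontab(crontab_text, trusted_uid=0):
    """Parse /etc/crontab-style lines (min hour dom mon dow user command) and
    return (path, reason) findings for root jobs whose absolute-path arguments
    point at files not owned by `trusted_uid` or writable by group/others.
    Either condition lets a lower-privileged account replace what root will run."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or environment assignment such as PATH=...
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue
        for token in fields[6].split():
            if not token.startswith("/") or not os.path.isfile(token):
                continue
            st = os.stat(token)
            if st.st_uid != trusted_uid:
                findings.append((token, "owned by uid %d, not by uid %d" % (st.st_uid, trusted_uid)))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((token, "writable by group or others"))
    return findings


def demo():
    """Constructed scenario: a root job runs a world-writable script next to a
    correctly protected one. Both files are created in a temporary directory."""
    workdir = tempfile.mkdtemp()
    weak = os.path.join(workdir, "artisan")
    safe = os.path.join(workdir, "backup.sh")
    for path, mode in ((weak, 0o777), (safe, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = (
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
        f"* * * * * root php {weak} schedule:run\n"
        f"0 3 * * * root {safe}\n"
    )
    # The current user owns the files just created, so treat that uid as the legitimate owner.
    return audit_crontab(crontab, trusted_uid=os.getuid())


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a real host, run audit_crontab over the text of /etc/crontab and the files under /etc/cron.d with the default trusted_uid of 0.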





6 - READING THE 2nd FLAG

- Reading root.txt: