DC416-FORTRESS
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine DC416-fortress
- DC416-fortress can be downloaded from here:
https://www.vulnhub.com/entry/dc416-2016,168/
- Once downloaded and imported into VirtualBox:

2 - ENUMERATION
- Searching for the IP with netdiscover:

- Scanning with Nmap, we discover that there are 3 open ports (22, 80 and 443):

- Visiting the web server, we are redirected to HTTPS, and the page informs us that there are 3 flags to be found:

- Using dirbuster against the web server with the small wordlist:



- A file called scanner.php is detected:

- Same result with dirb and the wordlist big.txt:

- Let's see how scanner.php works:

- Trying to bypass the scanner with ; | & gives no result; these characters are probably filtered:






3 - INTERCEPTING WITH BURP
- Intercepting the scan with Burp and sending to Repeater:

- We discover that a "carriage return" bypasses the scanner's filter; for instance, with the command id the response is successful:


- Reading the file scanner.php, we can see the details of how the filters are implemented:


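As an added example (not the VM's scanner.php, whose source the writeup does not reproduce), the following Python models the blocklist described above beside an allowlist validator and a command builder that never goes through a shell; the blocked character set and the ping command it wraps are assumptions.

```python
import ipaddress
import re
import subprocess

# Assumption: scanner.php's filter is modelled as a blocklist of the three
# characters the writeup found to be filtered (; | &).
BLOCKED_CHARS = frozenset(";|&")

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def blocklist_allows(host: str) -> bool:
    """Weak check: passes anything that avoids the three blocked characters.
    Control characters such as \\r and \\n are not on the list, which is why
    the carriage-return trick described in the writeup gets through."""
    return not any(c in BLOCKED_CHARS for c in host)


def is_valid_host(host: str) -> bool:
    """Allowlist check: accept only a literal IP address or an RFC 1123-style
    hostname. Whitespace, control characters and shell metacharacters are all
    rejected without having to enumerate them one by one."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def scan_argv(host: str) -> list[str]:
    """Build the scanner command as an argv list (ping is an assumed stand-in
    for whatever scanner.php really runs). The host is validated first, then
    passed as a single argument with no shell involved, so it can never become
    a second command. A leading '-' fails validation, so argument injection
    into the tool's own options is excluded as well."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_scan(host: str) -> subprocess.CompletedProcess:
    """Execute the scan without shell=True (not exercised by the tests)."""
    return subprocess.run(scan_argv(host), capture_output=True, text=True, check=False)
```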
- Also, we can find some flag text files:


- Even the content of the 1st flag:


- Although it is possible to go further with the Burp attack, we decided to take a different route.
4 - EXPLOITATION WITH COMMIX (COMMAND INJECTION EXPLOITER)
- commix helps us to run an automated Command Injection attack:
https://github.com/commixproject/commix
- Some options for commix:



- In our case let's provide as options the URL to be attacked and the data string 'host=127.0.0.1' sent through POST:

- The pseudo-terminal makes it easy to gather information from inside Fortress:

- Listing content:

- Code from scanner.php:

- Checking what type of file s1kr3t is, we find it is a directory; listing its content gives us access to the 1st flag:

- Doing the same with the directory k1ngd0m_k3yz and its content:


- Reading text files master and passwd:


- Although we could try to crack the password for user craven, let's dig into its /home directory for now:

- For some unknown reason flag.txt is not accessible:

- hint.txt describes how to obtain craven's password:

- reminders.txt tells us that craven's pet's name is qwerty:

5 - CRACKING THE SSH PASSWORD WITH CRUNCH / MEDUSA / HYDRA / JOHN THE RIPPER
- Following the instructions from hint.txt and reminders.txt, we can use crunch to build a list of passwords with the pattern %%%qwerty^, where % represents any digit and ^ represents a symbol:


- Creating a passlist of 33000 lines:

- Both medusa and hydra, using passlist, are able to find the SSH credentials for user craven:




- John the Ripper can also crack the password.
- First, unshadowing:



- Running john with the unshadowed file u and passlist:

6 - LIMITED REMOTE SHELL
- Connecting over SSH as craven, we get a limited remote shell:


- There are two /home directories:

- First, inside user craven's home directory we are able to find the 2nd flag:


- Then, going to /vulnhub we cannot open the 3rd flag:


- ./reader is an executable file that might help open flag.txt:


- That is not possible at the moment:

- Running strings on reader gives us a clue about symlinks:


7 - SYMLINKS
- Creating a soft link, we still cannot read the flag:


- However, a hard link is accessible through ./reader, and eventually we get the 3rd flag:

