Thursday, December 6, 2018

DC416-fortress


DC416-FORTRESS

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine DC416-fortress

DC416-fortress can be downloaded from here:

https://www.vulnhub.com/entry/dc416-2016,168/


- Once downloaded and extracted with VirtualBox:





2 - ENUMERATION

- Searching for the IP with netdiscover:





- Scanning with Nmap we discover that there are 3 open ports (22, 80 and 443):




- Going to the web server it is redirected to HTTPS, informing us that there are 3 flags to be found:




- Using dirbuster against the web server with the small size wordlist:










- A file called scanner.php is detected:




- Same result with dirb and the wordlist big.txt:




- Let's see how scanner.php works:




- Trying to bypass the scanner with ; | & there is no result, probably they are filtered characters:

















3 - INTERCEPTING WITH BURP

- Intercepting the scan with Burp and sending to Repeater:





- We discover that a "carriage return" allows to bypass the filter for the scanner, for instance using the command id the response is successful:







- Reading the file scanner.php we understand the details about how the filters are implemented:


 




- Also, we can find some flag text files:







- Even the content of the 1st flag:







- Although it is possible to go further with the Burp attack, we decided to take another way.



4 - EXPLOITATION WITH COMMIX (COMMAND INJECTION EXPLOITER)

- commix helps us to run an automated Command Injection attack:


https://github.com/commixproject/commix


- Some options for commix:










- In our case let's provide as options the URL to be attacked and the data string 'host=127.0.0.1' sent trough POST:




- The pseudo terminal allows us to achieve inner information from Fortress in an easy way:




- Listing content:





- Code from scanner.php:




- Checking what type of file is s1kr3t, it is a directory, and listing its content we have access to the 1st flag:





- Doing same thing with the directory k1ngd0m_k3yz and its content:






- Reading text files master and passwd:






- Although we could try to decrypt password for user craven, let's dig into its /home directory for now:





- For any unknown reason flag.txt is not accesible:





- hint.txt describes how to achieve craven's password:




- reminders.txt tells us that craven's pet's name is qwerty:





5 - CRACKING THE SSH PASSWORD WITH CRUNCH / MEDUSA / HYDRA / JOHN THE RIPPER

- Following instructions from hint.txt and reminders.txt we can use crunch to build a list of passwords with the pattern %%%qwerty^ where % represents all possible numbers and ^ represents a symbol:





- Creating a passlist of 33000 lines:




- Both medusa and hydra with passlist are able to find SSH credentials for user craven:













- Also John The Ripper can help us to decrypt the password. 


- First, unshadowing:










- Applying john over u and passlist:






6 - LIMITED REMOTE SHELL


- Connecting to craven's SSH we achieve a limited remote shell:






- There are two /home directories:








- First, inside user craven's home directory we are able to find the 2nd flag:











- Then, going to /vulnhub we cannot open the 3rd flag:












- ./reader is an executable file that could help to open flag.txt:






- That is not possible at the moment:











- strings on reader gives us a clue about symlinks:






7 - SYMLINKS


-  Creating a soft link we cannot read the flag:






- However, a hard link is accesible from ./reader and eventually we have the 3rd flag: