Thursday, December 6, 2018
DC416-fortress
DC416-FORTRESS
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine DC416-fortress
- DC416-fortress can be downloaded from here:
https://www.vulnhub.com/entry/dc416-2016,168/
- Once downloaded and imported into VirtualBox:
2 - ENUMERATION
- Searching for the IP with netdiscover:
- Scanning with Nmap we discover that there are 3 open ports (22, 80 and 443):
- Browsing to the web server, we are redirected to HTTPS and told that there are 3 flags to be found:
- Using dirbuster against the web server with the small size wordlist:
- A file called scanner.php is detected:
- Same result with dirb and the wordlist big.txt:
- Let's see how scanner.php works:
- Trying to inject commands with the separators ; | & gives no result, so those characters are probably filtered:
3 - INTERCEPTING WITH BURP
- Intercepting the scan with Burp and sending to Repeater:
- We discover that a carriage return (a line break) inside the host parameter bypasses the filter: appending the command id after it, the response contains the command's output:
- Reading scanner.php shows how the filter is implemented:
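To see why a blacklist of separators fails and what a proper fix looks like, here is an added Python example (not code from the original write-up or from the DC416 machine): a constructed filter that rejects the same separators, the shell execution behind it, and an allowlist version that validates the value as an IP address and builds an argv list so no shell is involved. The blocked set, `echo` standing in for the scanner's network tool, and the payloads are assumptions.

```python
import ipaddress
import subprocess
from typing import List, Optional

# Constructed stand-in for a blacklist filter of the kind the write-up describes
# in scanner.php (the real PHP source is not reproduced here): the obvious shell
# separators are rejected, but \r and \n are not.
BLOCKED = {";", "|", "&", "`", "$"}


def blacklist_filter(host: str) -> bool:
    """Return True when no blocked character appears (the weak check)."""
    return not any(ch in host for ch in BLOCKED)


def vulnerable_command(host: str) -> str:
    """Command string a vulnerable scanner would hand to `sh -c` after the check.
    `echo` stands in for the real network tool so the example runs anywhere."""
    return f"echo scanning {host}"


def run_in_shell(command: str) -> str:
    """Execute through the shell: the step that turns a line break into a second command."""
    return subprocess.run(["sh", "-c", command], capture_output=True, text=True).stdout


def scan(host: str) -> Optional[List[str]]:
    """Weak filter followed by shell execution; returns output lines, or None if filtered."""
    if not blacklist_filter(host):
        return None
    return run_in_shell(vulnerable_command(host)).splitlines()


def hardened_argv(host: str) -> List[str]:
    """Allowlist instead of blacklist: the value must parse as an IP address, and
    the command is built as an argv list so no shell ever interprets it."""
    addr = ipaddress.ip_address(host)  # ValueError on anything that is not a bare IP
    return ["echo", "scanning", str(addr)]


def accepts(host: str) -> bool:
    """True if the hardened validator lets the value through."""
    try:
        hardened_argv(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for payload in ("127.0.0.1;echo INJECTED", "127.0.0.1\necho INJECTED", "127.0.0.1\r\necho INJECTED"):
        print(repr(payload), "-> weak filter:", scan(payload))
    for payload in ("127.0.0.1", "127.0.0.1\necho INJECTED"):
        print(repr(payload), "-> hardened:", hardened_argv(payload) if accepts(payload) else "rejected")
```

The `;` payload is stopped, but both line-break payloads pass the blacklist and the shell runs the second command. The hardened version does not try to enumerate bad characters at all: anything that is not a valid IP address is rejected, and the argv form removes the shell from the path entirely.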
- Also, we can find some flag text files:
- Even the content of the 1st flag:
- Although it is possible to go further with the Burp attack, we decided to take another way.
4 - EXPLOITATION WITH COMMIX (COMMAND INJECTION EXPLOITER)
- commix helps us to run an automated Command Injection attack:
https://github.com/commixproject/commix
- Some options for commix:
- In our case we pass the target URL and the data string 'host=127.0.0.1' sent through POST:
- The pseudo-terminal lets us gather information from Fortress easily:
- Listing content:
- Code from scanner.php:
- Checking what kind of file s1kr3t is, it turns out to be a directory; listing its content gives us the 1st flag:
- Doing the same with the directory k1ngd0m_k3yz and its content:
- Reading the text files master and passwd:
- Although we could try to crack the password hash for user craven, let's dig into that user's home directory first:
- For some reason flag.txt is not accessible:
- hint.txt describes how craven's password is built:
- reminders.txt tells us that craven's pet's name is qwerty:
5 - CRACKING THE SSH PASSWORD WITH CRUNCH / MEDUSA / HYDRA / JOHN THE RIPPER
- Following the instructions from hint.txt and reminders.txt we can use crunch to build a list of passwords with the pattern %%%qwerty^, where % stands for a digit and ^ for a symbol:
- Creating a passlist of 33000 lines (1000 digit combinations times 33 symbols):
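As an added example (not part of the original write-up), the following Python reproduces what the crunch pattern does, so the size of the keyspace can be checked before pointing medusa or hydra at SSH. It generalizes to crunch's other placeholders (@ for lower-case and , for upper-case letters); the symbol set is taken from crunch's defaults as an assumption, and its 33 members are exactly what gives 10 x 10 x 10 x 33 = 33000 lines.

```python
import itertools
import string
from typing import Iterator

# Placeholder classes as crunch's -t option defines them. The symbol set is
# reproduced from crunch's default charset as an assumption; its 33 members are
# what make the write-up's %%%qwerty^ list 10 * 10 * 10 * 33 = 33000 lines long.
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "
PLACEHOLDERS = {
    "@": string.ascii_lowercase,  # lower-case letters
    ",": string.ascii_uppercase,  # upper-case letters
    "%": string.digits,           # digits
    "^": SYMBOLS,                 # symbols
}


def keyspace_size(pattern: str) -> int:
    """Number of candidates a pattern expands to (a literal position contributes 1)."""
    size = 1
    for ch in pattern:
        size *= len(PLACEHOLDERS.get(ch, ch))
    return size


def expand_pattern(pattern: str) -> Iterator[str]:
    """Yield every candidate: placeholders cycle through their class, literals stay fixed."""
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def write_wordlist(pattern: str, path: str) -> int:
    """Write the expansion one candidate per line (like crunch -o) and return the count."""
    count = 0
    with open(path, "w", encoding="utf-8") as out:
        for word in expand_pattern(pattern):
            out.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    pattern = "%%%qwerty^"
    print(pattern, "expands to", keyspace_size(pattern), "candidates")
    print("first few:", list(itertools.islice(expand_pattern(pattern), 3)))
```

The point of `keyspace_size` is to sanity-check the list before spraying it at a login service: 33000 candidates is small enough for an online attack against SSH, whereas a pattern with one more `^` or `@` position would push it into territory where an offline attack on the hash (as done with john below) is the only sensible option.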
- Both medusa and hydra with passlist are able to find SSH credentials for user craven:
- John the Ripper can also crack the password hash from the files found earlier.
- First, merging the passwd and shadow data with unshadow:
- Then running john against the unshadowed file u with passlist as the wordlist:
6 - LIMITED REMOTE SHELL
- Logging in over SSH as craven, we get a limited remote shell:
- There are two home directories:
- First, inside user craven's home directory we are able to find the 2nd flag:
- Then, going to /vulnhub we cannot open the 3rd flag:
- ./reader is an executable that could help us read flag.txt:
- For the moment that does not work:
- strings on reader gives us a clue about symlinks:
7 - SYMLINKS
- Creating a soft link (symlink) to the flag, reader still refuses to read it:
- However, a hard link is accepted by ./reader, and we finally get the 3rd flag:
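Why a symlink is refused but a hard link is not: the following Python example (added here, not the write-up's or reader's code) creates a file plus both kinds of link in a scratch directory and shows what an lstat()-based symlink check sees, alongside a stricter check that inspects the inode actually opened. That reader rejects symlinks via lstat() is an assumption drawn from the strings hint; `safer_open` illustrates a fix and is not reader's real logic.

```python
import os
import stat
import tempfile
from typing import Dict


def looks_like_symlink(path: str) -> bool:
    """The kind of check the strings hint suggests reader performs (assumed):
    lstat() the path and refuse symlinks. A hard link is just another directory
    entry for the same inode, so lstat() cannot tell it from the original file."""
    return stat.S_ISLNK(os.lstat(path).st_mode)


def safer_open(path: str, expected_uid: int) -> int:
    """Hardened variant (illustration, not reader's code): refuse to follow a
    symlink at open time, then check the inode that was actually opened rather
    than the name: reject extra hard links and files the expected owner does not own."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # ELOOP if path is a symlink
    st = os.fstat(fd)
    if st.st_nlink != 1 or st.st_uid != expected_uid:
        os.close(fd)
        raise PermissionError(f"{path}: unexpected link count or owner")
    return fd


def _passes_safer(path: str) -> bool:
    try:
        os.close(safer_open(path, os.getuid()))
        return True
    except OSError:  # PermissionError and ELOOP both land here
        return False


def link_check_demo() -> Dict[str, object]:
    """Build a file plus a symlink and a hard link to it (constructed data) and
    record what each check sees."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "flag.txt")
        with open(target, "w") as f:
            f.write("constructed flag text\n")
        soft, hard = os.path.join(d, "soft"), os.path.join(d, "hard")

        result: Dict[str, object] = {"target_passes_safer_before_link": _passes_safer(target)}
        os.symlink(target, soft)
        os.link(target, hard)

        result.update({
            "soft_rejected": looks_like_symlink(soft),        # the naive check catches this
            "hard_rejected": looks_like_symlink(hard),        # ... but not this
            "hard_same_inode": os.stat(hard).st_ino == os.stat(target).st_ino,
            "nlink_after_hardlink": os.stat(target).st_nlink,  # link count is an inode property
            "soft_passes_safer": _passes_safer(soft),
            "hard_passes_safer": _passes_safer(hard),
        })
        return result


if __name__ == "__main__":
    for key, value in link_check_demo().items():
        print(f"{key}: {value}")
```

The naive check rejects the soft link and accepts the hard link, exactly what the write-up observes. The stricter check works on the opened inode instead of the path: `O_NOFOLLOW` refuses symlinks, and a link count above 1 fails the open even through the original name, because the count belongs to the inode, not to the directory entry. One caveat for practitioners: the hard-link trick depends on being allowed to link to a file you cannot read, which Linux blocks when the `fs.protected_hardlinks` sysctl is set to 1 (available since kernel 3.6 and the default on most current distributions), so on a hardened target this step would fail.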