TORMENT
- Layout for this exercise:
1 - INTRODUCTION
- Torment can be downloaded from here:
https://www.vulnhub.com/entry/digitalworldlocal-torment,299/
- Once Torment is downloaded and extracted with VMware:
2 - ENUMERATION
- netdiscover helps identify Torment's IP 192.168.1.24:
- Scanning with Nmap we see a lot of open ports:
- Going deeper into port 21, there is an anonymous FTP server:
- Connecting to the FTP server:
- Looking for content, there are some interesting hidden directories:
- Most of the directories are empty, with the exception of .ngircd and .ssh.
- Getting channels from .ngircd:
- Getting id_rsa from .ssh:
- Transfers are successful:
- Reading channels:
- Reading id_rsa:
3 - EXPLOITATION
- ngircd is an IRC chat server listening on port 6667:
- To access ngircd we can use the client HexChat:
- Installing HexChat:
- Launching HexChat:
- Adding server torment:
- Configuring torment at IP 192.168.1.24 and port 6667 (important: uncheck tab Accept invalid SSL certificates). Also, using default password wealllikedebian:
https://git.in-ulm.de/cbiedl/ngircd/raw/master/debian/ngircd.conf
- Connecting to server torment:
- Joining channel tormentedprinter:
- We have found this password for configuration purposes:
mostmachineshaveasupersercurekeyandalongpassphrase
- CUPS is a printing server running on port 631:
- Connecting to the CUPS server on port 631:
- Clicking the Printers tab we find a list of printing services and their users:
- Gathering all potential usernames:
- Msfconsole helps enumerate the SMTP service; passing the usernames file u, we discover that Patrick and Qiu are existing, real users:
- Also, we could learn about Patrick and Qiu from Torment's login screen:
- SSH-ing as user Patrick, with id_rsa and password mostmachineshaveasupersercurekeyandalongpassphrase:
- Sudoer privileges for Patrick include the poweroff and reboot services via the systemctl command:
4 - PRIVILEGE ESCALATION
- Looking for files writable and executable by all users, we find that apache2.conf is writable:
- Adding user qiu to the Apache configuration:
- Now, let's use the webshell php-reverse-shell.php, adapting it to our needs and renaming it myshell.php:
- Setting up a web server on Kali:
- Transferring myshell.php from Kali to Torment:
- Executing /bin/systemctl reboot as a sudoer, we ensure that user qiu runs the apache2 service:
- Setting up a listener on port 1234:
- Running myshell.php:
- A reverse shell is triggered:
- We check that user qiu can run /usr/bin/python as a sudoer with root privileges and no password:
- Using qiu's sudoer privileges we get a root shell:
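The whole escalation above rests on two host misconfigurations: a root-owned Apache configuration file that other users can write, and a sudo rule that lets a user run an interpreter (/usr/bin/python) as root without a password. Both are easy to audit for. The following Python script is an added example, not part of the original walkthrough: it parses sudoers-style user specifications and flags rules for shell-capable binaries or unrestricted `ALL`, and it checks a configuration file's mode bits for group/world write. The sudoers text and the temporary stand-in for apache2.conf are constructed samples modelled on the privileges the walkthrough reports; the list of shell-capable binaries is an illustrative assumption, not an exhaustive one.

```python
import os
import re
import stat
import tempfile

# Binaries that yield a root shell when run under sudo (assumption: short illustrative list)
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "ruby", "bash", "sh",
                 "vi", "vim", "less", "more", "find", "awk"}

# Constructed sample sudoers content modelled on the rules described in the walkthrough
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
patrick ALL=(ALL) /bin/systemctl poweroff, /bin/systemctl reboot
qiu     ALL=(ALL) NOPASSWD: /usr/bin/python
"""

# user  host=(runas)  [NOPASSWD:] cmd, cmd, ...
SUDOERS_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")


def audit_sudoers(text):
    """Return a list of (user, command, reason) tuples for risky user specifications."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue                             # aliases and other directives are ignored here
        user, cmds = m.group("user"), m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in [c.strip() for c in cmds.split(",") if c.strip()]:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" and user != "root":
                findings.append((user, cmd, "unrestricted sudo"))
            elif binary in SHELL_CAPABLE:
                reason = "shell-capable binary" + (" without password" if nopasswd else "")
                findings.append((user, cmd, reason))
    return findings


def audit_config_file(path):
    """Return the permission problems found on a config file that should be root-owned and 0644."""
    st = os.stat(path)
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        problems.append("writable by non-root group")
    return problems


def demo():
    """Run both checks on constructed input; returns (sudo_findings, weak_mode_problems, fixed_mode_problems)."""
    with tempfile.NamedTemporaryFile("w", suffix="apache2.conf", delete=False) as fh:
        fh.write("# constructed stand-in for /etc/apache2/apache2.conf\n")
        path = fh.name
    try:
        os.chmod(path, 0o666)                    # the weak mode: anyone can edit the config
        weak = audit_config_file(path)
        os.chmod(path, 0o644)                    # the expected mode for a root-owned config
        fixed = audit_config_file(path)
    finally:
        os.unlink(path)
    return audit_sudoers(SAMPLE_SUDOERS), weak, fixed


if __name__ == "__main__":
    sudo_findings, weak, fixed = demo()
    for user, cmd, reason in sudo_findings:
        print(f"sudoers: {user} may run {cmd}: {reason}")
    print("apache2.conf at 0666:", weak or "ok")
    print("apache2.conf at 0644:", fixed or "ok")
```

On a real host the same functions would be pointed at the output of `sudo -l` (reformatted) or at /etc/sudoers and at /etc/apache2/apache2.conf; the patrick rule is correctly left alone because `systemctl reboot` is not shell-capable, while the qiu rule and the 0666 file are the two findings that would have prevented the chain in this section.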
5 - CAPTURING THE FLAG
- Reading proof.txt: