AdSense

Showing posts with label CAPTURE THE FLAG - VULNERABLE MACHINES. Show all posts
Showing posts with label CAPTURE THE FLAG - VULNERABLE MACHINES. Show all posts

Tuesday, March 1, 2022

w34kn3ss

W34KN3SS

- Layout for this exercise:










1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine w34kn3ss, from the VulnHub pentesting platform.

w34kn3ss can be downloaded from here:

https://www.vulnhub.com/entry/1,270/

- Once the virtual machine downloaded and extracted with VirtualBox:








2 - ENUMERATION

- Looking for IP with netdiscover, it is 192.168.1.43:





- Scanning with Nmap:










- Scanning deeper both ports 80 and 443, we find domain weakness.jth:
























- Dirbusting the web server at port 80:


























- Nothing interesting at folders /blog, /test and /uploads:









































- Editing /etc/hosts by adding domain weakness.jth:



- Dirbusting weakness.jth we find /private:




- Going to http://weakness.jth it seems to be a rabbit hole, though there is a hint about a potential user n30:























- However http://weakness.jth/private provides interesting information:





















3 - EXPLOITATION

- Downloading mykey.pub and moving to the working directory it seems to be an encrypted key for SSH:












- Reading notes.txt we learn that the key was generated by openssl 0.9.8c-1:


- Looking for exploits related to openssl 0.9.8c-1:











- We are dealing with vulnerability CVE-2008-0166: "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0166


- Copying and reading 5622.txt:







- Downloading and extracting 5622.tar.bz2:





















- Now we can look for the SSH private key by passing the encrypted key as parameter to grep, finding it inside /rsa/2048:











- SSH-ing the target with the private key for user n30:











4 - READING 1st FLAG

- Looking inside n30's home folder:












- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Two interesting hints:

    a) there is a file .sudo_as_admin_successful

    b) n30 belongs to group sudo


- Unfortunately we cannot access to n30's sudoer privileges because we don't have the password:




- Regarding the file code we notice that it's Python 2.7 byte-compiled:





- Transferring code to Kali:






- Installing uncompyle6:




-Trying to uncompile code if fails because there is no extension .pyc:


- Adding extension .pyc:



- Running code.pyc there is nothing of interest:









- Now uncompyle6 reverses code.pyc into readable Python source code:



























-Focusing the attention on the column we have n30:dMASDNB!!#B!#!#33 

















- Finally we can try n30's sudoer privileges:








- We get a root shell:






6 - CAPTURING THE 2nd FLAG

- Reading root.txt:







Healthcare

HEALTHCARE

- Layout for this exercise:











1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Healthcare, from the VulnHub pentesting platform.

Healthcare can be downloaded from here:

https://www.vulnhub.com/entry/healthcare-1,522/

- Once the virtual machine downloaded and extracted with VirtualBox:














2 - ENUMERATION

- Discovering IP 192.168.1.46:













- Scanning with Nmap:


- Scanning deeper port 21:









- Scanning deeper port 80:












- Browsing the web server:





















- View-sourcing there are some misleading information:















- For instance folder /admin leads to nothing:














- Dirbusting with rockyou.txt:




- There is a hidden folder called openemr:



- Openemr is a medical management application:























3 - EXPLOITATION

- Looking for exploits for Openemr version 4.1.0:











- Reading 49742.py there is a vulnerable injection point that can be used with Sqlmap:

























- Looking for databases with Sqlmap:














- Looking for tables inside database openemr:










.....................................



- Dumping all about table users we find cleartext passwords for two users:









- So finally we have credentials admin:ackbar and medical:medical.

- Logging into Openemr as user admin:










- There is a management interface for user admin:












- Files at website are stored at /var/www/html/openemr/sites/default:






















- Let's create an exploit named myshell.php:




- Uploading myshell.php to /var/www/html/openemr/sites/default it's not allowed:




- However it is feasible to upload myshell.php to /openemr:










- Setting a listening session at port 3333:





- Now, just calling myshell.php with curl we have a remote shell:






4 - CAPTURING THE 1st FLAG

- Browsing the /home folder we find an additional user called almirant:









- Inside almirant's home folder we find user.txt and the 1st flag:










......................................













5 - PRIVILEGE ESCALATION

- Looking for files with setuid bit:






- For instance file healthcheck, owned by root, it can be run by user medical because of the setuid bit:








- Running healthcheck:






























- Applying strings to healthcheck we discover that it uses some commands like fdisk, ifconfig, du, ... without the whole path (/bin, /sbin):












- So moving to /tmp let's write a new script fdisk containing /bin/bash, and then let's update enviroment variable PATH pointing to /tmp:


- Now, when healtcheck (owned by root) calls to fdisk it will execute /bin/bash as a root.

- Running again healthcheck we have finally a root shell:


























6 - CAPTURING THE 2nd FLAG

- Reading root.txt: