Hacking Metasploitable Enumeration & vsFTPd vulnerability

Featured

In this series, I plan to show how I owned Rapid7’s vulnerable Virtual Machine, Metasploitable2.

When hacking computer systems, it is essential to know which systems are on your network, but also know which IP or IPs you are attempting to penetrate. In Metasploitable that can be done in two ways, first, you can quickly run the ifconfig command in the terminal and find the IP address of the machine or you can run a Nmap scan in Kali. I will attempt to find the Metasploitable machine by inputting the following stealth scan.

The SYN scan is the default scan in Nmap. It is also a quick scan and stealthy because it never completes TCP connections. This scan specifically searched all 256 possible IP addresses in the 10.0.2.0-10.0.2.255 range, therefore, giving me the open machines. In my test lab, I had four computers running, one being my Kali box, I was able to find the Metasploitable2 box and all of the open ports.

The next step thing I want to do is find each of the services and the version of each service running on the open ports. Again I will use Nmap for this by issuing the following command.

This scan is again doing the Stealth Scan, but also the -sV flag is verifying the versions of the services, and the -O flag is verifying the operating system running on the machine.

So, what type of information can I find from this scan?

Now I know the operating system s Linux version 2.6.9-2.6.33, the host is running Telnet, which is vulnerable. Also older versions of Apache web server, which I should be able to find a vulnerability for, I see that port 445 is open, this is the SMB or server message block port, I know these are typically vulnerable and can allow you to enumerate the system reasonably easy using Nmap. These are the ones that jump out at me first. I know these will likely give me some vulnerabilities when searching CVE lists.

Next, since I saw port 445 open, I will use a Nmap script to enumerate users on the system.

I decided it would be best to save the results to a file to review later as well. I receive a list of user accounts. Here is where I should stop and say something. You should never name your administrator accounts anything like admin, It is easy for an attacker to determine which username is the administrator and then brute force that password and gain administrator access to that computer.

We found a user names msfadmin, which we can assume is the administrator.

Next, I am going to run another Nmap script that will list vulnerabilities in the system.

Using this script we can gain a lot of information. I saved the results to a text document to review later, and I’m delighted I did. I knew the system was vulnerable, but I was not expecting the amount of information I got back from the script. The script gives a lot of great information, below I am showing the first line I was able to retrieve.

As you can see, the script gives me a lot of information. It tells me that the service running on port 21 is Vulnerable, it also gives me the OSVBD id and the CVE id, as well as the type of exploit. This is very useful when finding vulnerabilities because I can plan an attack, but also, I can see the exact issue that was not patched and how to exploit it.

I decided to go with the first vulnerable port. As the information tells us from the Nmap vulnerability scan, by exploiting the vulnerability, we can gain access to the server by creating a backdoor. I decided to find details on the vulnerability before exploiting it. I followed the blog link in the Nmap results for scarybeastsecurity and was able to find some information about the vulnerability. From reading the documentation, I learned that vsFTPd server is written in the C programming language, also that the server can be exploited by entering a : ) smiley face in the username section, and a TCP callback shell is attempted.

I used Metasploit to exploit the system. The first step was to find the exploit for the vulnerability. I did this by searching vsFTPd in Metasploit.

Searching for the exploit returned the above exploit for the service, so the next steps were pretty simple. In Metasploit, I typed the use command and chose the exploit. Next, I ran the command show options, which told me I needed to provide the remote hosts (RHOSTS) IP address; this is the target machine’s IP address. After that, I just had to set the RHOSTS value to the 10.0.2.4 IP address and type exploit in the command prompt.

From there, a remote shell was created and I was able to run commands.

Next, I wanted to set up proof that I had access. So I decided to write a file to the root directory called pwnd.txt.

I went to the Metasploitable server and changed my directory to the root directory; from there, I was able to see the pwnd.txt file and read the data.

I was left with one more thing. I wanted to learn how to exploit this vulnerability manually. So I tried it, and I sort of failed. First, I decided to use telnet to enter into the system which worked fine, but then I ran into some issues. I assumed that the username could be a smiley face; however, after searching on the web, I found out I needed to have a smiley face after the user parameter.

I did a Nmap scan before trying the manual exploit and found that the port at 6200, which was supposed to open was closed, after running the manual exploit the port is open.

The next step was to telnet into port 6200, where the remote shell was running and run commands.

In conclusion, I was able to exploit one of the vulnerabilities in Metasploitable2. Next, I will look at some of the websites offered by Metasploitable, and look at other vulnerabilities in the server.

Bandit Walk Through 4

Featured

Bandit Level 9

This challenge wanted us to read the file data.txt and find the human readable strings beginning with several equal signs. Since there was non-human readable code in there, I knew that I could use the strings command to get the readable code. I also used grep to find only the lines that matched the === pattern.

Password = truKLdjsbJ5g7yyJ2X2Ro3a5HQJFuLK

Bandit Level 10

This time the flag is again stored in a data.txt file, but the data is encoded using base64. For this challenge I need to read the data using echo and pipe it to decode using base64 decoder.

Password = IFukwKGsFW8M0q3IRFqrxE1hxTNEbUPR

Bandit Level 11

This time the flag is again stored in a data.txt file, but this time the encoding method is ROT13. I looked up how to encode ROT13 in linux and found a command using the translate command. I echoed the data from the file and piped the translate code.

Password = 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit Level 12

This one was very tedious. I am sure there was a much simpler way than the way I did, it but I will have to find out later. Essentially this time the data.txt file has been compressed several times. The objective is to decompress the file every time by determining the name of the file, renaming it, then decompressing the file. This was done in several steps so I will not explain how I did it but will show it all below.

Password = 8ZjyCRiBWFYkneahHwxCv3wb2a10RpYL

Bandit Level 13

This time the challenge required us to use ssh from the level 13 server and log on as the level14 user using a private key. I had to look up how to use private keys in ssh and was able to find ample information. I’m becoming a Google Fu blackbelt!  I used the below command to do so.

Then it was as simple as reading the etc/bandit_pass/bandit14 file to get the flag.

Password = 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Bandit Level 14

For level 14 the requirement was to send the password for level 14 to port 30000 to retrieve the next flag. I used netcat and then put the current password in. That gave me the next flag

Password = BfMYroe26WYalil77FoDi9qh59ek5xNr

PicoCTF 2019 Part 2

Extensions
This flag gives a weird Text File that has the flag hidden inside. At first glimpse, without downloading the file, I figure it must be hidden as a txt file, but it is another file type. After downloading the file, I use the file command to read the kind of file it is. Upon reading the output, I notice that flag.txt is a PNG image file, so I changed the extension to png and used eye of gnome to view the png file and get the flag.


Flag = picoCTF{now_you_know_about_extensions}

First Grep
The title of this challenge gives an obvious hint as to what the command we are going to use is. Grep is going to be piped into the reading the file to find an expression that is being passed. I am going to use the cat command to read the file, then pipe grep and search the file for anything that begins with pico. So the command would look like this “cat file | grep pico”. Which gives the flag.


Flag = picoCTF{grep_is_good_to_find_things_eda8911c}

Netcat
In this challenge, we are being challenged to use Netcat to comment to the shell server on port 32225 to get the flag. Netcat is used to read and write to TCP and UDP listening ports. When using the command, I am given the correct flag.


Flag= picoCTF{nEtCat_Mast3ry_b1d25ece}

Practice-run-1
This challenge required me to connect to the shell server using SSH and then to run a program. The knowledge necessary to run this challenge is how to run a program on a Linux environment. First, I connected using ssh to the shell server. Then I used the listing command ls to view the files in the directory. I noticed that a file named run_this is in the directory, so I ran the program using the command “./run_this.” Running that command returned the flag.


Flag = picoCTF{g3t_r3adY_2_r3v3r53}

Robots
This challenge required me to find a site that is not allowed to be seen by web scrapers. This challenge was named aptly for the type of file we are looking. When someone does not want google or other scrapers to find a site they may be hosting on their servers they use a file called robots.txt. This file is typically found by inputting the directory of the website and appending robots.txt at the end. I tried this and was given the robots.txt file. From there, we can view the file that is not allowed. As seen in the picture below, a file named 0194a.html is being disallowed.


When going to the file in question, the flag is seen.


Flag = picoCTF{calculating_Mach1n3s_0194a}

So Meta
In this challenge, we are given an image file that contains the flag. According to the name of the challenge, it is safe to assume that the flag is hidden in the metadata. I used a tool called exfiltool to extract the metadata out of the image file, and from there was able to see the flag under the artist’s header.


Flag = picoCTF{s0_m3ta_dc38ce45}


Strings it
In this file, we are given a program that has the flag hidden inside. The object is not to run the file, but to find it in the source code. Because the challenge is called strings it, I assume that I must have to use the strings command to find the data. The strings command shows the human-readable content within a file. What I decide to do is use strings to copy the information to another file that I can use grep. I use the strings command and the > operator to move all human-readable characters to a text document. This allows me to use grep to read anything that starts with pico from the text file.


Flag = picoCTF{5tRIng5_1T_d5b86184}


Vault Door Training
This challenge gives us a java program that is hiding the password. The java file is supposed to be used to determine if the user has input the correct password. If they have not, they are denied access. The password is hardcoded into the program, and the program is attempting to determine if the user input matches the hardcoded password. For this file, it is simple, read the source code and find the hardcoded password.


Flag = picoCTF{w4rm1ng_Up_w1tH_jAv4_3b50073Bc12}

Vault-Door-1
This challenge is very similar to the vault door Training challenge; however, the programmer thinks they have hidden the password much better in the program. They have used the java charAt() command to hid the password. The charAt() command specifies the location of the character. If I wanted to construct the word pizza and I were to use the function charAt() with a parameter of 0, charAt(0) == ‘p’ && charAt(1) = ‘I’ and so forth I could spell out pizza. The developer has tried to use these out of order. The first thing I did was I used grep to find all of the lines that start with password.charAt. Then moved that to a file called vault.txt.


Next, I want to cut the file so that I can sort it. I use the bash command cut to cut out anything before the opening parenthesis.


Next. I use the bash command sort to sort the contents by number, and I have to write out the flag


Flag = picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_03f841}

picoCTF 2019 part 1

2Warm

In the 2warm challenge, we are given a base 10 number, 42, and we have to change it to a binary base 2 number. I decided to use a python script to complete this challenge. Created an input that saves the number, converted the number to binary, and took out the leading two characters. Then I printed that to the command line, and it gave us the solutions.

Flag = picoCTF{101010}

13

This next challenge gives the flag encoded using ROT13 encryption. I decided to use python again for this operation. I created an input for the flag that stored the encrypted flag in a variable called rottenCode. Then decoded rottenCode using the codecs library in python and stored that in a variable called ripecode. I added a new step here where I added pyperclip to copy the code straight to the clipboard so that I could paste it much easier.

Flag = picoCTF{not too bad of a problem}

Glory of the Garden

At first, I tried to use hexedit to view the file. However, the file was too large to look through and view the flag. Even when I moved it to a text document it was not easy to grep. Instead I used Strings, and I pasted placed the output into a text file so that I could grep the output. I then grepped the output looking for the line that started with pico, which gave me the flag.

Flag = picoCTF{more_than)m33ts_the_3y31e0af5C7}

Lets Warm Up

This challenge requirement is that a hexadecimal value is converted to ASCII. This is another challenge that is great to solve with python. I imported codecs, saved the hex value into a variable called hexInput. Then decoded the hexInput using codecs. The string needs to be converted from bytes to UTF-8. Then printed the flag.

Flag = picoCTF{p}

Numbers

This challenge offers a picture that has a bunch of numbers that needs to be converted to letters to find the flag. First look I noticed that it had the curly braces that are typical of the picoCTF flag, so I noted that it was likely the entire flag. Since each of the numbers was under 23 I figured it must be the location of the letter in an alphabet array. I used python to convert this one, as well. Using python I started by placing the alphabet into the variable alphabet. I set up two arrays, one to start the first half of the flag before the curly braces and the second array for the second half of the array. I iterated through the alphabet variable to find the letter that was at each spot in the alphabet variable. I realized that the variable would start at the location of zero, so I had to subtract one from each number in the arrays. Then I concatenated the values of the flag with the curly braces and printed the value of the variable picoFlag.

Flag = PICOCTF{THENUMBERSMASON}

Unzip

This was an easy flag that I was able to do in the terminal. First, I used wget to download the zipped file into my folder. I Unzipped the folder, then noticed there was a png file inside the zipped folder. Sometimes the file may be a png file, but upon further inspection you can notice that the file is something different. So I checked the file to ensure it was a png file, which was then used Eye of Gnut to open the image, which gave me the flag.

Flag = picoCTF{unz1pp1ng-1s3a5y}

Warmed up

In this challenge, the flag is a base 16 converted to a base 10. In other words a hexadecimal value needs to be converted into a decimal. I used python to find this flag, as well. I stored the value in a hexstring variable. Converted the hexstring to an integer, then printed the concatenated the flag wrappers with the value of the hexString variable and printed that to the command line, and copied it using pyperclip.

Flag = picoCTF{61}

Inspector

This flag gives a website that you need to inspect to find the flag. The first thing I noticed was that the website mentioned HTML, CSS, and JS. This made me automatically think that the flags were going to be hidden in all three of the files in the source code.

I first checked the HTML source code and found the first 1/3 of the flag.

Next I viewed the CSS file and found the middle section of the flag.

Lastly, I found the last portion of the flag in the JavaScript file.

Flag = picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?1638abde7}

Bandit Walk through 3

Level 5:

This level required me to find the password stored in the inhere directory that had three properties; it had to be human readable, 1033 bytes in size, and not an executable. For this, I decided to use the find command. I knew I would need to give it a few other flags, so I started by changing the directory to the inhere directory. I constructed the command to look for the size of 1033c ensure it was readable with the readable flag and not an executable by inputting the special character for not in front of the flag for executable. This returned a directory and file; I used the cat command to read the file, notice the file has a period in front of it, so I had to use an escape character to get to it.

The password for level 6: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6:

Level six’s password was stored somewhere on the server and had to be owned by the user bandit7 and the group bandit6 and had to be 33 bytes in size. Using the find command, I searched the entire server by inputting /. Then looked for a file type of f for file and inputted a couple of flags for size, the user and the group. Initially, when I did this it returned so much information, I got a headache. I wanted to figure out how to only return the one location that met all these parameters. I came across the Linux documentation and saw the final command in the string 2>/dev/null. This specific string returns only the correct location because it stores all the errors (stderr) I was seeing earlier into the dev/null file. Once I got that information, I was able to cat the file and receive the password.

Password for level 7: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7:

I got Occupy the Web’s book “Linux Basics for Hackers” for Christmas, when reading that book I learned a lot about grep, I had used it previously but was not very familiar with it prior. As soon as I saw this challenge I knew how to figure this one out. Level 7 stores the password in a data.txt file next to the word millionth. I know I could pipe grep millionth into a cat command call and it would return the password.

Password for level 8: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8:

Level 8 had a password stored in the data.txt file, but it was the only line of text that was unique. I decided to read the file, sort it by piping the sort command, and then identify the unique line of text by using the uniq -u command. That inevitably returned the password.

Password for level 9: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Over the Wire Bandit Walk-through 2

Level 4:

This level required that I find the flag in the only human readable file in the Inhere directory. I thought about trying a few other ways of doing this, but I found out on my first attempt that what I had intended, worked, and I did not go any further. For this one, I used the cat command with an asterisk at the end of the file. The asterisk is a wildcard that searched through each of the files that start with file, no matter what is at the end. When I used this command in that sequence, it worked, and I was able to sort through just a little bit of junk to find the password.

The password for level 5 is koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5:

I was incredibly surprised at how easily I figured this one out. I thought it would take me a long time. However, it only took me a few minutes with a little help from google. The point behind this challenge is to find a file in the inhere directory that is human-readable, 1033 bytes in size and not executable. In this challenge, I used the find command. I knew since I had some properties that I had to follow I would have to add a few extra flags to get to the file. Using the find command, I had to use the size flag to put the size of the file we wanted to see. Since the file size was 1033 bytes, we had to add the file size as -size 1033c and add a readable as well as an executable flag. The readable flag is simply -readable, but since the property has to be not executable a ! is required before the -executable flag. This tells the shell that we do not want to find a file that is executable. After running this command the file  ./maybehere07/.file2 is returned, so I run the cat command on that and the password for level 6 is returned.

Level 6 password is DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6:

Level 6 offered some challenges. This challenge was very similar to the last challenge; I had to look for a file that had three properties. This had to be owned by the user bandit7 and the group bandit6 and a size of 33 bytes. This initially I thought it would be very similar to the last challenge, except I would have to search the entire drive and add the owners and it would return the value I wanted. However, I kept getting stuck on a bunch of random characters and so forth. I googled how to sort through all of the information and figured out I could redirect my output from the command to dev/null, and it would return the name of the directory. From there I could cat the file. So I searched the entire drive by using. Instead of just the period like last time, then I wanted to view a file, that was 33 bytes in size, so I used the command -type f and -size 33c. Next, the user and group needed to be given, so I used the -user and -group flags and directed it to the dev/null. Then I was given the directory and was able to cat into it.

Password for Level 7: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7:

Level 7 was one that I was very familiar with the commands. The challenge requirement was to find the password in the data.txt file that was next to the word millionth. I knew from previous classes, and other endeavors that grep was the perfect tool for this one. I was able to pipe grep with the words millionth with the cat command and it worked. When used grep allows the user to locate specific information in a file.

Password for level 8: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Over The Wire Bandit Walk-through 1

For the last few weeks I have been playing a war game at OverTheWire.org called Bandit. The game essentially teaches linux basics. I thought it would be a great opportunity to share what how I came to the results in my blog. This specific blog post goes through levels zero through 3.

Level 0:

This level is simple. The object is to login to the server using SSH, next look for the readme file that  has the password stored in it and read it.

First I log into the server then use the listing command ls to show the files. There is a file named readme so I use the cat command to print the contents of the readme file.

The password for level 1 is boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1:

In level 1 I need to read a file that does not have a traditional filename, but it has a special character as the filename. When reading files in Linux it is necessary to use an escape character to read a file that uses special characters. This is done by using the string combination of ./

For this level I again used ls to read the listing of files in the directory. I see that the directory has a file named -, in order to read a file that is named using a special character I have to use the escape combination of ./ and the cat command.

The password for level 2 is CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2:

This level requires that I read a file that has spaces in it. Again an escape character is needed to do this, if an escape character was not used then cat would try to read each word in the filename as a different file and would likely give an error saying “spaces does not exist in this directory” or something to that degree. The solution to this problem would be to used the escape character \ after each word, and include the space. The command would look like that cat spaces\ in\ this\ filename

Since we use the escape character it continues to read through the file as  if it were one string.

The password for level 3 is UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3:

This level requires that I find a hidden file in the inhere directory. For this level it is necessary to use a few other commands. First I use the change directory to command to change to the inhere directory. Since the file is hidden if I were to ls I would not find any directories. So I have to use a special command that shows all files in a directory. I use the listing all command by using ls with a flag a. The command would be crafted as such ls -a. As can be seen in the screen shot below we see a .hidden file. In order to read the file an escape character is required because the file begins with a special character. I used the forward slash again for this so the command reads cat \.hidden

The password for level 4 is  pIwrPrtPN36QITSp3EQaw936yaFoFgAB