Table of Contents
Hello everyone! Welcome all of my viewers, to this brand-new video. In today's tutorial, we will be dealing with a vulnerable machine, categorized as " Easy " in terms of difficulty.
To begin with, you'll need to download the vulnerable image from the VulnHub website. If you're not familiar with VulnHub yet, feel free to check out these videos on the VulnHub playlist.
Vulhub - Vulnerable By Design
Vulhub is a collection of pre-built vulnerable docker environments that are designed for learning and practicing security testing. It provides various intentionally vulnerable web applications and services for hands-on security training.
Settings Up
After you've successfully downloaded the image, it's time to
set up the server using VirtualBox, which is a straightforward process.
1. Launch VirtualBox, Go to the "File" menu, and select "Import Appliance".
2. Import the downloaded OVA file.
Browse your computer to locate the download file and click "Next."
3. Review the appliance details and settings.
You can keep the default settings or make adjustments based on your needs.
4. Click "Finish" to begin importing.
Once the import is done, the “EvilBox one” vulnerable machine will appear in the VirtualBox Manager.
5. Select the virtual machine and click "Settings", and change the network adapter to " Host-only adapter ".
Make sure that both your Kali Linux Machine, which is used for performing attacks, and your vulnerable machine must be connected to the same network.
Once the setup is done, it's time to start the Virtual Machines.
You'll notice that our Vulnerable Machine is all set, and we now have a login prompt waiting for us.
Let's dive into the fun!
Enumeration
Enumeration is the first process of our attack, aimed at identifying the IP Address of our Target Machine using NetDiscover. To do this, open a terminal, and run the following command:
From the scan result, we have obtained our target IP
address, which is, "
192.168.95.115
".
Performing Network Scans with Nmap
Next, we perform a network scan to detect what ports are open. Scanning the Network is an essential part of the enumeration process. This allows us to understand the attack surface and plan targeted attacks. For this purpose, we'll use the popular Nmap tool. Use the following command on the terminal:
Where,
- -sC is used to perform a script scan using the default set of scripts, and
- -sV is used to enable version detection, which will detect, what versions are running on what port.
From the Network scanning, we have spotted two open ports.
- The Port 22/TCP runs an SSH service, indicating that with valid credentials, gaining login access to the server will be straightforward
- Port 80/TCP runs an HTTP service, suggesting a vulnerable website is being hosted.
Web Enumeration and Directory Discovery with Gobuster
Now, let's explore the content of the website running on
Port 80. To look at the contents ourselves, open a web browser of your choice,
and navigate to the target’s IP address in the URL bar at the top of the
window.
Apache2 Debian default Webpage |
Upon visiting the webpage, we discovered " Apache2 Debian default Webpage ." Unfortunately, there doesn't seem to be any valuable information visible on the page. To dig deeper, we can inspect the page's source code by right-clicking on the page.
View-Source Mode |
There is nothing valuable information. To further investigate the target URL, we will conduct directory busting to uncover hidden or difficult-to-access directories and pages. For this task, we'll use the " gobuster " tool with the following command:
Where,
- gobuster dir is used to instruct gobuster to perform directory busting.
- -u is used to specify the target URL we want to explore.
- -w is used to provide the path to the wordlist containing common directory names to try.
Using the directory-busting tool, we have identified two crucial directories. One of them is named " /secret," and it returns a status code of 301.
The HTTP code 301 signifies a "Moved Permanently" response, indicating that the URL has been permanently redirected.
Upon exploring the " /secret " web directory, we encountered an empty page.
Let’s enumerate further to gather more information.
To gather more information, we can view the page's source code by right-clicking on the page and selecting the "view page source" option.
Unfortunately, we haven't come across any useful information
at this point. However, our investigation is ongoing, and we may need to
explore further to uncover potential vulnerabilities or sensitive data.
Let's continue our investigation by using "gobuster" to perform directory busting, which helps us uncover hidden or challenging-to-access directories and pages. Here, I suspect there might be PHP, HTML, or other text files of interest. To delve deeper, let's run another round of directory busting with the "-x" flag.
Where,
- -x flag enables us to focus our search on specific file types, as needed.
Upon completing the modified directory busting, we made a significant discovery. We stumbled upon a webpage named " evil.php " with a status code of 200.
The status code 200 , indicates that the request was successful, and the web page's content is available in the message body.
As we visited the "
/evil.php
" webpage, we found it
to be empty. To gain more insights, let's analyze the webpage's source code by
right-clicking with the mouse and selecting "view page source."
Although we didn't find any valuable information at first glance, a closer examination suggests that the webpage might be susceptible to LFI (Local File Inclusion) .
Detecting Local File Inclusion (LFI) Vulnerabilities with FFUF
LFI (Local File Inclusion)
vulnerability could potentially allow us to
access sensitive files from the server. To verify this, we'll need to conduct
further tests to identify any LFI vulnerabilities present in the URL.
Let's proceed with identifying any potential
Local File
Inclusion (LFI)
vulnerabilities in the URL if any exist in the URL.
Firstly, we need to identify the parameters used in the URL.
Parameters are usually denoted by a
question mark (?)
followed by key-value
pairs.
After manual testing, we have not yet successfully gained any valuable information.
To further investigate, we'll use "ffuf," an automatic fuzzing tool. We'll test various payloads in the parameters to identify potential vulnerabilities.
Use the following command to perform fuzzing against the specified URL.
In this command,
- -u is used to specify the target URL for fuzzing,
- -w is used to specify the wordlist containing the payloads to be tested,
- -c is used to color output for better readability,
- -r is used to follow redirects while fuzzing
- -fs is used to filter responses based on HTTP status code 0 (that is, show all responses).
Upon completion of the fuzzing, we discovered that the target URL is vulnerable to LFI, and the output parameter is "command". Let's return to the web browser and test the newly discovered parameter.
After attempting to access it, we found sensitive files including the "/etc/passwd" file. After examining the contents of the "/etc/passwd" file, we came across a username associated with the vulnerable machine, namely "mowree."
Gaining SSH Access by Extracting Private Key via LFI
From Nmap, we have discovered that the vulnerable machine has Port 22 open with an SSH service, which means, that obtaining both the username and password would provide us with foothold access to the server.
As we don't currently possess a valid password, we need to
explore alternative methods to access the vulnerable machine through SSH.
Fortunately, we have identified a potential approach – utilizing the
"id_rsa" file.
SSH (Secure Shell) relies on key-based authentication, and having the "id_rsa" file grants us a significant advantage. This file contains the private key necessary for authentication without requiring a password. By leveraging this private key, we can potentially gain access to the SSH service running on the vulnerable machine.
After conducting a search on Google for the default file path of SSH in Linux, we uncovered the standard location for the SSH private key, (i.e., ~/.ssh/id_rsa).
This valuable information enables us to target and access the
private key associated with the SSH service on the vulnerable machine. Armed
with this knowledge, we can proceed with our efforts to gain entry into the
system.
To access the SSH private key, we can confidently navigate to the user's home directory, " /home/mowree ." It is common knowledge that the /.ssh file, which houses the SSH private key, is often stored within the user's home directory.
By accessing this location, we are one step closer to obtaining the crucial private key required for SSH access to the vulnerable machine.
Returning to the browser, we can now navigate to the file path of the SSH private key, which is located at " /home/mowree/.ssh/id_rsa ."
Upon reaching this path, we successfully discover the SSH private key. To preserve its contents, we copy the key and paste it into a text editor, saving it with the filename " id_rsa ."
Having obtained the private key, we can now proceed to gain
access to the server effortlessly using an SSH client tool. The private key
will serve as the authentication mechanism, allowing us to establish a secure
and privileged connection to the vulnerable server.
Foothold
Now that we have the " id_rsa " private key, we can use it to gain access and establish a foothold on the server. However, before running the SSH command, we need to ensure that the permissions on the "id_rsa" file are set correctly.
To do this, we will use the " chmod " command-line utility to modify the file's read and write permissions. Type the following command: " chmod 600 id_rsa ".
This will set the file's permissions to allow read and write access only for the owner of the file, and no access for any other users or groups.
By setting these permissions, we enhance the security of the private key and ensure that only the appropriate user can access it. Now, we are ready to use the " id_rsa " key with the SSH client tool to gain entry into the server.
Let's proceed with the SSH connection. Type the following command:
This will instruct SSH to use the "id_rsa" private key for authentication.
Upon initiating the SSH connection, you may be prompted to provide the passphrase for the "id_rsa" key.
Passphrases are an additional layer of security for private keys. If the private key was generated with a passphrase, you'll need to enter it before gaining access to the server.
Now, we encounter a challenge as the private key requires a passphrase, which we don't know. However, we have a potential solution by attempting to brute-force the passphrase using a password-cracking tool called John the Ripper.
You might be familiar with the process if you've watched a tutorial or video on cracking SSH keys.
Decrypting SSH Key Files with John The Ripper
Open a new terminal and use the " ssh2john " tool to extract the hash file from the " id_rsa " private key.
Next, type " john " followed by the hash file path and specify the " rockyou.txt " wordlist using the " --wordlist= " flag.
Upon executing the command, John the Ripper will start its password-cracking process. If successful, it will provide us with the passphrase for the private key, which will give us the access that we need.
Now that we have successfully obtained the passphrase for the private key, let's make another attempt to establish an SSH connection.
As you can see, we have gained access to the Evilbox vulnerable machine.
To proceed further, let's locate the user flag, which is typically found in the same directory. You can use the "ls" command to verify its presence.
Once you identify the user flag, you can utilize the " cat " command to view its contents and accomplish the next step in our exploration.
As you can see, we have successfully obtained the user flag. Now, our primary focus is to acquire the root flag.
Upon navigating to the root directory to obtain the root flag, we need
root
permission.
It appears to be like that, we lack the necessary
permissions to access the root directory. Therefore, let's proceed with
Privilege Escalation to elevate our privileges and gain access to the root
flag.
Privilege Escalation
During privilege escalation, the first step is to gather
information about the system and identify potential vulnerabilities or
misconfigurations that could allow us to elevate our privileges to gain access
to the root level.
Firstly, Enumerate User Permissions to check, the user's
privileges and rights on the system. This can be done by running commands like
"
sudo -l
" or "
id
" to see what commands the current
user can run with elevated privileges.
Let me run the “id” command to find the user and group names, and numeric IDs like UID, or group ID of the current user or any other user on the server.
Upon running the "id" command, we discovered
that both the UID and group belong to the user "mowree".
Let's check the rights and privileges of the current user by running the " sudo -l " command.
After executing the command, we
discover that the user "
mowree
" does not have any special sudo
privileges or orders available to them.
Privilege Enumeration with LinPEAS
Now, our best option is to use LinPEAS.
As mentioned
earlier, LinPEAS is a powerful tool used to extract various information,
including SUID binaries, vulnerabilities, and more, which can aid in privilege
escalation.
To get started, you need to download LinPEAS from its GitHub repository.
PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation
PEASS-ng is a collection of privilege escalation scripts for Windows and Linux. It provides a comprehensive set of tools and scripts to assist in identifying potential privilege escalation vectors during security assessments and penetration testing.
Once you have LinPEAS, initiate a " Python3 HTTP server ".
Now, we need to download LinPEAS on the target system. Let's switch back to the target server and navigate to the "/tmp" directory.
To download LinPEAS, we will use the " wget " command followed by the IP address of the machine running the Python3 HTTP server.
If you are unsure about the IP address of your host-only adapter, you can use the "ifconfig" command to find it.
After successfully downloading LinPEAS on the attack server, we can use the " ls " command to check, if the file exists.
Now, let's verify if LinPEAS has the necessary execution permissions.
It appears that LinPEAS lacks execution permission at the moment. We can grant the required permission by using the " chmod +x linpeas.sh " command.
Once the execution permission is granted, we can run the " linpeas.sh " file.
After running "linpeas.sh", this tool will generate its output, providing comprehensive information, including SUID binaries, vulnerabilities, and other relevant data, to aid in the privilege escalation process.
After analyzing the LinPEAS output, I made a significant discovery: the /etc/passwd file is writable. This presents an opportunity for Privilege Escalation as we can modify the /etc/passwd file.
By adding a new username and password, we might be able to elevate our privileges and gain higher access to the system.
Writable /etc/passwd Privilege Escalation
To do this, we'll use the openssl command line tool to
generate an encrypted password for the new user.
First, we'll display the contents of the " /etc/passwd " file by typing " cat " followed by the file path.
Next, we'll have to
copy the structure of the "
root
" user and paste it into a text
editor.
Text-editor |
Instead of "x" replace it with a dollar sign. Inside the brackets, we'll use the " openssl passwd -6 -salt <user_name> <password> ".
- Instead of " root," we'll use the new username for the user that we want to create.
Where,
- the " -6 " flag indicates an SHA-512 hash
- the "-salt" flag adds salt to the hash for security.
After that, we'll add the " echo " command to save the changes to the " /etc/passwd " file.
Finally, we'll copy the newly generated command, and paste the entire command into the terminal to add the new user.
You can verify, if our command was successfully executed or not, using the " cat " command:
With the newly created user, we can now switch to root privileges by running the "su" command.
Once we have successfully gained root access, we can verify it using the " whoami " command, which should display " root " as the current user.
Now, that we have root privileges, we can access the root flag. To check if the root flag exists, simply type the " ls " command.
Once confirmed, we can use the "cat" command to view the contents of the root flag.
By doing so, we have successfully acquired the root flag, indicating that we now have full control over the system.
If you have any questions or doubts, feel free to leave a
comment in the comment section below. I'll be happy to help and address any
inquiries you may have.