Touch
Data Analyst
LEVEL 1
400 XP
Gears of War: EP#1 VM is made by eDu809. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.
Level: Intermediate
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.
Penetration Testing Methodology
Network Scanning
Enumeration
Exploiting
Privilege Escalation
Walkthrough
Network Scanning
Let’s start by scanning the network for targets using Netdiscover.
We found the target IP Address 192.168.1.184. Let’s begin with basic port scanning with NMAP.
Enumeration
For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.
Since HTTP service was not much of a help. On the other hand, we can clearly note from the nmap scan that we have the SMB service running, and we don’t have any credentials for the ssh so we went directly on with SMB. We logged in using the command mentioned. There is a list of shared directories. We tried accessing LOCUS_LAN$ directory and enumerated it. We find a notes.txt file and msg_horda.zip file. Let’s transfer these files on our machine to read their contents.
We tried opening the msg_horda.zip file but it seems password protected.
We thought of reading the contents of SOS.txt file and it was a success. It surely gave us a hint about the characters of the password for ZIP file.
Exploiting
It’s time to FIRE UP!! Crunch and generate a wordlist as per the combination of the password we have fetched from the SOS.txt file.
Once the wordlist is all set up, we have used FCRACK TOOL to crack the password for the ZIP file as shown below.
The password for the ZIP file is r44M. We also found a key.txt file inside the ZIP file.
After reading the key.txt file, we got another credential which could be useful for SSH login but we still need a username. Bring up HYDRA.
We have brute forced the username for SSh Login using hydra with password 3_d4y.
After successfully logged into SSH, we try enumerating the /etc directory but couldn’t because user Marcus doesn’t have the privileges to access the /etc directory.
Privilege Escalation
Since our target machine is in a bash shell. We will be using a command to force SSH for TTY allocation. This will help us run commands as an administrator. Finally, we are able to access the /etc directory.
On reading the passwd file which was not much help, but we got an idea what we can do next.
On checking the SUID bit for all the readable files under /bin directory, we came to know that the current user can use the cp command. This is going to be interesting.
Without any further waiting, we need the password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use the openssl to generate a salted hash.
Now back to our user marcus on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We have to use nano command to make an entry in the /tmp directory. After making an entry we checked the entry using the tail command. cd /tmp
Now all we to do login using username and password, we just created to get our root shell. On enumeration we found flag.txt.
Time to Read our Final Flag!!
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Security Analyst. Contact Here
Level: Intermediate
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.
Penetration Testing Methodology
Network Scanning
- Netdiscover
- Nmap Port Scan
Enumeration
- Browsing HTTP Service
- SMB Login
Exploiting
- Using Crunch to generate a wordlist
- Using Fcrack to bruteforce ZIP file password
- Using Hydra to bruteforce SSH Login
Privilege Escalation
- Reading /etc/passwd File
- Getting SUID bit files
- Using Openssl for generating a password hash
- Adding User to /tmp file
- Reading Final Flag
Walkthrough
Network Scanning
Let’s start by scanning the network for targets using Netdiscover.
Code:
netdiscoverWe found the target IP Address 192.168.1.184. Let’s begin with basic port scanning with NMAP.
Code:
nmap -A -p- 192.168.1.184Enumeration
For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.
Since HTTP service was not much of a help. On the other hand, we can clearly note from the nmap scan that we have the SMB service running, and we don’t have any credentials for the ssh so we went directly on with SMB. We logged in using the command mentioned. There is a list of shared directories. We tried accessing LOCUS_LAN$ directory and enumerated it. We find a notes.txt file and msg_horda.zip file. Let’s transfer these files on our machine to read their contents.
Code:
smbclient -L 192.168.1.184
smbclient //192.168.1.184/LOCUS_LAN$
get msg_horda.zip
get SOS.txt
lsWe tried opening the msg_horda.zip file but it seems password protected.
We thought of reading the contents of SOS.txt file and it was a success. It surely gave us a hint about the characters of the password for ZIP file.
Exploiting
It’s time to FIRE UP!! Crunch and generate a wordlist as per the combination of the password we have fetched from the SOS.txt file.
Code:
crunch 4 4 -t @%%, -o wordlistOnce the wordlist is all set up, we have used FCRACK TOOL to crack the password for the ZIP file as shown below.
Code:
frackzip -D -u -v -p wordlist msg_horda.zipThe password for the ZIP file is r44M. We also found a key.txt file inside the ZIP file.
After reading the key.txt file, we got another credential which could be useful for SSH login but we still need a username. Bring up HYDRA.
We have brute forced the username for SSh Login using hydra with password 3_d4y.
Code:
hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y -T4 192.168.1.184 sshAfter successfully logged into SSH, we try enumerating the /etc directory but couldn’t because user Marcus doesn’t have the privileges to access the /etc directory.
Code:
ssh [email protected]
id
cd /etcPrivilege Escalation
Since our target machine is in a bash shell. We will be using a command to force SSH for TTY allocation. This will help us run commands as an administrator. Finally, we are able to access the /etc directory.
Code:
ssh [email protected] -t "bash --noprofile"
cd /etc
Code:
pwdOn reading the passwd file which was not much help, but we got an idea what we can do next.
Code:
cat passwdOn checking the SUID bit for all the readable files under /bin directory, we came to know that the current user can use the cp command. This is going to be interesting.
Code:
find /bin -type f -perm -u=s 2>/dev/nullWithout any further waiting, we need the password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use the openssl to generate a salted hash.
Code:
openssl passwd -1 -salt raj pass123Now back to our user marcus on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We have to use nano command to make an entry in the /tmp directory. After making an entry we checked the entry using the tail command. cd /tmp
Code:
nano passwd
cat passwd | tailNow all we to do login using username and password, we just created to get our root shell. On enumeration we found flag.txt.
Code:
su raj
whoami
cd /root
ls -alTime to Read our Final Flag!!
Code:
cat flag.txtAuthor: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Security Analyst. Contact Here