The Ether – A New Boot 2 Root Hacking Challenge

Introduction

Lately, I’ve been enjoying creating hacking challenges for the security community. This new challenge revolves around a company called The Ether, which has proclaimed an elixir that considerably alters human welfare. The CDC has become suspicious of this group due to the nature of the product they are developing.

The Goal

The goal is to find out what The Ether is up to. You will be required to break into their server, root the machine, and retrieve the flag. The flag will contain more information about The Ether’s ominous operations regarding this medicine.

Any Hints?

This challenge is not for beginners. There is a relevant file on this machine that plays an important role in the challenge; do not waste your time trying to de-obfuscate the file. I say this to keep you on track. This challenge is designed to test you on multiple areas and it’s not for the faint of heart!

Last Words

Whatever you do, do not give up! Exhaust all of your options! Looking forward to having OSCPs take this challenge. As always, good luck, have fun, God bless, and may the s0urce be with you.

http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip

f1re_w1re


LazySysAdmin Hacking Challenge

Introduction

Welcome back, everyone. In this new thread I will be posting my solution to the LazySysAdmin hacking challenge found on Vulnhub and my overall thoughts about it. I have to be honest, I struggled with completing this challenge primarily because I spent countless hours looking for web application flaws and inspecting every single avenue of exploitation. In hindsight, the challenge could have been completed in a matter of minutes, but of course the reality of arriving at such a solution takes…hours.

The description of the challenge follows – The story of a lonely and lazy sysadmin who cries himself to sleep. According to the author, enumeration was key to solving this puzzle.

Tools used:
– Hydra
– SMBClient
– Dirbuster (or similar tools)
– Python, for automating tasks on the fly (more on this later).

Target Enumeration

There were a couple of open ports upon scanning the target: your standard HTTP port, SMB port, and SSH port. At first, the service on port 80 looked promising! I was wrong, big time. I spent a couple of hours a day looking at directory listings, analyzing WordPress install files, and PHPInfo(); however, this was a huge diversion. After giving up, I took another approach and was curious what the SMB daemon offered.

smbclient -L 192.168.0.14

I saw a couple of shares, 2 of which could not be used to leverage a vulnerability. I was able to connect to the share$ share and list the files on the document root.

smbclient '\\192.168.0.14\share$'

The deets.txt file grabbed my attention so I decided to download it and find its contents:

CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

Brute Forcing Fun and Flag

I knew that 12345 was the password to something, but I was not sure what. Based on my research on the WordPress site previously, possible users were Admin, togie, or root. In context with the challenge (a lazy admin), I was positive that root login was enabled on the SSH daemon. The first thing I tried, despite having a possible password, was to brute force the root SSH account. I was shocked to find the following:

hydra -l root -P cracker/rockyou.txt 192.168.0.14 ssh

The root password was indeed 12345. I was able to sign in via SSH and retrieve the flag.
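From the defender's side, a password-guessing run against SSH leaves a burst of failed logins in the daemon's log, followed by one success if a guess lands. The following is an added example, not part of the original write-up: it scans constructed OpenSSH-style log lines (the host name, source addresses, timestamps and threshold are assumptions) and flags any account where repeated failures from one address reach the threshold, noting whether an accepted password followed.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's syslog format; not taken from the challenge VM.
SAMPLE_LOG = """\
Oct  3 10:15:01 host sshd[1201]: Failed password for root from 192.168.0.20 port 40122 ssh2
Oct  3 10:15:02 host sshd[1202]: Failed password for root from 192.168.0.20 port 40124 ssh2
Oct  3 10:15:02 host sshd[1203]: Failed password for invalid user admin from 192.168.0.20 port 40126 ssh2
Oct  3 10:15:03 host sshd[1204]: Failed password for root from 192.168.0.20 port 40128 ssh2
Oct  3 10:15:04 host sshd[1205]: Failed password for root from 192.168.0.20 port 40130 ssh2
Oct  3 10:15:05 host sshd[1206]: Accepted password for root from 192.168.0.20 port 40132 ssh2
Oct  3 11:02:10 host sshd[1300]: Failed password for togie from 192.168.0.21 port 51000 ssh2
Oct  3 11:02:19 host sshd[1301]: Accepted password for togie from 192.168.0.21 port 51002 ssh2
"""

# Matches both "for root" and "for invalid user admin" variants.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=3):
    """Flag (source IP, user) pairs with at least `threshold` failed passwords.

    `compromised` is True when an accepted password from the same source
    arrives after the failure count has reached the threshold.
    """
    failures = defaultdict(int)
    compromised = set()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            compromised.add(key)
    return [
        {"ip": ip, "user": user, "failures": n,
         "compromised": (ip, user) in compromised}
        for (ip, user), n in sorted(failures.items())
        if n >= threshold
    ]

if __name__ == "__main__":
    for finding in find_bruteforce(SAMPLE_LOG):
        print(finding)
```

A single mistyped password followed by a normal login (the togie lines in the sample) stays below the default threshold and is not reported.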

After completing this challenge, I had questions and I was wondering how secure the WordPress site was; after all, it was running the latest version. After doing some recon on the file system, I placed the Admin’s password in one of my word lists to see if local brute force protection was enabled.

After 50 password attempts, I was able to brute force the admin page through XMLRPC. This password grants you access to the WP dashboard and MySQL database. What I found aligns with the context of a lazy system admin.

Conclusion

What did I learn? Well at first, I got lost in the sea of files and checking to see which ones were world-readable. I got very frustrated and I knew my last-ditch effort was a brute force attempt – little did I know that was the fastest way to solve this challenge. An SSH brute force attack would have gotten you root access and the solution to this challenge. Once everything was figured out, everything looked simple, but I cannot hide the fact that this took me a couple of days to riddle! What was your solution?

Until next time,
May the s0urce be with you.