System-Pentesting || Hard

Ahmet Göker
11 min read, Oct 15, 2023

Hello everyone,

Welcome to our new educational blog post on Python penetration testing. In this blog, we will explore techniques for uncovering and securing credentials that may be susceptible to hacking. If you’re ready, let’s dive in!

This blog is divided into three essential phases, each of which presents unique challenges and opportunities for successfully exploiting a targeted system. Throughout this blog, you’ll gain valuable insights into how to exploit these phases using three distinct approaches. Our goal is to equip you with the knowledge and skills needed to understand and secure systems from potential threats. So, let’s begin our journey of exploration and learning!

Gathering Information/Flag-1

It is always important to gather as much information as you can about a vulnerable system. Without this step you will never find the information you need to identify exploits. In this phase we scan the machine and enumerate ports, protocols and websites, collecting as much as we can.

I have patiently waited for an extended duration due to an in-depth system scan. My anticipation is to discover the potential outcomes and benefits I can obtain from this machine.

To begin our exploration of network ports, it’s essential to systematically identify and examine the services associated with them. We will initiate this process by focusing on two significant ports: 80 and 22. Port 80 is our initial choice because it often hosts a web server, potentially yielding valuable information that can be leveraged for SSH access. SSH (Secure Shell) is a secure communication protocol used for remote administration, and understanding the web service on port 80 may provide insights into the system, helping us in our later efforts to establish an SSH connection with a valid username and password.

We were redirected to this page on port 80. It seems that some strings have been blacklisted, so when we try to use a reverse shell server/client it will not work! We need to find bypass techniques.

Sign-up does not work! It says that only admins have access to this page. We will use other techniques to enumerate this site, such as directory scans. With the help of Gobuster, we may be able to find some useful directories.

Remember the output: “Sorry, but due to some recent security issues, only admins can use the site right now. Don’t worry, the developers will fix it soon :)”. Since the site is written in plain HTML, admin.html is a likely page name. Let’s give it a try!

Awesome! We can search for any SQL injection.

Hmm… Access denied! We know that this page is written in HTML; can we look at the source code?

Awesome! Before diving into the whole source code, I will explain some useful syntax that appears in it.

This JavaScript code snippet is designed to handle form submissions and perform specific actions when a form is submitted. Let’s break down what it does:

  1. document.forms[0].onsubmit = function (e) {: This line attaches an event handler to the submit event of the first form on the page, indicated by [0]. When the form is submitted, the function inside the brackets will be executed.
  2. e.preventDefault();: This code prevents the default behavior of form submission, which is to send the form data to the server and refresh the page.
  3. if (document.getElementById('username').value !== 'connor') {: This condition checks whether the value of the input field with the id 'username' is not equal to 'connor'.
  4. document.getElementById('fail').style.display = '';: If the value in the 'username' input field is not 'connor', this code sets the display style of the element with the id 'fail' to an empty string. This makes the element with the id 'fail' visible on the page, showing an error message or some other content.
  5. const hash = int_array_to_text(string_to_int_array(int_array_to_text(string_to_int_array(chosenPass))));: This line creates the hash by applying a sequence of operations to chosenPass (presumably the user's input):
     • chosenPass is first converted to an integer array using string_to_int_array.
     • The resulting integer array is then converted back to a string using int_array_to_text.
     • This string is then converted to an integer array once again.
     • Finally, the last integer array is converted to a text representation.
  6. if (hash === 'dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu') {: This condition checks whether the hash is equal to a specific hardcoded string. If they match, the user has entered the correct password.
  7. window.location = 'super-secret-admin-testing-panel.html';: If the hash matches the expected value, the code redirects the user to a super-secret admin testing panel page.
  8. else { document.getElementById('fail').style.display = ''; }: If the hash does not match the expected value, it makes the element with the id 'fail' visible on the page, typically showing an error message to indicate that the password is incorrect.

Awesome! We know the username connor, and we have a secret page called super-secret-admin-testing-panel.html.

Hmm! Are we able to use a reverse shell?

This is the source code of this page!

Do you remember? The server says to us: “With our new, foolproof blacklist, no one can break into our servers, and we can all enjoy the convenience of running our python code on the cloud!” We ought to use some bypass technique to get the reverse shell.

Decoding hash/Flag-2

The first step is done. The second is to decode the hash we found earlier. In order to decode it we need to understand the code properly:

We need to understand this code properly to crack the hash. The hash was already given to us. I believe when we decode the hash we will also automatically have the password of SSH.

We need to focus on:

“int_array_to_text(string_to_int_array(int_array_to_text(string_to_int_array(chosenPass))));”

  1. string_to_int_array()
  2. int_array_to_text()

We divide this into 2 parts, and I will explain each part to you.

string_to_int_array()
  1. const intArr = []: This line initializes an empty array intArr where the integer values will be stored.
  2. The function then enters a loop using for to iterate through each character in the input string str.
  3. const charcode = str.charCodeAt(i): For each character in the string, it calculates the Unicode character code using the charCodeAt method. This code represents the character as an integer.
  4. const partA = Math.floor(charcode / 26); and const partB = charcode % 26;: The function breaks down the character code into two parts: partA and partB. partA is calculated by dividing the character code by 26 and taking the integer part using Math.floor. partB is obtained as the remainder when dividing the character code by 26.
  5. intArr.push(partA) and intArr.push(partB): The partA and partB values are then pushed into the intArr array. This effectively converts each character into two integer values and stores them in the array.
  6. After processing all characters in the input string, the function returns the intArr array, which now contains the integer representation of the original string.
int_array_to_text()
  1. let txt = '';: This line initializes an empty string variable txt. This variable will be used to store the resulting text.
  2. for (let i = 0; i < int_array.length; i++) {: This is the beginning of a for loop that iterates over the int_array. It starts with i set to 0 and continues until i is less than the length of the int_array.
  3. txt += String.fromCharCode(97 + int_array[i]);: Inside the loop, the code appends characters to the txt string. It uses the String.fromCharCode function to convert a character code to a string character. The character code is calculated as 97 (the Unicode code for 'a') plus the value at the i-th position in the int_array.

This will be written in Python.

  1. The decode function takes one parameter, hash, which is a string to be decoded.
  2. Inside the function, two empty strings, txt and final, are initialized. These strings will be used to store the intermediate and final decoded results, respectively.
  3. The function performs a double-decoding process on the hash string. This process reverses the encoding algorithm that was applied twice to the password.

First Decoding:

  • The hash string is iterated over in steps of 2, meaning it processes every pair of characters at a time.
  • For each pair of characters in the hash:
    • parta is calculated by taking the ASCII code of the first character, subtracting the ASCII code of 'a', and multiplying the result by 26. This reverses the division by 26 (partA = floor(charcode / 26)) applied during encoding.
    • partb is calculated by taking the ASCII code of the second character and subtracting the ASCII code of 'a'. This recovers the remainder (partB = charcode % 26) produced during encoding.
    • parta and partb are then added together, giving back the original character code.
    • The result of this addition is converted back into a character using the chr function.
    • The character is appended to the txt string, forming the intermediate result.

Second Decoding:

  • After the first decoding, the intermediate result in txt is decoded again. This uses the same process as the first decoding, where parta and partb are calculated and combined for every pair of characters in txt. The result of this second decoding is stored in the final string.

  4. Finally, final is returned as the output of the function, which represents the fully decoded original data.
  5. The code includes a conditional check using if __name__ == '__main__':, which ensures that the code inside this block is executed when the script is run directly (not when it's imported as a module).
  6. The code calls the decode function with the hash from the page ("dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu") and prints the result, which is the decoded password.

In summary, the decode function reverses the encoding process applied to the input hash by calculating the original values from the encoded pairs of characters. The function performs two decoding steps to obtain the final, fully decoded result.
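As an added example (not the post's own script), here is a Python port of the page's two JavaScript helpers together with the double decoder described above; it decodes the page's hash and confirms the result by re-encoding it. The helper names mirror the JavaScript ones and HASH is the value from the page; everything else is assumed.

```python
# Added example: Python port of the page's string_to_int_array /
# int_array_to_text JavaScript helpers and the decoder that reverses them.
HASH = "dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu"  # hash from the page


def string_to_int_array(s: str) -> list[int]:
    """Port of the JS helper: each char code becomes (code // 26, code % 26)."""
    out = []
    for ch in s:
        code = ord(ch)
        out.append(code // 26)   # partA
        out.append(code % 26)    # partB
    return out


def int_array_to_text(arr: list[int]) -> str:
    """Port of the JS helper: each integer becomes the letter chr(97 + value)."""
    return "".join(chr(97 + v) for v in arr)


def js_hash(chosen_pass: str) -> str:
    """The page's 'hash': the encoding applied twice, as in the form handler."""
    return int_array_to_text(string_to_int_array(
        int_array_to_text(string_to_int_array(chosen_pass))))


def decode_once(text: str) -> str:
    """Reverse one pass: each letter pair (a, b) -> chr((a-'a')*26 + (b-'a')).
    For ASCII input the encoded text stays within a-z, as the page's hash does."""
    if len(text) % 2:
        raise ValueError("encoded text must have an even length")
    out = []
    for i in range(0, len(text), 2):
        parta = (ord(text[i]) - ord("a")) * 26   # undoes the // 26
        partb = ord(text[i + 1]) - ord("a")       # undoes the % 26
        out.append(chr(parta + partb))
    return "".join(out)


def decode(hash_: str) -> str:
    """The page's double decode: undo the outer pass, then the inner one."""
    return decode_once(decode_once(hash_))


if __name__ == "__main__":
    password = decode(HASH)
    assert js_hash(password) == HASH   # round trip confirms the decoder
    print(password)
```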

We get the password:

System-Abusing/Flag-3.txt

We already have the password, so we should try the reverse shell again.

Boom! We got the shell.

It is important to enumerate the machine; we can see that a volume is mounted.

We can see that Docker is running. Let’s take a look at /mnt/log:

In Linux, “/mnt/log” is not a standard directory; it is simply a mount point where log files or other data may be stored.

It’s important to note that the usage and meaning of directories like “/mnt/log” can vary depending on the specific system and its configuration. The actual purpose and usage of this directory may be defined by the system administrator or user to meet their particular needs for managing log data or other types of information.

[Screenshot: root vs. connor]

We can see that root’s directory has been mounted where connor can reach it. We can simply cp /bin/sh into our current directory.

Is it possible to create a shell that grants normal users the same level of access as the root user in a Linux or Unix environment?

[Screenshot: root vs. connor]

What does chmod u+s mean?

The chmod u+s command is used to set the "Set User ID" (SUID) permission on a file in a Unix-like operating system, such as Linux. This permission has a special significance:

  • Set User ID (SUID): When the SUID permission is set on an executable file, it allows a user to execute the file with the permissions of the file’s owner, rather than their own permissions. In other words, if the SUID bit is set on a file, running that file will give the user the same level of access and privileges as the owner of the file, which is often the root user. This can be useful for certain system programs that need elevated permissions to perform specific tasks.

For example, if you set the SUID bit on a file owned by the root user and then a regular user runs that file, it will execute with the root user’s privileges. This is a way to delegate certain administrative tasks to regular users without giving them full root access.

Awesome! If you run ./sh -p you will be root. -p starts the shell in privileged mode, so it keeps the effective user ID granted by the SUID bit instead of dropping back to the real user ID.
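From the defender's side, the primitive used above (a copied shell with the SUID bit in a root-owned, shared mount) is easy to audit for. The following is an added example, not code from the post: it walks a directory tree, lists SUID regular files, and flags root-owned ones that are shells or live outside the usual system directories. The directory and interpreter lists are assumptions, and demo() builds a throwaway constructed tree rather than touching a real system.

```python
# Added example: audit a tree for SUID files such as the copied ./sh above.
import os
import stat
import tempfile

# Where SUID binaries are normally expected (assumption, tune per distro)
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")
# Interpreters that should never carry SUID (assumption)
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def is_suspicious(path: str, uid: int) -> bool:
    """Root-owned SUID file that is a shell, or sits outside EXPECTED_DIRS
    (for example under /mnt), deserves an alert."""
    name = os.path.basename(path)
    outside = not any(path.startswith(d + "/") for d in EXPECTED_DIRS)
    return uid == 0 and (name in SHELL_NAMES or outside)


def find_suid(root: str) -> list[tuple[str, int, bool]]:
    """Walk `root` and return (path, owner uid, suspicious) for SUID files."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((full, st.st_uid, is_suspicious(full, st.st_uid)))
    return sorted(hits)


def demo() -> list[str]:
    """Constructed sample: a temp tree with one plain file and one 'sh'
    given chmod u+s, mirroring the post. Returns the SUID file names found."""
    d = tempfile.mkdtemp()
    plain, copied_sh = os.path.join(d, "plain"), os.path.join(d, "sh")
    for p in (plain, copied_sh):
        open(p, "w").close()
    os.chmod(copied_sh, 0o4755)              # same effect as chmod u+s
    return [os.path.basename(path) for path, _uid, _sus in find_suid(d)]


if __name__ == "__main__":
    for path, uid, suspicious in find_suid("/"):
        print("ALERT" if suspicious else "ok   ", f"uid={uid}", path)
```

On a real host the matching mitigation is to mount shared or container volumes with nosuid, so a copied shell with u+s never gains root in the first place.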

Thank you for taking the time to explore this technical blog! I hope you found it both informative and engaging. I aimed to provide practical explanations in an accessible manner. Should you have any questions or require further clarification on any topic discussed, please don’t hesitate to reach out to me via social media.

Social Media

Twitter: https://twitter.com/lockpin010_

LinkedIn: https://www.linkedin.com/in/ahmetgoker/

Ahmet | Security Researcher | Sociologist
