Chuyển đến nội dung chính

Hack the NullByte VM (CTF Challenge)

This is our article of root2boot penetration testing challenge. We will walk through a exploitable framework of NullByte VM. Breaking into it isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate. We have to find “Proof.txt” and follow the further steps.
 WalkThrough
 Start off by finding your target.
netdiscover
Our target is 192.168.1.142. And now that we know our target, we will scan it using nmap.
nmap -p-  -A 192.168.1.142

Scanning the IP, we will know that the port number 80, 111, 777, 44607 are open. Please observe here that the service of SSH is forwarded from 22 to 777 port. This port may come in handy in the future to gain access.
Now we will try and open the targeted IP in the browser.
There is an image and a quote on the page. You will find nothing on the page source or otherwise. But there might be something hidden in the image and so, we will read the image using exif tool.
exiftool main.gif
There you will find a comment kzMb5nVYJw. Now this might be a directory and there is no harm in opening it the browser so let’s do that
Our assumption was right as it opened in the browser. But it is asking for a key. And we have no idea what the key is so therefore we will use dictionary attack to find the key using BurpSuite and rockyou.txt.
Through the dictionary attack you will find the key i.e. elite.

Enter the key where it was asking and the following page will open.

It is asking for username now which again we do not know. So, we will find it in its Database using sqlmap. And for this type:
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1 –dbs
It will give you the name of the databse i.e. seth.  Now further we will find columns and tables and for that type:
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1 –dump –columns –tables -D seth
Once command executes, it will show you the table name along with column and password as shown:
As a result we have username and password but the password is in MD5 so we need to crack it and there are many online tools to do so. Therefore to crack it go to md5coder.org and give the md5 value there and click on ok and it will show you the original word i.e. omega
Now we will SSH to log in and for that type:
ssh ramses@192.168.1.142 -p 777
And then give omega as password. And you are logged in. As you are now logged in type the following command to see the list of directories:
ls -lsa
Then read .bash_history file by typing:
cat .bash_history
As we found nothing in there, we will move onto /var/www/backup by typing:
cd /var/www/bakcup/
ls -lsa
./procwatch

After much more exploring here and there and after number of useless attempts we had an idea that if we change the path of ps file to sh so that procwatch runs sh file instead of ps. And if we achieve this, we will directly reach root. Therefore, to achieve this we will have to manipulate the environment and for this we will copy the current shell executable (/bin/sh) into /tmp and for this follow the steps below:
 cd /tmp
cp /bin/sh /tmp/ps
export PATH=/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
cd /var/www/backup
./procwatch
With us execution of above commands we will enter root and then further type ;
 id
cd /root
ls
cat proof.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast

Bài đăng phổ biến từ blog này

Pentest lab - Metasploitable 2

Today I will walk through different ways of exploiting Metasploitable 2, the newer release of Rapid7’s popular vulnerable machine. First, what is Metasploitable? Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. In my lab environment, the IP of the attacker machine is 192.168.127.159, and the victim machine is 192.168.127.154. Since this is a test lab, I won’t be concerned about stealth. Instead, I will try to get the most information out of the scans. Let’s start by port scanning the target with nmap. I did a full port, aggresive scan against the target. Here are the results. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 ...

Metasploitable 2 vulnerability assessment

A vulnerability assessment is a crucial part in every penetration test and is the process of identifying and assessing vulnerabilities on a target system. In this part of the tutorial we will be assessing the vulnerabilities available on the network side of the Metasploitable 2 virtual machine. We will be assessing the web applications on the Metasploitable 2 machine in a later tutorial. In the previous Metasploit enumeration and fingerprinting tutorial we’ve learned that the Metasploitable 2 machine contains a lot of vulnerabilities. We have collected valuable information about the target system which we will be using to find known vulnerabilities both on- and offline. Exploitation of these vulnerabilities will be demonstrated in the next exploitation tutorial. In this tutorial we will be looking at a few different ways to perform vulnerability analysis. We will be manually searching for exploits, use scanning tools like Nmap with scripts and we will be...

CEH v9 (CEHVIETNAM.COM) - Hacking Metasploitable Lab

CEH v9 : Hacking Metasploitable VM In this guide, I will demonstrate how to root a Metasploitable 2 virtual machine. Metasploitable is an intentionally vulnerable Ubuntu machine. I’ll explore just a few of the many ways Metasploitable can be attacked, from vulnerabilities in common services to little known exploits and web vulnerabilities. I’ve set up Kali Linux and Metasploitable VMs in VirtualBox on the same network (bridged mode). Kali – 192.168.56.101 Metasploitable – 192.168.56.102 - Hãy thay IP của bạn cho thích hợp Contents   1 Footprinting 1.1 Ping 1.2 Traceroute 2 Scanning 2.1 Port Scanning 2.2 OS Fingerprinting 2.2.1 nmap 2.2.2 xprobe2 3 Enumeration 3.1 FTP (TCP 21) Enumeration 3.2 Telnet (TCP 53) Enumeration 3.3 SMTP (TCP 25) Enumeration 3.4 VNC (TCP 5900) Enumeration 3.5 X11 (TCP 6000) Enumeration 3.6 RLogin (TCP 513) Enumeration 3.7 IRC (TCP 6667) Enumeration 4 Exploitation 4.1 FTP Exploit 4.2 VNC Password Cracking 4.3 IRC E...