Chuyển đến nội dung chính

Hack the Seattle VM (CTF Challenge)

This is another article for Boot2Root series in CTF challenges. This lab is prepared by HollyGracefull. This is just a preview of the original lab which stimulates the Ecommerce web application which contains common security errors. Current vulnerabilities are listed below :
  • SQL Injection (Error-based)
  • SQL Injection (Blind)
  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting
  • Insecure Direct-Object Reference
  • Username Enumeration
  • Path Traversal
  • Exposed phpinfo()
  • Exposed Administrative Interface
  • Weak Admin Credentials
WalkThrough
Firstly, let’s locate our target.
Our target is 192.168.1.8. Let’s scan it with nmap.
nmap –p- -A 192.168.1.8

The only port we found open was 80. Next we fire up the nikto.
nikto –h 192.168.1.8

Through nikto we discovered two directories : /admin/ and /images/. OK! We made its mental note and decided to move forward with opening our target in browser.

Opening it on the browser we found that it was ecommerce site as hinted by the author. We checked every tab but found nothing except in the blog tab.

In the blog tab, when you will hover your mouse arrow over the admin in the phrase ‘Hey Admin!’. It will change from arrow to a hand that indicates that means it will open as it a click on.

When you click on it, it will show a username of admin. Ok! I made a note of it. Let’s now check clothing tab.

There is nothing useful in this tab. As the author hinted that website is vulnerable towards SQL attacks so let’s try one. This time let’s try a different SQL attack using BurpSuite. Capture the cookies of the webpage through BurpSuite.

Copy the cooky string and paste it in a simple text file.

Then start the SQL attack by typing the following command in the terminal of Kali.
sqlmap –r /root/Desktop/sea.txt –dbs
Here,
/root/Desktop/sea.txt is the path of the text file in which we had saved t he cookies.

This command will give us the name of following database.

Out of these databases we will dump the tables of seattle with the following command :
sqlmap –r /root/Desktop/sea.txt –D seattle –tables

And with that we will have all the name of the tables as you can see in the following image.

Next we will dump the columns of the tables with the following command :
sqlmap –r /root/Desktop/sea.txt –D seattle –T tblMembers –columns

The execution of the above command will show the table names as following :

Now in the table names there is a table password. Now we already have the username of the admin and we just want the password. So now we will dump the contents of password table.
sqlmap –r /root/Desktop/sea.txt –D seattle –T tblmembers –C password –dump

And voila! We have the password i.e. Assasin1

Now in the browser, go to my account tab and there you will find a login portal. Give the username and password of the admin and click on Login.

And you will be logged in as the admin.

This CTF does contain any flag. All that required was to have admin access and yooohoooo!! We have that.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast
Nhãn:

Bài đăng phổ biến từ blog này

Pentest lab - Metasploitable 2

Today I will walk through different ways of exploiting Metasploitable 2, the newer release of Rapid7’s popular vulnerable machine. First, what is Metasploitable? Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. In my lab environment, the IP of the attacker machine is 192.168.127.159, and the victim machine is 192.168.127.154. Since this is a test lab, I won’t be concerned about stealth. Instead, I will try to get the most information out of the scans. Let’s start by port scanning the target with nmap. I did a full port, aggresive scan against the target. Here are the results. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 ...
Đọc thêm

Metasploitable 2 vulnerability assessment

A vulnerability assessment is a crucial part in every penetration test and is the process of identifying and assessing vulnerabilities on a target system. In this part of the tutorial we will be assessing the vulnerabilities available on the network side of the Metasploitable 2 virtual machine. We will be assessing the web applications on the Metasploitable 2 machine in a later tutorial. In the previous Metasploit enumeration and fingerprinting tutorial we’ve learned that the Metasploitable 2 machine contains a lot of vulnerabilities. We have collected valuable information about the target system which we will be using to find known vulnerabilities both on- and offline. Exploitation of these vulnerabilities will be demonstrated in the next exploitation tutorial. In this tutorial we will be looking at a few different ways to perform vulnerability analysis. We will be manually searching for exploits, use scanning tools like Nmap with scripts and we will be...
Đọc thêm

Hack the Gibson VM (CTF Challenge)

It’s a boot2root challenge and it does not get over with getting root access. You have to find flag also. So let’s start. First of all download lab from https://download.vulnhub.com/gibson/gibson.ova Now open kali terminal and like always start with first step i.e. netdiscover netdiscover it shows all the hosts those are up in our network and from here we get our target ip. Target IP: 192.168.1.6 As our target is all set we are going to scan it with nmap which will show all the open ports. In this case open ports are only two i.e. 22 and 80. nmap –p- -A 192.168.1.6 As from the above result we have got 80 port open so we will open target ip in browser. It shows an accessible directory. Let’s try opening it as we cannot see anything important here. Oh no such luck with this also. It’s written the result will be found by brute force but there is no place where we can apply brute force. As we do not have any other option so let’s just go to view page source to see if we could get a...
Đọc thêm