
Hack the SpyderSec VM (CTF Challenge)

You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.
Level: Intermediate
Walkthrough
Let’s locate our target first.
netdiscover
Our target is 192.168.0.103. Now let’s fire up the nmap to know their services.
nmap -A -p- 192.168.0.103

There are only two ports open, i.e. 22 and 80 for SSH and HTTP respectively. Next, I opened the page in a browser.

There was nothing major on the page except for two images. There is a possibility of metadata hidden behind these images, so I read them with ExifTool. One of the images, saved under the name "Challenge", had a comment attached to it. To read it, type:
exiftool Challenge.png
If you observe closely, the comment is in hexadecimal form. We need to convert it into readable form. No third-party tool is required: just go online to string-functions.com, copy the string, paste it in the text box and click the convert button.
After converting we again have a hexadecimal string. No problem, let's convert it again as we did earlier.

This time we have a base64 string. We convert it into plain text by using HackBar: paste the string and select the Base64 decode option from the Encoding drop-down menu.
Now finally we have a readable string. This can be a password or a directory. Note it down for future use. Moving on, if you go through the source code of the page you will see that the eval function is quite unusual.
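The decode chain above (hex, then hex again, then base64) is easy to get wrong by hand, so here is an added example, not part of the original walkthrough, that peels such layers automatically and stops when no further layer decodes. The sample string is constructed for the example, not the VM's real comment; the same function also handles the single hex layer produced by the eval payload later in the walkthrough.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)


def looks_printable(data: bytes) -> bool:
    """True if the bytes are plain ASCII text (the signal that a decode step made sense)."""
    try:
        return all(ch in PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def peel_layer(text: str):
    """Try one decode step, hex first and then base64. Return (layer_name, decoded) or None."""
    s = text.strip()
    # Hex: even length, only hex digits, and the result must still be printable text.
    if s and len(s) % 2 == 0 and all(c in string.hexdigits for c in s):
        out = bytes.fromhex(s)
        if looks_printable(out):
            return "hex", out.decode("ascii")
    # Base64: strict validation so ordinary text is not "decoded" into garbage;
    # the printable check catches short words that happen to be valid base64.
    try:
        out = base64.b64decode(s, validate=True)
        if out and looks_printable(out):
            return "base64", out.decode("ascii")
    except (binascii.Error, ValueError):
        pass
    return None


def unwrap(text: str, max_layers: int = 10):
    """Repeatedly peel hex/base64 layers. Returns (list of layer names, final text)."""
    layers, current = [], text
    for _ in range(max_layers):
        step = peel_layer(current)
        if step is None:
            break
        name, current = step
        layers.append(name)
    return layers, current


# Constructed sample: plaintext wrapped as base64, then hex twice, mirroring the challenge order.
SAMPLE_PLAINTEXT = "constructed-sample-password"
SAMPLE = base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode().encode().hex().encode().hex()

if __name__ == "__main__":
    print(unwrap(SAMPLE))
```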
I searched for the eval function on Google and found that it is JavaScript. There can be code hidden behind it, so let's unpack it with a JavaScript unpacker.
After unpacking you will again come face to face with a hexadecimal string. Convert this string just like before.

After conversion the string became "alert('mulder.fbi');". I explored a lot and found nothing about it, so I decided to capture the site's cookies with Burp Suite. To use Burp Suite we have to turn on the manual proxy in the browser, turn on interception in Burp Suite, and then simply refresh the page; without much hard work the cookies will be captured.
In the cookies I found a URI, which means it is part of a link. Go to the Params tab to see the full link.

From here copy the link and open it in the browser.

Now when I opened it there was an error. Then I explored a bit and remembered that there was a mulder.fbi, so I added that to the link.
After adding mulder.fbi to the link, it asked me to download a file. Save it.

When you open the file you just saved, it plays a video with different quotes. I was clueless about this, so I started searching about it on Google and found out that it was a TrueCrypt file. To see what is hidden, type:
python tcsteg2.py mulder.fbi
There was a whole drive hidden behind it, and using VeraCrypt you can mount and open the drive.

When you open it, it will ask for a password, and we found the password beforehand. So enter the password there.

Hence the drive will be unlocked. Now open the drive, and you will find the flag there.


Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.
