CTF - Billu Box Walkthrough

Lab Environment

 Attacker's Machine - Linux kali 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2 (2017-11-08) x86_64 GNU/Linux

 Vulnerable Machine - Billu Box

 Proof Of Concept

 Scanning Phase
  • Route -n (to know the gateway) i.e 172.16.60.2
  • arp-scan --local (to scan for the machines connected to the network)
  • vulnerable machine IP - 172.16.60.149



   Now i will use nmap for further scanning the machine's IP
  •    nmap -sS -sV -sC 172.16.60.149
 

    Port 80 is open and HTTP service is active . so i can browse the IP .

 
  
  I got the homepage and login panel . I have to scan more to get login credentials.
  • dirb http://172.16.60.149 /usr/share/wordlists/dirb/big.txt
        ( I have used dirb command to enumerate some url's by using another     wordlists named big.txt , the path for that wordlist is /usr/share/wordlist/dirb/big.txt)


 

   Highlighted url's gave me some result that seems to be interesting 

   URL's
  •    http://172.16.60.149/test
  •    http://172.16.60.149/phpmy/changelog
     Browsing to the “test” file returned that the “file” parameter is empty.

Second url gave me the login panel for phpmyadmin

With the Local File Read vulnerability we can potentially disclose sensitive           information/credentials used by the Phpmyadmin for set up.
 Since we know the web root directory, we can easily disclose the config file “config.inc.php” used by Phpmyadmin.
 web root directory - /var/www/phpmy/config.inc
 so i used  curl command for sending a POST request 
 command
  curl -X POST --data "file=/var/www/phpmy/config.inc.php" http://172.16.60.149
  I finally got the username and password and scanning phase already revealed     ssh service on open port 22.


    i logged in ssh service using - ssh root@172.16.60.149
   username - root
   password -roottoor
   and entered in machine as a root user

Popular posts from this blog

Calculat3 M3 | CTF Learn

Image
This walkthrough will demonstrate the simple challenge based on command injection Calculat3 M3 This is the challenge page we got after visiting the given link. I provided random input in this calculator and intercepted the request with BurpSuite I got one parameter "expression" taking the values  Tried for command injection with ";ls" Forwarding the above request finally Got the Flag
Read more

TryHackme: Blue Walkthrough

Image
Task 1: Recon After we've connected to the tryhackme network the first task is to enumerate the target. We use Nmap for scanning the target IP. Command Used : nmap -sS -Pn <target-ip> -sS : Scan using TCP SYN scan -Pn : Treats all host as online --skip host discovery Next we used a command to find the vulnerability on the target machine. Command Used : nmap --script vuln <target-ip> --script : Specify the --script option to choose your own scripts to execute by providing categories , script file names, or the name of directories full of scripts you wish to execute. vuln : These scripts check for known vulnerabilites and generally only report results if they are found. Below, we see that nmap is indicating the target may be vulnerable to ms17-010(on the left0 and we can verify this using metasploit. To start Metasploit use command "msfconsole" We start by simply doing a search for ms17-010 Here we use module 2 i.e. exploit/windows...
Read more

HackTheBox-Traceback Walkthrough

Image
I started with scanning the IP Addr with nmap using the simple command. Command Used: nmap IP Addr of machine -Pn  nmap 10.10.10.181 -Pn  Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-15 02:27 IST Nmap scan report for 10.10.10.181 Host is up (0.18s latency). Not shown: 998 closed ports PORT   STATE SERVICE 22/tcp open  ssh 80/tcp open  http Now only two things were in my mind and those were what should I enumerate first ssh or http. SSH can only be bruteforced and this point and bruteforce on the online machine doesn't works or we can say that most online hosted machines are not made to be bruteforced. So, I started  with HTTP. I fired up directory burster to find juicy directories if any and mean while I decided to browse the IP Addr since HTTP Service is active and running. I was presented with the below screen  dirb was not able to find any directories ...
Read more