Covfefe: 1 Walkthrough
Lab Environment
Attacker’s Machine : Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux
Vulnerable Machine : Covfefe: 1
Let’s start hacking and breach the security of this machine
Scanning Phase : Let’s start by finding our attacking machine’s IP
Syntax used : ifconfig
Results : 192.168.169.129
Now let’s scan the local network to which both the attacking machine and the vulnerable machine are connected.
Syntax used : arp-scan --local
Enumeration Phase : Now using nmap to scan the services running on the open ports.
Syntax used : nmap -p- -A 192.168.169.132 -Pn
Results : an HTTP service is running on ports 80 and 31337
Now browsing to the IP in a browser to see the webpage on port 80
Browsing on port 31337 we found nothing.
Finally we fired dirb to enumerate the directories on port 31337
Tried opening robots.txt and found 3 disallowed entries; on opening one of them we got our first flag
Url : 192.168.169.132:31337/taxes
Now opening another directory listed in robots.txt, i.e. .ssh
Url : 192.168.169.132:31337/.ssh
Results : id_rsa , authorized_keys , id_rsa.pub
Downloaded id_rsa and authorized_keys
Now opened the authorized_keys file and got the username for SSH login
Now tried to log in over SSH with id_rsa and that username
But no use, it asked us for a passphrase which we don’t have
Now generating a john-compatible hash file (rsacrack) from id_rsa so that we can recover the passphrase
Now cracking password with john
Syntax used : zcat /usr/share/wordlists/rockyou.txt.gz | john --pipe --rules rsacrack
Results : starwars
After entering starwars as the passphrase we successfully logged in to the target machine remotely
But we are not able to read the flag file
So we searched for SUID files that we can execute to take root of the machine
Syntax used : find / -perm -4000 2>/dev/null
And we saw one file, i.e. read_message, which takes user input and interacts with it.
So we tried this to take root, but failed
There is also a .c file which we can read with cat read_message.c
Results : we found that the overflow begins at the 21st byte of input
So we triggered the buffer overflow by giving SimonAAAAAAAAAAAAAAA/bin/sh as input at the read_message prompt
Results : and finally got root
Finally read the flag.txt and it’s done !!
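The read_message bug above is the classic fixed-size buffer filled by an unbounded read, where everything from the 21st byte onwards lands in whatever variable sits next to the buffer. As an added illustration (not the machine's own read_message.c; the 20-byte name buffer and the prompt text are assumptions), this is how the name prompt would look if it were read safely, refusing any line that does not fit instead of letting it spill over:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20   /* assumed size of the name buffer in read_message */

/* Hardened replacement for the name prompt (hypothetical, not the binary's
 * real source). We read at most cap-1 bytes, drain the rest of an over-long
 * line so a later read cannot consume it, and return -1 rather than
 * silently accepting a truncated name. Returns 0 on success. */
int read_name(FILE *in, char *name, size_t cap)
{
    if (cap < 2 || fgets(name, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '\n') {
        name[len - 1] = '\0';           /* line fit: strip the newline */
        return 0;
    }
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return 0;                       /* line filled the buffer exactly */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                               /* discard the overflowing bytes */
    name[0] = '\0';
    return -1;
}

/* Test helper: feed a constructed input line through read_name via fmemopen. */
int name_from_line(const char *line, char *out, size_t cap)
{
    FILE *f = fmemopen((void *)line, strlen(line), "r");
    if (f == NULL)
        return -1;
    int rc = read_name(f, out, cap);
    fclose(f);
    return rc;
}

int main(void)
{
    char name[NAME_LEN];
    printf("What is your name?\n");
    if (read_name(stdin, name, sizeof name) != 0) {
        fprintf(stderr, "name too long (max %d bytes)\n", NAME_LEN - 1);
        return 1;
    }
    printf("Hello %s!\n", name);
    return 0;
}
```

With this check the 27-byte payload from the walkthrough is rejected outright, so no input can reach past the name buffer.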