Tr0ll – VulnHub #4

The first thing I did was run a netdiscover scan to find the IP.
From there I ran Sparta.py for some recon. I saw that anonymous FTP was enabled, so I gave it a try. I found one PCAP file, which I opened in Wireshark. Following the ftp-data TCP stream revealed the contents of a text file that mentioned a directory. I assumed it referred to port 80's HTTP server.

My theory was confirmed. I downloaded the file and found it was an executable. When I ran it, it told me to find an address. I was kinda confused when I opened the file in edb and found that there was no such address.

I was thinking... what other kind of address could there be? Oh, I know, a URL? It took me a while, but I was correct. Both directories contained text files.

I tried to brute-force SSH with "Good_job_:)" as the password; after some trial and error I finally got in, but with "Pass.txt" as the password. I SSH'd to the box and found something very interesting: the kernel was vulnerable to privilege escalation.

I fired up a Python HTTP server and used the exploit. It worked perfectly. Since I had root, I read proof.txt and finished this VM. This VM was really fun. It was different, and I must say it really got me stuck sometimes, but that's the point of it, isn't it? I also hope you enjoyed.

DE-Ice S1.100 – VulnHub #3

The DE-Ice series are vulnerable VMs aimed at beginners. They can be found at VulnHub (obviously). Let's get crackin'.
I fired up my trusty netdiscover and found the IP.
I used Zenmap to find the open ports. It seems that something is wrong with the FTP server. Interesting, but let's continue.
Since I didn't have any usernames, brute-forcing SSH was out of the question. I navigated to port 80 and found a web page for No Security Corp's Information Portal.

Here I found some usernames. I wrote them in a text file. Of course I put the sysadmins first, since they were the most likely to have an SSH account.

I fired up hydra to see if any user was dumb enough to have the same password as their username. Surprise, surprise. It was Bob Banter. An intern.
I SSH'd to the box and found something rather... unusual. It seems that something within the FTP was encrypted using the root password. My current user wasn't in the sudoers...
...so I tried priv-esc exploits. None of them worked, so there was only one option: brute-force the Sr. Sys Admin, Adam Adams.

Since we had the username, this would speed up the process a lot. I fired up hydra, went to sleep, had some breakfast and checked out the password.
Now I could read the shadow file...
I copied the shadow file, and cracking the root password was easy with Johnny, a GUI for John the Ripper.
I downloaded the encrypted file and decrypted it. It was encrypted with the AES-128-CBC cipher, and since the passwd file did say something about the root password, I assumed that was the key, and I was correct.

I hope you enjoyed 🙂

6Days Lab – VulnHub #2

6Days is another VulnHub VM which is a bit harder than [PRIMER], but here we go. I started off with netdiscover to discover my victim's IP. Then I ran nmap to search for open ports.
I immediately started scanning port 80 with nikto to see if I could find anything useful. Sadly nothing was helpful. The filtered proxy will come in handy later.
Since nikto didn't help me, I navigated to the site itself and was greeted with a nice webpage. I actually like the design and everything.
I tried the discount code. It expired.
I thought this was the perfect situation for SQLi, but the IPS stopped me.
While checking out the source of index.php I noticed something very unusual. The image was actually being loaded from a PHP script called image.php.
I intercepted the request via Burp and found the PHP source. SQLi was confirmed, but the IPS was making it impossible.

I also got the credentials for MySQL, but they weren't of any use since the MySQL port wasn't open.
I read the /etc/passwd file and found out that the user andrea is using a custom shell, which redirects its output to /dev/null. This means that when we type a command we can't see any output. Let's keep that in mind.

Having nothing else to do, I tried double-encoding the URL and, amazingly enough, it worked. I didn't get blocked by the IPS.
Since I knew the database name, I used the proxy to do manual SQLi. Oh, and I also guessed the table and column names. I had no clue about those. Pure luck.
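As an added example of the defensive side of this (not code from the walkthrough or from the VM), the following Python shows why a filter that percent-decodes the query string only once misses a double-encoded payload, and how a canonicalization step that decodes until the string stops changing closes that gap and turns the extra decode round itself into a signal. The sample requests are constructed; image.php is the script the post mentions, but the `id` parameter name is an assumption.

```python
from urllib.parse import unquote

# Added example, not from the walkthrough. Markers are deliberately crude;
# the point is the decoding step in front of them, not the pattern list.
SQLI_MARKERS = ("'", '"', " or ", " union ", "--", "/*", "#")

# Constructed sample requests (image.php is from the post, "id" is assumed).
REQUESTS = {
    "plain": "image.php?id=1",
    "single-encoded": "image.php?id=1%27%20OR%201%3D1--",
    # Every byte of the payload is encoded twice, including the '--' comment.
    "double-encoded": "image.php?id=1%2527%2520OR%25201%253D1%252D%252D",
}


def naive_flag(raw_query: str) -> bool:
    """Weak filter: decode once, then look for SQL metacharacters."""
    decoded = unquote(raw_query).lower()
    return any(m in decoded for m in SQLI_MARKERS)


def canonicalize(raw: str, max_rounds: int = 5):
    """Percent-decode until the string is stable (bounded to avoid loops).

    Returns (decoded, rounds_applied). rounds_applied > 1 means the client
    sent nested encoding, which legitimate browsers almost never do.
    """
    current, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def hardened_flag(raw_query: str) -> bool:
    """Inspect the fully canonicalized value and treat nested encoding as suspicious."""
    decoded, rounds = canonicalize(raw_query)
    if rounds > 1:
        return True
    return any(m in decoded.lower() for m in SQLI_MARKERS)


def scan(requests: dict) -> dict:
    """Run both filters over the samples: name -> (naive_hit, hardened_hit)."""
    return {name: (naive_flag(q), hardened_flag(q)) for name, q in requests.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in scan(REQUESTS).items():
        print(f"{name:15s} naive={naive!s:5s} hardened={hardened}")
```

Running it shows the single-encoded request caught by both filters and the double-encoded one caught only after canonicalization. The caveat is that the canonicalizer must decode exactly as deep as the application behind it does: a filter that decodes more aggressively than the backend produces false positives on legitimate literal percent signs, and one that decodes less deeply is what the walkthrough bypassed.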
I tried SSH'ing to the box with the credentials and it worked.
Remember the /bin/andrea sandboxed shell? All we had to do was redirect the output back to stdout. I used Python to spawn an sh shell.
Since the goal was to execute flag and I needed to be root, I looked up privilege escalation exploits for Linux 3.13.0 on Ubuntu and ran Python's SimpleHTTPServer module.
I used wget to download the source and gcc to compile it. I got root. Now all we have to do is execute the flag.
Voila! Done.
That's all for today folks, I hope you enjoyed.

[PRIMER] – VulnHub #1

PRIMER is a vulnerable VM which you can find on VulnHub. Anyways, let's get started.

First off I ran a netdiscover scan. Since I'm using VirtualBox I know the MAC vendor, so the IP is 192.168.1.6.
I ran nmap to scan for open ports and got 3 open ports, but only 2 of them were of some value. I decided to lay off SSH for now and focus on port 80 instead.

This is the webpage. I noticed the login form and tried to bypass the login via SQLi, but I failed.
Since I didn't manage to bypass the login, I peeked at robots.txt and made an interesting discovery.
I pasted the directory in the URL bar and got this page.
Which led me to this one...
The next 'node' was a little bit different. It was just a prompt. The first thing I did was view the source, and there I found the next location.

The next node was also a prompt, but the JavaScript was obfuscated. I didn't bother decoding it, since I noticed something very nice.

Every directory name is crafted in a special way: a number and an MD5 hash.
4_MD5(7), 5_MD5(11), 6_MD5(13) and 7_MD5(17)
Using this simple algorithm I figured out the next URL:
http://192.168.1.7/9_37693cfc748049e45d87b8c7d8b9aacd/
And I was correct.
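The sequence above reads, to me, as index-of-prime followed by the MD5 of that prime in decimal (7, 11, 13 and 17 are the 4th to 7th primes), and the hash the author guessed for node 9 is indeed MD5("23"). The following Python is an added example, not code from the walkthrough or from the VM's author, that reproduces that guess and generates the rest of the sequence; the base URL is the one from the post.

```python
import hashlib

# Added example, not from the walkthrough. Assumption (my reading of the
# 4_MD5(7) ... 7_MD5(17) pattern): node n is "<n>_<md5 of the n-th prime>".
# MD5 is used only because the puzzle uses it; it is not a secure hash.


def nth_prime(n: int) -> int:
    """Return the n-th prime, counting 2 as the first (trial division)."""
    if n < 1:
        raise ValueError("n must be >= 1")
    found, candidate = 0, 1
    while found < n:
        candidate += 1
        if all(candidate % p for p in range(2, int(candidate ** 0.5) + 1)):
            found += 1
    return candidate


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 of the UTF-8 encoding of text."""
    return hashlib.md5(text.encode()).hexdigest()


def node_name(n: int) -> str:
    """Directory name for node n, e.g. 4 -> '4_' + MD5('7')."""
    return f"{n}_{md5_hex(str(nth_prime(n)))}"


def node_url(base: str, n: int) -> str:
    """Full URL of node n under the given base (trailing slash as on the box)."""
    return f"{base.rstrip('/')}/{node_name(n)}/"


if __name__ == "__main__":
    # Prints the nodes the post lists plus the next few the rule predicts.
    for n in range(4, 11):
        print(node_url("http://192.168.1.7", n))
```

The output for n = 9 matches the URL the author found; the remaining entries are what the same rule predicts, which is the check you would run against the box rather than guessing by hand.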
Clicking the [EOF] link led me to a page that looked like a terminal. I ran the help command to see what commands I could use.
When I ran whoami the text went corrupt and red, but I could make out 'nieve' from it.
I refreshed the page and took a look at the running processes.
I assumed nieve, falken, root and c0re were all SSH users, so I fired up hydra and found out the password for nieve.

I SSH’d to the box and took a look around.
I navigated to the directories I hadn't been to yet and finally finished at the URL http://192.168.1.6/10_23693cff748o49r45d77b6c7d1b9afcd, which was the end screen signalling my victory. Hooray!

I gotta admit this VM was very fun, and I hope you enjoyed reading my walkthrough. Thanks to VulnHub and the creator of this VM, couchsofa, or Arne Rick.