Tr0ll – VulnHub #4

The first thing I did was run a netdiscover scan to find the IP.
From there I ran Sparta.py for some recon… I saw that anonymous FTP was enabled, so I gave it a try. I found one PCAP file, which I opened in Wireshark. I followed the TCP stream of the ftp-data and found the contents of a text file that talked about a directory. I assumed it was talking about port 80’s HTTP server.

My theory was confirmed. I downloaded the file and found it was an executable. When I ran it, it told me to find an address. I was kinda confused when I opened the file in edb and found that there was no such address.

I was thinking… what other kind of address could there be? Oh, I know, a URL? It took me a while, but I was correct. Both directories contained text files.

I tried to brute-force SSH with “Good_job_:)” as the password, but after some trial and error I finally did it, with “Pass.txt” as the password. I SSH’d to the box and found something very interesting… the kernel was vulnerable to privesc.

I fired up a Python HTTP server and used the exploit. It worked perfectly. Since I got root, I read proof.txt and finished this VM. This VM was really fun. It was different and I must say it really got me stuck sometimes, but that’s the point of it, isn’t it? I also hope you enjoyed it.

6Days Lab – VulnHub #2

6Days is another VulnHub VM which is a bit harder than [PRIMER], but here we go. I started off with netdiscover to discover my victim IP. Then I ran nmap to search for open ports.
I immediately started scanning port 80 with nikto to see if I could find anything useful. Sadly, nothing was helpful. The filtered proxy will come in handy later.
Since nikto didn’t help me, I navigated to the site itself and was greeted with a nice webpage. I actually like the design and everything.
I tried the discount code. It had expired.
I thought this was the perfect situation for SQLi, but the IPS stopped me.
While checking out the source of index.php, I noticed something very unusual. The image was actually being loaded from a PHP script called image.php.
I intercepted the request via Burp and found the PHP source. SQLi was confirmed, but the IPS was making it impossible.

I also got the credentials for MySQL, but they weren’t of any use since the MySQL port wasn’t open.
I read the /etc/passwd file and found out that the user andrea is using a custom shell, which redirects its output to /dev/null. This means that when we type a command, we can’t see any output. Let’s keep that in mind.

Having nothing else to do, I tried double-encoding the URL and, amazingly enough, it worked. I didn’t get blocked by the IPS.
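The bypass works because the IPS inspected the request after a single URL decode, while the PHP backend decoded it once more. The following is an added example, not code from the VM or the post, that reproduces that gap on constructed sample URLs and shows the usual fix: canonicalize (decode until stable) before inspecting.

```python
from urllib.parse import unquote

# Constructed sample requests (not captured from the VM). The quote that starts
# the injection is "%27" once-encoded and "%2527" twice-encoded.
SINGLE_ENCODED = "/image.php?id=1%27%20OR%201%3D1"
DOUBLE_ENCODED = "/image.php?id=1%2527%2520OR%25201%253D1"

# Minimal marker list, only to illustrate the decoding problem.
SUSPICIOUS = ("'", '"', " or ", "union", "--", "/*")


def naive_inspect(url):
    """Decode exactly once, as the IPS in the post appears to, then look for markers."""
    decoded = unquote(url).lower()
    return any(tok in decoded for tok in SUSPICIOUS)


def canonicalize(url, max_rounds=5):
    """Decode repeatedly until the value stops changing.
    This approximates what the backend sees after its own decode, and the bound
    keeps a crafted input from forcing unlimited decode rounds."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def hardened_inspect(url):
    """Inspect the canonical form, so a second layer of encoding cannot hide markers."""
    decoded = canonicalize(url).lower()
    return any(tok in decoded for tok in SUSPICIOUS)


if __name__ == "__main__":
    for name, url in (("single", SINGLE_ENCODED), ("double", DOUBLE_ENCODED)):
        print(f"{name}: naive={naive_inspect(url)} hardened={hardened_inspect(url)}")
```

The safest rule is to decode as many times as the application behind the filter does; decoding more times than the backend can itself produce false positives or negatives.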
Since I knew the database name, I used the proxy to do manual SQLi. Oh, and I also guessed the table and column names. I had no clue about those. Pure luck.
I tried SSH’ing to the box with the credentials, and it worked.
Remember the /bin/andrea sandboxed shell? All we had to do was redirect the output back to stdout. I used Python to spawn my sh shell.
Since the goal was to execute flag and I needed to be root, I looked up some privilege escalation exploits for Linux 3.13.0 on Ubuntu and ran Python’s SimpleHTTPServer module.
I used wget to download the source and gcc to compile it. I got root. Now all we have to do is execute the flag.
Voila! Done.
That’s all for today, folks. I hope you enjoyed it.

[PRIMER] – VulnHub #1

PRIMER is a vulnerable VM which you can find on VulnHub. Anyway, let’s get started.

First off, I ran a netdiscover scan. Since I’m using VirtualBox, I know the MAC vendor, so the IP is 192.168.1.6.
I ran nmap to scan for open ports and got 3 open ports, but only 2 of them were of some value. I decided to lay off SSH for now and focus on port 80 instead.

This is the webpage. I noticed the login form and tried to bypass the login via SQLi, but I failed.
Since I didn’t manage to bypass the login, I peeked at robots.txt and made an interesting discovery.
I pasted the directory in the URL bar and got this page.
Which led me to this one…
The next ‘node’ was a little bit different. It was just a prompt. The first thing I did was view the source, and there I found the next location.

The next node was also a prompt, but the JavaScript was obfuscated. I didn’t bother decoding it since I noticed something very nice.

Every directory name is crafted in a special way… a number and an MD5 hash:
4_MD5(7), 5_MD5(11), 6_MD5(13) and 7_MD5(17)
Using this simple algorithm I figured out the next URL:
http://192.168.1.7/9_37693cfc748049e45d87b8c7d8b9aacd/
And I was correct.
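The four known names pair the index n with the n-th prime (7, 11, 13 and 17 are the 4th to 7th primes), so node 9 should be 9_MD5(23). The following is an added example, not code from the VM or the post, that assumes this pattern holds for every node and generates the directory names so they can be checked against the page's URL:

```python
import hashlib


def nth_prime(n):
    """Return the n-th prime, 1-based: nth_prime(4) == 7, nth_prime(9) == 23."""
    if n < 1:
        raise ValueError("n must be >= 1")
    primes = []
    candidate = 2
    while len(primes) < n:
        # Trial division by the primes found so far, up to sqrt(candidate).
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes[-1]


def node_dir(n):
    """Directory name for node n: '<n>_<MD5 of the n-th prime written in decimal>'.
    Assumption: the prime is hashed as ASCII text ("23"), not as a binary integer."""
    digest = hashlib.md5(str(nth_prime(n)).encode("ascii")).hexdigest()
    return f"{n}_{digest}"


def node_url(host, n):
    """Full URL of node n on the given host (the host is a placeholder)."""
    return f"http://{host}/{node_dir(n)}/"


def walk(host, first, last):
    """URLs for a contiguous range of nodes, inclusive."""
    return [node_url(host, n) for n in range(first, last + 1)]


if __name__ == "__main__":
    for url in walk("192.168.1.7", 4, 10):
        print(url)
```

Node 9 reproduces the hash on the page; node 10 is only a prediction of the same rule, and the post's final URL does not look like a clean MD5 digest, so the pattern may not extend that far.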
Clicking on the [EOF] link led me to a page that seemed like a terminal. I ran the help command to see what commands I could use.
When I ran whoami, the text went corrupt and red, but I could make out ‘nieve’ from it.
I refreshed the page and took a look at the running processes.
I assumed nieve, falken, root and c0re were all SSH users, so I fired up hydra and found out the password for nieve.

I SSH’d to the box and took a look around.
I navigated to the directories I hadn’t been to and finally finished at the URL http://192.168.1.6/10_23693cff748o49r45d77b6c7d1b9afcd, which was the end screen signalling my victory. Hooray!

I gotta admit this VM was very fun, and I hope you enjoyed reading my walkthrough. Thanks to VulnHub and the creator of this VM, couchsofa, or Arne Rick.