Skip to main content

VM 12 : BTRSys: v2.1

Walkthru
1. https://w01fier00t.com/2018/01/01/btrsys2-walkthrough/ [ priv escalation using looking thru wp-config.php file. Got DB/user/pwd. Login to mysql D to get root pwd hash which will need to be unhashed]
2. http://www.hackingarticles.in/hack-btrsys-v2-1-vm-boot2root-challenge/ [wpsan, use msfvenom to create the shell, use wpscan -u http://1.2.3.4/wordpress -eu to perform username enumeration  -e [option(s)] Enumeration. option u is for username. source@https://wpscan.org/ ]

1.       Ran scans
a.       Shows robot.txt and wordpress dir
b.       Login to Wordpress with default user/pwd
c.    Added PHP revershell
d.    With this and a little help from PentestMonkey reverse php shell I edited the 404.php with this shell.
e.    Next we setup a listener.
                                  nc -nvlp 1234 [Re pasted the shell helped. It wasn't giving any error but just wasn't working. While going to the 404 page, it would show a white page but didn't give us a shell]
                   f. Now Browse to

http://192.168.0.29/wordpress/wp-content/themes/twentyfourteen/404.php

admin link http://192.168.0.29/wordpress/wp-admin/theme-editor.php

                   g. looked kernel vulnerabilities. Tried to copy first exploit and found out that gcc isnt present, also python not present so couldnt run priv cheker. Tried to compile the expoit on Kali and copied over and got system mismatch error. Tried  https://www.exploit-db.com/exploits/41458/ compiled it on Kali , upload and ran it and got the prompt. Also checked the searchsploit and same expoit was there too. VM appears to be loosing connection after getting root access. at the root prompt and getting no response from host now.


Comments

Post a Comment

Popular posts from this blog

VM 13 : Basic Pentest 1 csec

Notes: Walkthru: 1. https://medium.com/@evire/basic-pentesting-1-7251fb3e3f9e [ w/metasploi t using Wordpress t] 2. https://prasannakumar.in/infosec/vulnhub-basic-pentesting-1-writeup/ [ w/metasploit using ftp ] 3.  https://www.ceos3c.com/hacking/basic-pentesting-1-walkthrough/ [ by uploading php-reverse-shell in wordpress ] 4. http://k3ramas.blogspot.com/2018/02/basic-pentesting-1-walkthrough.html [  access wordpress config file to get pwd and access the DB ] 5.  https://cowsayroot.com/walkthrough-basic-pentesting-1/ [ Wpscan, ftp metasploit vulnerability, phpbash ] 6.   http://www.hackingarticles.in/hack-the-basic-penetration-vm-boot2root-challenge/    [use msfvenom to create  to create php shell to be uploaded in Wordpress ] 7.   https://d7x.promiselabs.net/2018/01/30/ctf-basic-pentesting-a-guide-for-beginners/ [adding command using using PHP] Notes:  Ports - 21...ProFTPD 1.3.3c - 22 openSSH 7.2p2 ubuntu ...
2 comments
Read more

VM 5: Vulnix :

Walkthru: A. https://mrh4sh.github.io/vulnix-solution [SMTP and Finger enumeration, creating linux user with specific UID, root squashing, ssh pwd cracking using medusa & hydra, logging using ssh keys, updating /usr/sbin/exportfs] B. http://overflowsecurity.com/hacklab-vulnix/ [ same as above. create ssh keys for root and copied to victim to login as root w/o recovering pwd] C. https://www.rebootuser.com/?p=988[ local bash shell from nfs] B. https://www.vulnhub.com/?q=vulnix&sort=date-des&type=vm [list of solutions] D. https://www.rebootuser.com/?p=988 [User Enumeration #1 – SMTP, Finger; Entry Point including hydra, Putty(using rlogin service), nfs (showmount,mount) ] Notes: - As you can see the root user is the only account which is logged on the remote  host.Now that we have a specific username we can use it in order to obtain more information about this user with the command  finger root@host . -  Another effective use of the finger...
Post a Comment
Read more

VM: pWnOS 2.0

Walkthru A. http://defsecurityjam.blogspot.co.uk/2015/07/pwnos-version-2-walkthrough.html [reading source page, Simple PHP Blog Perl exploit, Python revershell using oneliner, looking around ] b. https://blog.g0tmi1k.com/2012/09/pwnos-2-php-web-application/ [metasploit using PHP Blog exploit] c. http://netsec.ws/?p=430 [burpsuite, sql porxy] d. https://blog.g0tmi1k.com/2012/09/pwnos-2-sql-injection/ [sql injection, union. Very good explanation of the process of what is being done. Didnt try cmds] e. https://www.youtube.com/watch?v=ytzZfI27ueU [sql injection, sqlmap read file and upload reverse shell using sqlmap] f. https://ub3rsec.github.io/pages/2016/pwnosv2-sqli.html [sql injection, union using burp Very good . It list all email field that we are passing and modifying thru burp suite/proxy/intercept. One could enter those union statements in the email field but in this case, the field truncates and remove the later part of union statment which is why we...
Post a Comment
Read more