Skip to main content

36 VM :CTF_2017_online

Walkthru

A. https://prasannakumar.in/infosec/vulnhub-ctf-usv-2017-writeup/ [javascript Obfuscated  which is currently one of the best methods for protecting JavaScript code from reverse engineering. The "var _0xbb15=" gives us a hint . It’s in the obfuscated way. Deobfuscating using JS Beautifier, vulnerability with https: site, decode or reverse engineer the math manually, curl to download an html page using --data (POST) request, LFI or local file inclusion , curl to read /etc/passwd due to LFI,
wfuzz to fuzz/customize the dir structure to download, one can use wget to download the files from door and vault folders by selecting '--no-directories  options so it doesn't create ten thousand directories but wget didnt stop automatically, it kept on going , may be does multiple iteration not sure ,aircrack-ng, looks like a blind sql injection and we are not getting response from the SQL injection error or select statement in that case we know the sql injection worked if we see output and when con content is shows means it is false or didn't work or doesnt exist , possible firewall blocking union based statements, limit SQL function, SQL union queries]


B. http://snhconsultingltd.com/2018/01/08/pentesting-write-upusv-2017/ [binwalk,exiftool ]

Notes:


Comments

Post a Comment

Popular posts from this blog

VM 13 : Basic Pentest 1 csec

Notes: Walkthru: 1. https://medium.com/@evire/basic-pentesting-1-7251fb3e3f9e [ w/metasploi t using Wordpress t] 2. https://prasannakumar.in/infosec/vulnhub-basic-pentesting-1-writeup/ [ w/metasploit using ftp ] 3.  https://www.ceos3c.com/hacking/basic-pentesting-1-walkthrough/ [ by uploading php-reverse-shell in wordpress ] 4. http://k3ramas.blogspot.com/2018/02/basic-pentesting-1-walkthrough.html [  access wordpress config file to get pwd and access the DB ] 5.  https://cowsayroot.com/walkthrough-basic-pentesting-1/ [ Wpscan, ftp metasploit vulnerability, phpbash ] 6.   http://www.hackingarticles.in/hack-the-basic-penetration-vm-boot2root-challenge/    [use msfvenom to create  to create php shell to be uploaded in Wordpress ] 7.   https://d7x.promiselabs.net/2018/01/30/ctf-basic-pentesting-a-guide-for-beginners/ [adding command using using PHP] Notes:  Ports - 21...ProFTPD 1.3.3c - 22 openSSH 7.2p2 ubuntu ...
2 comments
Read more

VM 5: Vulnix :

Walkthru: A. https://mrh4sh.github.io/vulnix-solution [SMTP and Finger enumeration, creating linux user with specific UID, root squashing, ssh pwd cracking using medusa & hydra, logging using ssh keys, updating /usr/sbin/exportfs] B. http://overflowsecurity.com/hacklab-vulnix/ [ same as above. create ssh keys for root and copied to victim to login as root w/o recovering pwd] C. https://www.rebootuser.com/?p=988[ local bash shell from nfs] B. https://www.vulnhub.com/?q=vulnix&sort=date-des&type=vm [list of solutions] D. https://www.rebootuser.com/?p=988 [User Enumeration #1 – SMTP, Finger; Entry Point including hydra, Putty(using rlogin service), nfs (showmount,mount) ] Notes: - As you can see the root user is the only account which is logged on the remote  host.Now that we have a specific username we can use it in order to obtain more information about this user with the command  finger root@host . -  Another effective use of the finger...
Post a Comment
Read more

VM: pWnOS 2.0

Walkthru A. http://defsecurityjam.blogspot.co.uk/2015/07/pwnos-version-2-walkthrough.html [reading source page, Simple PHP Blog Perl exploit, Python revershell using oneliner, looking around ] b. https://blog.g0tmi1k.com/2012/09/pwnos-2-php-web-application/ [metasploit using PHP Blog exploit] c. http://netsec.ws/?p=430 [burpsuite, sql porxy] d. https://blog.g0tmi1k.com/2012/09/pwnos-2-sql-injection/ [sql injection, union. Very good explanation of the process of what is being done. Didnt try cmds] e. https://www.youtube.com/watch?v=ytzZfI27ueU [sql injection, sqlmap read file and upload reverse shell using sqlmap] f. https://ub3rsec.github.io/pages/2016/pwnosv2-sqli.html [sql injection, union using burp Very good . It list all email field that we are passing and modifying thru burp suite/proxy/intercept. One could enter those union statements in the email field but in this case, the field truncates and remove the later part of union statment which is why we...
Post a Comment
Read more