
54 VM W1R3S: 1.0.1

Walkthru
A. https://github.com/nbrisset/CTF/tree/master/CTF-VulnLabs/w1r3s [local file inclusion, FTP, Cuppa CMS vulnerability, LFI working using CLI but not browser, john, sudo su for privilege escalation]

B. https://blog.barradell-johns.com/index.php/2018/06/25/w1r3s-writeup/ [I was getting the same response from the server for LFI. Looks like it needed encoding. "After a bit of research I found I may have better luck with encoded url (url encoding) params, so I utilised cURL"]


Notes:
