
Wednesday, January 16, 2019

Mirai


MIRAI

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Mirai, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

- Mirai's IP is 10.10.10.48:





- Scanning with Nmap:




- Scanning ports 22, 53 and 80 in more depth:



- Dirbusting the web server, we find the folder /admin:





- Connecting with the browser:





- Pi-hole is a network-wide ad blocker, typically run on a Raspberry Pi, that blocks advertisements on all devices connected to a home network:

https://www.raspberrypi.org/blog/pi-hole-raspberry-pi/


3 - EXPLOITATION

- The default SSH credentials on a Raspberry Pi are pi:raspberry:

https://www.raspberrypi.org/documentation/linux/usage/users.md





- In this case no exploit is needed, because the SSH connection with the default credentials succeeds:








4 - CAPTURING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Checking sudo privileges:




- Starting a bash shell as the root user:





6 - CAPTURING THE 2nd FLAG

- Reading root.txt, there is a hint about the original root.txt:





- df displays the amount of available disk space for the mounted file systems:




- Going to /media/usbstick, there is a text file that probably holds interesting information:








- So it seems that the original root.txt was accidentally deleted.

- Reading the raw content of disk b directly, we find the 2nd flag:







- Also, strings helps to recover the 2nd flag:









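As an added illustration of why the deleted root.txt can still be read from the raw device (this is not part of the original write-up): deleting a file only unlinks its directory entry, so its data blocks stay on the disk until they are overwritten. The Python below was written for this post rather than taken from it; it scans a constructed stand-in for the USB stick image for printable runs, as strings does, and filters them by a pattern. The image bytes, the root.txt remnant and the flag value are all constructed placeholders.

```python
import re

# Constructed stand-in for a raw block device image: the file system was
# "emptied", but the old root.txt contents remain in unallocated blocks
# between zero-filled and binary regions. Not a real disk image.
CONSTRUCTED_IMAGE = (
    b"\x00" * 512
    + b"\xeb\x3c\x90mkfs.fat"                 # FAT boot-sector jump + OEM name
    + b"\x00" * 500
    + b"root.txt\x00"                         # leftover directory entry name
    + b"\x00" * 64
    + b"\xff\x01\x02\xfe"                     # binary noise shorter than min_len
    + b"\x00" * 32
    + b"CONSTRUCTED-FLAG-PLACEHOLDER-0000\n"  # data block of the deleted file
    + b"\x00" * 1024
)

def carve_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for every run of at least min_len printable
    ASCII bytes, mirroring what `strings -t d` reports for a raw device."""
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in printable.finditer(data):
        yield m.start(), m.group().decode("ascii")

def find_in_image(data: bytes, pattern: str, min_len: int = 4):
    """Return the carved strings whose text matches a regex. Handy when the
    shape of the deleted content is known (for a flag, its character class
    and length) and the raw device is too noisy to read by eye."""
    rx = re.compile(pattern)
    return [(off, s) for off, s in carve_strings(data, min_len) if rx.search(s)]

if __name__ == "__main__":
    for off, s in carve_strings(CONSTRUCTED_IMAGE):
        print(f"{off:8d} {s}")
    print("candidate flag(s):", find_in_image(CONSTRUCTED_IMAGE, r"PLACEHOLDER"))
```

On a real case, read the bytes from a forensic copy of the device rather than from the live stick, so the recovery does not itself overwrite the unallocated blocks.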

Tuesday, January 15, 2019

Blue


BLUE

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Blue, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

- Blue's IP is 10.10.10.40:




- Scanning with Nmap:





- Scanning ports 135, 139 and 445 in more depth:







- This Nmap script finds that Blue's SMB service on port 445 is vulnerable to MS17-010:





- Metasploit helps to confirm SMB and Operating System versions:





3 - EXPLOITATION

- Looking for information about the vulnerability MS17-010:




- There is a Metasploit exploit associated with the MS17-010 vulnerability:





- Launching Metasploit and using exploit/windows/smb/ms17_010_eternalblue:




- Setting Blue's IP as RHOST:





- Setting Meterpreter as payload, Kali's IP as LHOST (interface tun0 with IP 10.10.14.2), and port 5555 as LPORT:





- Running the exploit, we get a Meterpreter session with System privileges:



.... etc ....





- So in this case there is no need for Privilege Escalation.



4 - CAPTURING THE FLAGS

- Reading the 1st flag:





- Reading the 2nd flag:









Monday, January 14, 2019

Optimum


OPTIMUM

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Optimum, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/



2 - ENUMERATION

- Optimum's IP is 10.10.10.8:





- Scanning with Nmap:




- Looking deeper at port 80:






3 - EXPLOITATION

- Looking for exploits related to HttpFileServer HFS 2.3:





- Launching Metasploit and using the exploit rejetto_hfs_exec:




- Setting Optimum's IP as RHOST:




- Setting Kali's IP as LHOST:





- Running the exploit, we get a Meterpreter session:





- The user is kostas:




- Running a shell:




4 - CAPTURING THE 1st FLAG

- Reading user.txt.txt from user kostas' Desktop:







5 - PRIVILEGE ESCALATION

- Access to Administrator's desktop is denied:





- Looking for local Privilege Escalation exploits for Windows on the x86-64 architecture:













- Reading the instructions for downloading the executable 41020.exe:





- Downloading 41020.exe to our Kali machine:









- Uploading 41020.exe to Optimum:





- Getting a shell, let's confirm that 41020.exe is present on Optimum:





- Remembering that the current user is kostas:




- Running the exploit, we achieve System privileges:




6 - CAPTURING THE 2nd FLAG

- Finally, reading root.txt from Administrator's Desktop: