Posts

Gaara:1 - Walkthrough [Vulnhub]

Image
Here's  my solution for Gaara:1. The machine can be downloaded from here. Service Discovery Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.149 We find 2 ports open. Enumeration Browsing the web. Checking the page source did not reveal any hint/information. Running gobuster to scan for directories. $ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.149 -t 100 This felt like we got something, but it's a blank page.  After playing around for a while, since ssh port is open just guessed that the username can be the machine's name i.e gaara. Why not try brute forcing. $ hydra -l gaara -P /usr/share/wordlists/rockyou.txt 192.168.1.149 ssh And yes, it worked. Now we have the credentials as- Username: gaara Password: iloveyou2 Initial Access Accessing SSH. $ ssh gaara@192.168.1.149 Password: iloveyou2 User Flag Privilege Escalation From Gaara > Root Checking for SUID permissions. Lets escalate and get the root flag.

Odin:1 - Walkthrough [Vulnhub]

Image
Here's  my solution for Odin:1. The machine can be downloaded from here. Service Discovery Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.106 We find only 1 port open. Enumeration We map ip to host by editing the /etc/hosts file. Lets browse the web. We find that the web in built on CMS - Wordpress. Scrolling down, we see some base32 encoded text.    We can browse CyberChef to decode it.   This seems like a hint-  To use rockyou wordlist. We run wp-scan to enumerate all plugins and users. $ wp-scan --url http://odin -e ap,u No plugins were found but we found a user- odin. When we try to manually verify the user- odin, it says- unknown username. Now we enter a default user name - admin and a random password. After reading the error we confirm that the user- admin exits. Since we do not have the password for the user. We user wpscan to brute force the password. $ wpscan --url http://odin/ -U admin -P /usr/share/wordlists/rockyou.txt We get the password as- qwerty Let

Kira:CTF - Walkthrough [Vulnhub]

Image
Here's my solution for Kira:CTF. The machine can be downloaded from here. Service Discovery Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.105 We find only 1 port open. Enumeration Browsing the web, We see an upload option, lets go for it. We try to upload the php reverse shell file. Seems there's some kind of validation which does not allows php files. Now we upload the same php reverse shell file by adding an image extension to it. i.e rshell.php > rshell.php.jpeg Seems that we have successfully upload the file. We navigate to /uploads and here we find the uploaded reverse shell file. Back to the main web page, here we find a language button. We click the language button. Again we click the language button. We find that the lang= parameter is vulnerable to LFI. Initial Access Now to run the php reverse shell file we simply browse the location of the file. And on the other hand we start the netcat listener. We get the shell. Privilege Escalation From www-dat

Hemisphere:Gemini - Walkthrough [Vulnhub]

Image
Here's my solution for Hemisphere:Gemini. The machine can be downloaded from here. Service Discovery Using Nmap for scanning all TCP ports. $ nmap -sC -sV -p- 192.168.1.132 We find 5 ports open. Enumeration Browsing the web. Using gobuster to scan directories. $ gobuster dir -w /usr/share/wordlists/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.132/ -t 100 -x php,txt,html Browsing /Portal We click on CONTACTO, we find that the view= parameter is vulnerable to LFI. By looking at the contents we find a user- william. By exploting the LFI we try to get the william's ssh key. We copy the ssh key to a file. Initial Access Before accessing ssh. We change the permission of the key file. $ chmod 600 key $ ssh -i key william@192.168.1.132 User Flag. Privilege Escalation Checking the permissions on /etc/passwd file, shows that we have full privileges. Lets change the root user password. On our machine we create the password as- pass On target machine we c