Hack the Quaoar VM (CTF Challenge)

Once again we are with the Vulnhub labs tutorial; this article is related to CTF lab where you will face three challenges to complete the task. This lab is pretty good for beginner as they have to seize only three flag: 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box. You can download this VM from here.

Let’s start..

Firstly, scan the target IP with aggressive scan using Nmap tool as given in the image.

nmap -p- -A 192.168.1.24

With the nmap result you can see that port 22, 53, 80, 110, 139, 143, 445, 993 and 995 are open with the services like SSH, HTTP and many others.

Since port 80 is working, open the victim IP 192.168.1.24 in the browser. You can see its home page in the image below :

Nmap scan also shows that robots.txt. Once accessed robots.txt it will show you that website is in wordpress, which is exploitable to in this scenario.

Let’s check out wordpress directory in the browser once.

Further, when I explored the following path: 192.168.1.24/wordpress/wp-login.php in the browser, I found a WordPress administrator console.

To breach administrator console of the WordPress we can use WPScan tool; now type the following command to start wpscan enumeration.

wpscan --url http://192.168.1.24/wordpress/ --enumerate u

WPScan’s result will show two users as you can see in the image below. We will move forward with admin user.

I used default log in credentials i.e. admin:admin and therefore I was logged in as Admin. Now, under the console we can upload any theme, taking advantage of the rights we have obtained, we will try to upload the malicious script to achieve reverse connection from victim’s system. The script we will use can be downloaded from : http://pentestmonkey.net/tools/web-shells/php-reverse-shell 

Now copy the PHP text from *  and paste it as new theme under selected 404.php template.

Now type the following commands to have session through netcat :

nc –lpv 1234

Once you have the session, use the following commands to navigate around :

cd /home

ls

In /home I found wpadmin folder which is obviously important so let’s check it for a flag using following commands :

cd wpadmin

ls

cat flag.txt

This way, in the above image you see that we have found our first flag.

Another important file in wordpress is Wp-config.php. Therefore, after  exploring this file I found MYSQL Setting. This contained credentials for root. If you notice the image below you’ll observe that the username and password i.e. root: rootpassword

Let’s switch the user to root and then in the root folder you will find the second flag too. So, use the  following commands for the said task :

su

rootpassword!

cd /root

ls

cat flag.txt

Now, we all know that cron.d is an important linux directory and I just checked it for the sake of it and there I found our last and third flag. Use the following commands to achieve that :

cd /etc

cd cron.d

ls

cat php5

Ohh-Yah!  We have successfully captured all 3 flags. Hence, we have successfully completed the CTF.

 Author: Arpit Pandey is a Certified Ethical Hacker, Cyber Security Expert, Penetration Tester. Contact here

Bypass Windows Login Password using Android Phone with DriveDroid

Drive Droid is an Android application that allows you to boot your PC from ISO/IMG files stored on your phone. This is ideal for trying Linux distributions or always having a rescue-system on the go... without the need to burn different CDs or USB pen drives.

Drive Droid also includes a convenient download menu where you can download USB-images of a number of operating systems from your phone. You can also create USB-images which allow you to have a blank USB-drive where you can store files in. Blank images also allow you to use tools on your PC to burn images to the drive and create a bootable USB disk that way.

You can manually download it from google playstore.

Note: need root privilegde means you need rooted phone.

Let’s start!!!

Install DriveDroid app on your smartphone and run the application.

Click on plus sign at the lower right corner to add any iso image file.

Under preference here we need to select image directories so that we can browse konboot iso image file.

Further it will move into internal storage to let you choose your iso file, I have opt for konboot.iso and click on select (Please note that the kon-bootCD.iso file should exist on your phone)

Selected the koonboot iso file and it will get mounted

Tap on the mounted file and we can see three boot options as shown in the figure below Select the third option of CD-ROM and connect the smart phone with the system and reboot the system

Now plug the USB cable between phone and system for booting it from your phone and restart the system (pc) then continuously press function key of your desktop system.

Great!!! Successfully you will get administration console; now hit the enter button on the key board. This will bypass the admin console without entering password.

Capture VNC Session of Remote PC using Settoolkit

Today in this article we are going to compromise the target through VNC payload attack. It is a very simple method for beginners.

In this tutorial, we will learn how to create a VNC payload using Social Engineering Toolkit. We will try to achieve VNC shell of victim’s PC.

Let’s Start!!!

Open a terminal in Kali Linux, and type “setoolkit” on it to start the Social Engineering Toolkit Framework.

Select the first option to choose from the list of Social-Engineering Attacks.

Press '1'

To proceed further we will choose "Create a Payload and Listener" option.

Press '4'

This will show an arsenal of different payloads. As in this article our focus is VNC, hence we will select the VNC payload.

Press '3'

Next Step requires an IP address on which the payload listener is to be started. In our case it is 192.168.1.109(attacker's IP) and after that it will ask for the port for reverse listener. In our case it will be 4444

After setting up this, it starts generating VNC payload and save it under highlighted path. Explore /root/.set/payload.exe. Send the payload.exe file to the target.

Further it will ask to start payload listener Type "yes" and hit "Enter" this will start loading the Metasploit Framework.

After loading the Metasploit Framework, it runs the multi handler automatically; Now once the victim clicks on the payload file sent by the attacker, attacker will get a VNC shell.

Great!!!!

Our VNC attack using set toolkit is successful and we received the victim's VNC

shell on our system.

How to Delete Firewall Log in Remote PC using Metasploit

This article is only for tutorial purpose where we are trying to share our experience to enhance skills of IT researchers. This article will help attackers to protect themselves if they were caught by firewall. Usually when an attacker establish the connection with target’s system a log is generated having some details like time, ports, IP address and MAC address of attacker. So if you are not aware of such things then you might leave an evidence of your attacks in victim’s system. To prevent yourself you must go through this article where you will learn how to read the firewall logs as well as how to delete the logs from victim’s PC.

Being an intelligent attack once you have hacked the target then after fetching important data the most essential thing is to read and delete the log files from the target system.

First hack The Victim PC read Here

So now we are inside windows/system32 where we can perform admin level task. Type following command inside CMD shell to move inside the logs directory

cd logfiles/firewall

Type dir to observe the present directory of firewall.

Dir

From screenshot you can find that there are two files and two directories, therefore being an attacker I need to check the log firewall from target PC. Now Type following command to read firewall logs.

type pfirewall.log

So the highlighted log is showing MAC address of attacker system. Hence to protect yourself always delete these logs.

To delete pfirewall.log we must turn off firewall, type following command to disable firewall from victim PC.

Netsh firewall set opmode mode= DISABLE

Now type given below command to delete pfirewall.log

Del pfirewall.log

Now type given below command to verify pfirewall.log is still available or not in victim’s PC

type pfirewall.log

How to Enable and Monitor Firewall Log in Windows PC

LETS START!!!

Let have a look where you will learn more about firewall security. Open windows firewall then select advance setting on the left side under control panel home.

 Here we are at windows firewall advance setting; explore its property tab present on the right side of window’s frame.

Now you can see the local computer property dialog box has been opened, here select the private profile option.

Here another dialog box will get appear in front of you to configure private profile for firewall.

Only we need to manipulate two things in this profile without disturbing other settings. Change “NO (default)” into “YES” for log dropped packets and log successful connection as shown in given screenshot. At last click on OK.

Now again we are at advance security setting of firewall here bring your cursor down toward monitoring option.  From screenshot you can see window frame for firewall monitoring where it contains general and logging setting.  As we want to read firewall logs therefore now click on the blue link given as file name under logging setting.

GREAT!!! Finally we can read firewall log and can investigate firewall traffic in our network.