
Friday, January 14, 2022

Misdirection

MISDIRECTION

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Misdirection, from the VulnHub pentesting platform.

- Misdirection can be downloaded from here:

https://www.vulnhub.com/entry/misdirection-1,371/


- Once Misdirection has been downloaded and extracted with VMware:

2 - ENUMERATION

- netdiscover identifies Misdirection's IP as 192.168.1.28:

- Scanning with Nmap:

- Browsing ports 80 and 8080:

- Dirbusting the web server at port 8080:

- After browsing some of the discovered pages we find a management shell at /debug:

3 - EXPLOITATION

- Setting a Netcat listener at port 5555:

- Sending a reverse shell command from Misdirection to Kali:


- Finally a remote shell is triggered:

- Improving the shell:

- Listing /home we discover the user brexit:

4 - CAPTURING 1st FLAG

- Trying to read user.txt, access is denied:

- Checking www-data's sudo privileges we discover it can run /bin/bash as user brexit:

- Switching to user brexit:

- Now we can read user.txt:

5 - PRIVILEGE ESCALATION

- We find that /etc/passwd is writable:

- Creating a password hash for a new user:

- Adding this new line to /etc/passwd:

- Switching to newuser now gives a root shell:
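The two local weaknesses chained in this write-up, a sudo rule that lets www-data run /bin/bash as brexit and an /etc/passwd that a non-root user can modify, are both easy to check for on a host you administer. The following Python is an added example, not code from the machine or from the write-up: it parses sudo rules in the form `sudo -l` reports them and flags any that hand out a shell or interpreter, parses passwd lines for extra UID-0 accounts and for hashes stored in the file itself, and checks the file's permission bits. The sample rules, the sample passwd lines (including the placeholder hash), and the list of shell-like commands are constructed assumptions.

```python
"""Audit of the two local misconfigurations chained on Misdirection: a sudo rule
that hands www-data a shell as another user, and an /etc/passwd that non-root
users can write to. Added example, not code from the machine or the write-up;
the rules and passwd lines below are constructed."""
import os
import stat

# Constructed sudoers-style specifications, in the form `sudo -l` reports them.
SAMPLE_SUDO_RULES = [
    "www-data ALL=(brexit) NOPASSWD: /bin/bash",
    "backup ALL=(root) NOPASSWD: /usr/bin/rsync",
    "ops ALL=(ALL) /usr/sbin/service apache2 restart",
]

# Commands that give the caller an interactive shell or an interpreter; a rule
# allowing one of these is equivalent to granting the target account outright.
# This list is an assumption: extend it for your environment.
SHELL_COMMANDS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh",
                  "/usr/bin/python", "/usr/bin/python3", "/usr/bin/perl"}

# Constructed /etc/passwd content. The last line is the shape of entry the
# write-up injects: UID 0 plus a hash kept inline instead of in /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
brexit:x:1000:1000:brexit:/home/brexit:/bin/bash
newuser:$1$CONSTRUCTED$CONSTRUCTEDHASH:0:0::/root:/bin/bash
"""


def parse_sudo_rule(rule):
    """Split `user host=(runas) [NOPASSWD:] commands` into its parts."""
    user, rest = rule.split(None, 1)
    host, spec = rest.split("=", 1)
    runas = "ALL"
    if spec.startswith("("):
        runas, spec = spec[1:].split(")", 1)
    spec = spec.strip()
    nopasswd = spec.startswith("NOPASSWD:")
    if nopasswd:
        spec = spec[len("NOPASSWD:"):].strip()
    commands = [c.strip() for c in spec.split(",")]
    return {"user": user, "host": host.strip(), "runas": runas,
            "nopasswd": nopasswd, "commands": commands}


def shell_granting_rules(rules):
    """Return parsed rules whose command list includes a shell or interpreter."""
    hits = []
    for rule in rules:
        parsed = parse_sudo_rule(rule)
        if any(cmd.split()[0] in SHELL_COMMANDS for cmd in parsed["commands"]):
            hits.append(parsed)
    return hits


def passwd_anomalies(text):
    """Flag extra UID-0 accounts, empty password fields, and hashes kept in
    /etc/passwd (the 'x' placeholder means the hash lives in /etc/shadow)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(f"line {n}: malformed entry")
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if uid == 0 and name != "root":
            findings.append(f"line {n}: {name} has UID 0")
        if pw == "":
            findings.append(f"line {n}: {name} has an empty password field")
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(f"line {n}: {name} has a password hash in /etc/passwd")
    return findings


def group_or_world_writable(mode):
    """True if the permission bits let group or others write (expected: 0644)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_passwd_file(path="/etc/passwd"):
    """Report whether the real file on this host is writable by group or others."""
    return group_or_world_writable(os.stat(path).st_mode)


if __name__ == "__main__":
    for r in shell_granting_rules(SAMPLE_SUDO_RULES):
        tail = " without a password" if r["nopasswd"] else ""
        print(f"sudo: {r['user']} may run {r['commands']} as {r['runas']}{tail}")
    for f in passwd_anomalies(SAMPLE_PASSWD):
        print("passwd:", f)
    print("/etc/passwd writable by group/others:", check_passwd_file())
```

Run on a live host, `check_passwd_file()` should return False and `passwd_anomalies(open("/etc/passwd").read())` should return an empty list; any UID-0 entry other than root, or any field that is not the `x` placeholder, is worth an immediate look.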

6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

Thursday, January 6, 2022

Mercy v2

MERCY v2

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Mercy v2, from the VulnHub pentesting platform.

- Mercy v2 can be downloaded from here:

https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/

- Once Mercy v2 has been downloaded and extracted with VirtualBox:

2 - ENUMERATION

- netdiscover identifies Mercy v2's IP as 192.168.1.25:

- Scanning with Nmap:

- A deeper scan of port 8080 reveals robots.txt and /tryharder/tryharder:

- Going to robots.txt:

- Going to /tryharder/tryharder we find a Base64-encoded text:

- Decoding from Base64:

- Let's enumerate the SMB server running at port 445:

- So we have found 4 users.

- Recalling the Base64-decoded text:

- Trying the credentials qiu:password against the SMB server succeeds:

- Examining content:

- After downloading the content and finding nothing of great interest, we go to the folder .private and download its content:

- Reading the 3 files:

- These contain references to the Port Knocking Daemon configuration and the knock sequences that open ports 80 and 22:

- Using the knock command to open the HTTP and SSH services:

- Now port 80 is working normally:
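Port knocking is worth understanding from the daemon's side, because the write-up shows its central limitation: the sequence is just a list of ports, and anyone who reads the config file (here, from a readable SMB share) or watches the traffic can reproduce it. The following Python is an added example, not knockd's code and not the write-up's: it models a knockd-style daemon that tracks partial sequences per client IP, expires them on a timeout, resets them on an out-of-order port, and reports when a sequence completes. The rule name, ports, timeout and the traffic events are constructed and are not the machine's real sequences; the choice to let an out-of-order knock start a fresh attempt is this model's own.

```python
"""Server-side model of a port-knocking daemon's sequence matching (knockd-style).
Added example showing what the mechanism in the Mercy v2 write-up provides and
what it does not; this is not knockd's code, and the ports, timeout and events
below are constructed rather than the machine's real sequences."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KnockRule:
    name: str
    sequence: tuple   # ordered destination ports a client must hit
    timeout: float    # seconds allowed from the first knock to the last


class KnockTracker:
    """Tracks partial sequences per (client IP, rule), one attempt per pair."""

    def __init__(self, rules):
        self.rules = list(rules)
        self._attempts = {}   # (src_ip, rule name) -> [next index, time of first knock]

    def observe(self, src_ip, dst_port, now):
        """Feed one connection attempt; return the names of rules it completes."""
        completed = []
        for rule in self.rules:
            key = (src_ip, rule.name)
            state = self._attempts.get(key)
            if state is not None and now - state[1] > rule.timeout:
                self._attempts.pop(key)          # too slow: the partial sequence expires
                state = None
            if state is None:
                if dst_port != rule.sequence[0]:
                    continue                     # not the start of this rule's sequence
                state = [1, now]
                self._attempts[key] = state
            elif dst_port == rule.sequence[state[0]]:
                state[0] += 1                    # expected next port: advance
            else:
                self._attempts.pop(key)          # out-of-order port resets the attempt
                if dst_port == rule.sequence[0]:
                    self._attempts[key] = [1, now]   # model choice: may begin a fresh attempt
                continue
            if state[0] == len(rule.sequence):
                completed.append(rule.name)      # daemon would now run the rule's command
                self._attempts.pop(key)
        return completed


def replay(tracker, events):
    """Run (time, src_ip, dst_port) events through a tracker; return rule openings."""
    opened = []
    for t, ip, port in events:
        for name in tracker.observe(ip, port, t):
            opened.append((t, ip, name))
    return opened


# Constructed rule and traffic: a legitimate client knocks, then a second host
# that merely learned the sequence (as the write-up did from the config file)
# repeats it and is granted exactly the same access.
RULES = [KnockRule("open-ssh", (7000, 8000, 9000), 10.0)]
EVENTS = [
    (0.0, "10.0.0.5", 7000), (0.5, "10.0.0.5", 8000), (1.0, "10.0.0.5", 9000),
    (2.0, "10.0.0.9", 7000), (2.5, "10.0.0.9", 8000), (3.0, "10.0.0.9", 9000),
]

if __name__ == "__main__":
    for t, ip, name in replay(KnockTracker(RULES), EVENTS):
        print(f"t={t:.1f}s {ip} completed '{name}': port would be opened for that host")
```

The point the replay makes is that the daemon has no way to tell the two hosts apart: knocking hides a service from casual scans but is not authentication, so the knock config file deserves the same protection as a password and the service behind it still needs its own strong authentication.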

- From Nmap we learn that there is a robots.txt and two directories: /mercy and /nomercy:

- Browsing /mercy:

- Browsing /nomercy we find RIPS, a popular static code analysis tool that automatically detects vulnerabilities in PHP applications:

3 - EXPLOITATION

- Searching for exploits related to RIPS we find that it is vulnerable to multiple Local File Inclusions (LFI):

- Exploiting the LFI to read /etc/passwd:
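Requests like the one above are recorded in full by the web server, which makes LFI attempts straightforward to detect after the fact. The following Python is an added example, not code from the write-up or from RIPS: it scans Apache-style access-log lines for traversal sequences and references to sensitive files, URL-decoding repeatedly so that double-encoded attempts are not missed. The page path /app/view.php, the parameter name file, the log lines and the list of sensitive file names are constructed assumptions, not the machine's real paths.

```python
"""Detection of path-traversal / local-file-inclusion attempts, of the kind
used against RIPS in this write-up, over web server access-log lines.
Added example, not code from the write-up or RIPS; the page path, parameter
name, log lines and sensitive-file list below are constructed."""
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines: one benign request, one plain
# traversal, one double-URL-encoded traversal, one absolute-path read.
SAMPLE_LOG = """\
10.0.0.7 - - [06/Jan/2022:10:00:01 +0000] "GET /app/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Jan/2022:10:00:09 +0000] "GET /app/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1904 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Jan/2022:10:00:15 +0000] "GET /app/view.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1904 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Jan/2022:10:00:22 +0000] "GET /app/view.php?file=/opt/example/conf/tomcat-users.xml HTTP/1.1" 200 377 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names whose appearance in a request target is suspicious on its own
# (assumption: extend for the application and host in question).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", "/proc/self/environ")


def normalise(target):
    """URL-decode up to three times so %252e%252e%252f collapses to '../',
    and treat backslashes as path separators."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalise(m.group("target"))
    reasons = []
    if "../" in target:
        reasons.append("directory traversal")
    if any(name in target for name in SENSITIVE):
        reasons.append("sensitive file reference")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"),
            "status": int(m.group("status")), "target": target, "reasons": reasons}


def scan_log(text):
    """Classify every line of an access log; return only the findings."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {f['target']}  <- {', '.join(f['reasons'])}")
```

A 200 status with a response size that matches the real file is the strongest indicator that the inclusion succeeded, so sort findings by status and size before anything else; decoding more than once matters because a single `unquote` leaves `%2e%2e%2f` untouched and the traversal check would miss it.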

- From enumeration we know that there is a Tomcat server running:

- So let's try to read Tomcat's tomcat-users.xml, where credentials may be found:
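A tomcat-users.xml that grants Manager roles and stores passwords in clear text is what turns a file-read bug into code execution, so it is worth auditing on its own. The following Python is an added example, not Tomcat's code and not the write-up's: it parses a tomcat-users.xml, lists users holding the Manager or Host Manager roles, and flags passwords that do not look like the output of Tomcat's MessageDigestCredentialHandler. The XML content, the user names and the digest stand-in are constructed; the plaintext heuristic is an assumption rather than a Tomcat rule.

```python
"""Audit of a tomcat-users.xml of the kind read through the LFI in this write-up.
Added example, not Tomcat's or the write-up's code; the XML below is constructed."""
import xml.etree.ElementTree as ET

# Roles that control the Manager / Host Manager applications (real Tomcat role names).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed file: one privileged user with a clear-text password, one
# unprivileged user whose password field holds a digest stand-in.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="viewer"/>
  <user username="deploy" password="Example-Plaintext-1" roles="manager-gui,manager-script"/>
  <user username="viewer" password="{digest}" roles="viewer"/>
</tomcat-users>
""".replace("{digest}", "a1" * 32)   # constructed 64-hex-character digest stand-in

HEX = set("0123456789abcdefABCDEF")


def looks_digested(password):
    """Heuristic (assumption) for MessageDigestCredentialHandler output:
    either 'salt$iterations$hexdigest' or a bare hex digest of 32+ characters."""
    parts = password.split("$")
    digest = parts[2] if len(parts) == 3 and parts[1].isdigit() else password
    return len(digest) >= 32 and set(digest) <= HEX


def audit_tomcat_users(xml_text):
    """Return human-readable findings for privileged roles and clear-text passwords."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":     # strip the XML namespace prefix
            continue
        name = el.get("username") or el.get("name") or "?"
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            findings.append(f"{name}: holds privileged roles {privileged}")
        password = el.get("password", "")
        if password and not looks_digested(password):
            findings.append(f"{name}: password is stored in plaintext")
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Even a digested password does not help if the Manager application is reachable and the file is readable by the web-server account, so the file's permissions and whether the Manager webapp is deployed at all are the first two things to check alongside this audit.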

- Metasploit helps to get a shell using these Tomcat credentials:

- Improving the shell:

- Trying to switch to the first user is unsuccessful:

- However we can switch to user fluffy:

4 - PRIVILEGE ESCALATION

- Looking into the .private folder there are some interesting files:

- Reading .secrets:

- The file timeclock is owned by root and appears to be the script behind the time shown at the web page /time:

- So one way to get a remote root shell could be to add a bash command to timeclock:

- Now, setting a Netcat listener at port 3333:

- After timeclock is run, we have a remote root shell:
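The root of this escalation is a script that root executes but a lower-privileged user can modify, and that pattern is detectable with a permissions walk. The following Python is an added example, not code from the machine or the write-up: it walks a directory tree and reports regular files owned by a given account that group or others can write, or that live in a directory others can write without the sticky bit (which lets the file be replaced even when its own mode is 0644). The directory layout it builds, including the timeclock file name borrowed from the write-up, is constructed in a temporary directory and owned by whichever user runs the script, since creating root-owned files requires root.

```python
"""Audit for the privilege-escalation path in this write-up: a script owned by a
privileged account that a less-privileged user can modify before it is run.
Added example, not the machine's or the write-up's code; the tree it builds
is constructed in a temporary directory."""
import os
import stat
import tempfile


def writable_by_non_owner(st):
    """True if group or others hold write permission on the inode."""
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def dir_allows_replace(st):
    """A directory others can write lets them rename or unlink entries, unless
    the sticky bit restricts that to the entry's owner (as on /tmp)."""
    return writable_by_non_owner(st) and not (st.st_mode & stat.S_ISVTX)


def find_tamperable_files(root_dir, owner_uid):
    """Return paths (relative to root_dir) of regular files owned by owner_uid
    that a non-owner could modify directly or replace via the parent directory."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        parent_replaceable = dir_allows_replace(os.lstat(dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                continue
            if writable_by_non_owner(st) or parent_replaceable:
                hits.append(os.path.relpath(path, root_dir))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed layout: a world-writable script (the timeclock case), a safe
    file beside it, and a 0755 script inside a world-writable directory."""
    os.makedirs(os.path.join(base, "home", "fluffy", ".private"))
    os.makedirs(os.path.join(base, "opt", "jobs"))
    files = {
        ("home", "fluffy", ".private", "timeclock"): 0o777,
        ("home", "fluffy", ".private", "notes.txt"): 0o644,
        ("opt", "jobs", "rotate.sh"): 0o755,
    }
    for parts, mode in files.items():
        path = os.path.join(base, *parts)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho constructed\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(base, "home", "fluffy", ".private"), 0o755)
    os.chmod(os.path.join(base, "opt", "jobs"), 0o777)


def demo():
    """Build the constructed tree and audit it for files owned by the current
    user (standing in for root); returns the relative paths flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_tamperable_files(tmp, os.getuid())


if __name__ == "__main__":
    for hit in demo():
        print("tamperable:", hit)
```

Against a real host, call `find_tamperable_files("/", 0)` as root and cross-check the hits against crontabs, systemd timers and anything else that executes files on a schedule; a hit that is also scheduled is the timeclock situation exactly.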

5 - CAPTURING THE FLAG

- Reading proof.txt: