A walkthrough from VULHUB -- > Skytower

-

A walkthrough from VULHUB -- > Skytower 

Credit goes to Telspace Systems who made this machine..  :)

Task: To Enumerate the Target Machine and Get the Root flag.txt

Penetration Methodologies

  • Network Scanning
    • Netdiscover
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service
    • Sql-Injection
    • Setting proxychains to connect to ssh
    • Getting ssh connection using credentials
  • Exploitation
    • Enumerating login page -> getting login credentials
  • Privilege Escalation
    • Using su permissions (accounts) 

Walkthrough

IP address discover 

Using nmap i found the host IP :







Now we have the target machine IP.It's time to have fun penetrating this box using our mindblowing skills...ohhh yes ... :)

using Nmap :

:: nmap -sSVC -S 192.168.1.9 -o nmap

nmap  is the output file of nmap and SVC and A you can be guided by nmap




As, the nmap run it's script let's surf the in browser whether it have server or it



There was nothing interesting in source code.
That's login page and quite interesting .hmmm.I tried sql injection and got access to john account BOOOOOOOOOOOOM....
sql injection
for user name = '*'
and password also same ='*'








That's fast Woooooow
let's see the nmap result




















Hmmmm ... ssh http and proxychains port detected

Let's try SSH to access the server account john using credentials that we found using using SQL injection





Seems like we cannot connect to the ssh .Let's try using proxychains but first of all we have to add config the proxy

use your favrouite text editor and go to /etc/proxychains.config




and add in last line

http 192.168.1.9 3128



Now try login to ssh john usng
proxychains ssh john@192.168.1.9 /bin/bash
and password hereisjohn

BoooooooM we got the ssh connection.quite easy now we have to enumerate the box



I tried to exploit box but that was not the method.Therefore, i go to /var/www/
and i found a login.php where i found the msql login credential


So, i quickly login to mysql.



and got the Table SkyTech database
show database;



So, i select the SkyTech and then ,



List the tables using 
show tables;


I found the unencrypted credentials for sara and william and without wasting time i login to sara using ssh but using proxychains

As , i login into the sara account using credentials



Then i enumerate and did not found anything interesting and then i check the permission and sudo -l and found some accounts which can be run as sudo without password


 Finally the flag.txt
wow that's pretty easy box




Author: Codiebruh is an Tech guy and has a keen interest in technology. contact Contact here

Comments

Post a Comment

Popular posts from this blog

Wordpress Reverse Shell

-
Image
Wordpress Reverse Shell This post is related to WordPress security testing to identify what will be possible procedure to exploit WordPress by compromising admin console. We have already setup WordPress in our windows 7 machine. Table of Content 1) Metasploit Framework 3) Upload PHP reverse shell 4) Getting reverse shell connection Requirement: Host machine: WordPress Attacker machine: Kali Linux WordPress Credential: admin: password Let's begin 1) 1st Method  The site which we are going to test is: i login into the wordpress admin Now i check upload the reverse shell (PHP) using metasploit BOOOOOOM : I got the interactive shell of windows 7 machine Let's breach in another way 2) 2nd Method I have already done login into wordpress using admin and password So, Create a PHP code file using msfvenom Now Go to the Apprereance -> Theme editor -> 404.php templetes past a php code ...
Read more

EVM: 1 Vulnhub Walkthrough

-
Image
Penetration Methodologies: Finding IP Nmap Enumeration Browsing HTTP Service Directory Bruteforce using dirb Enumeration Using WPScan Password Bruteforce using WPScan Getting Login Credentials Exploitation Exploiting using Metasploit  Getting a reverse connection  Spawning a TTY Shell  Enumeration for Root Credentials Privilege Escalation  Getting Login Credentials Logging in as root Reading the Final Flag Let's Breach:     First of all finding IP for the machine i use bridge connection.The IP of machine was 192.168.1.5 I quickly nmap the website found 80 open Then i browse the server and found that apache default page and phpinfo() Nothing interesting then i bruteforce the directory you can use gobuster and nikto also While scan is complete i found a wordpress directory that leads me to an another website Then i quickly browse the http://192.168.1.5/wordpress then i found the page d...
Read more

Chanakya Vulnhub Walkthrough

-
Image
It was the box where you have to have knowledge about using Nmap , dirb or nitko or gobuster ,ftp, ssh and metasploit .In this box we analyze the ftp connection using wireshark and got credentials and after that we gain access shell using ssh and exploit root permission using metasploit. Breaching Process  Finding IP Nmap Enumeration Nmap Deep scan Browsing HTTP service Enumerating directory ftp login Exploitation Generating ssh authorize key Gaining access to shell (ashoka) Reading chrootkit logs (using metasploit) Privilege Escalation chkrootkit Let's Breach  Using nmap we scan the network ip in our network nmap -sn  ip_range (use root permission to scan ) After sanning there are only five ip that was not hard for me to find we are using NAT in virtualbox after finding the ip we go for Enumeration (this is the phase where you have to see every single piece of information) Browsing the ip we get ...
Read more