Hack-Nos (OS-HAX)

Hack-Nos is another boot-to-root VulnHub machine. I believe this is an intermediate box. The flag was more important than gaining root, and I got the flag in two ways, which was fun.


Breaching Process 

Finding IP

  • Nmap

Enumeration

  • Browsing HTTP service
  • Enumerating directory
  • Got Drupal (further enumerating the version from CHANGELOG.txt)

Exploitation

  • Using Metasploit
  • Got reverse shell

Privilege Escalation

  • Gaining wget root access to change the passwd file

Let's Breach:

First, IP discovery was important, so I used nmap to scan the network.
Use root permission to run the nmap network scan.



The IP was 192.168.1.16. Then I went browsing and ran dirb in the background.
The page looked like the default Apache page.



There was nothing juicy, so I looked at the dirb scan and found that there was a Drupal install.


Then I went to the Drupal page.
I could not log in as james; I tried different combinations of text and failed.
Then I went for version enumeration of Drupal. That was pretty easy; googling gave me the answer. The version can be seen using

192.168.1.16/drupal/CHANGELOG.txt

Wow, there was a pretty good vulnerability.


I thought about Metasploit, then fired up msfconsole, and after checking all the Drupal exploits one by one I found this one interesting, as it gives me a persistent shell.

Changing the path, IP and port.



Wow, I got a shell as www-data.



Now let's hunt for the high privilege (root). I wanted to use the shortcut key (CTRL + L) to clear the screen, so I imported XTERM, haha (just for fun). Now it looks like I have completed half the task.



After importing xterm, I listed the files; there was a user.txt file.


Without wasting time, I went for the root permission check (which programs can run as root without a password). Ka-Boooom, the wget command can be run as root.



There was an idea of importing any file using wget: just use nc and you can catch the request from wget. So,

from the victim machine I fired up wget (using the root.txt file) and listened on my machine.

So the scenario looks like this:

Victim machine


My machine



Boom, the task was completed.

But there was no fun in just going for the flag, so I went for root access to that machine.
By changing the passwd file I can get root access.

Let's begin the second method

Access the machine using msfconsole, the same as in the steps above.

Read the passwd file and copy-paste it into your machine:

cat /etc/passwd

(Don't mind the test file; I had done this previously using a test user.)


Pasting it into my machine and saving it as the passwd file.

Then I generated a password (password) and user (codie) on my machine:

openssl passwd -1 -salt codie password



Then I fired up the Python server on port 80 (make sure the passwd file is in that directory):

python -m SimpleHTTPServer 80



Then I imported the passwd file into the victim machine using wget, which ultimately changed the passwd file, which was astounding.



I checked whether the passwd file had been imported on the victim machine.
So I got this edited version of the passwd file, and there was my username as root.


Now I used the su - codie command to get access to the codie account, and it succeeded in running as root.



And now cat /root/root.txt:


Boom, I got root access.
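Seen from the defender's side, this escalation leaves two things to check for: a NOPASSWD sudo rule on a binary that can write files, and a passwd entry with UID 0 and a hash in the password field. The Python audit below is an added example, not part of the original walkthrough; the sample passwd and sudoers contents, the hash placeholder and the FILE_WRITERS list are constructed assumptions.

```python
import re

# Constructed sample data (not captured from the target machine).
# The hash is a placeholder in MD5-crypt layout, not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
james:x:1000:1000:james:/home/james:/bin/bash
codie:$1$codie$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/wget
"""

# Assumption: a short illustrative list of binaries that can write
# caller-chosen content to arbitrary paths; it is not exhaustive.
FILE_WRITERS = {"wget", "curl", "cp", "tee", "dd"}

def audit_passwd(text):
    """Return (user, reason) findings for passwd-format text."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip comments and malformed lines
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 on non-root account"))
        if pw not in ("x", "*", "!"):  # x = shadowed, * and ! = locked
            findings.append((user, "password field is not a shadow placeholder"))
    return findings

def audit_sudoers(text):
    """Return (user, command) for NOPASSWD rules on file-writing binaries."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*([^#\s]\S*)\s+\S+\s*=.*NOPASSWD:\s*(.+)", line)
        if not m:
            continue
        for cmd in filter(None, map(str.strip, m.group(2).split(","))):
            binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the command
            if binary in FILE_WRITERS:
                findings.append((m.group(1), cmd))
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On a real host, pass the contents of /etc/passwd and the sudoers files to these functions instead of the sample strings.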



Happy hacking :)
