Saturday, August 8, 2020

Vulhub : Kioptrix Level 2

Hi all

Today we are going to play with Kioptrix Level 2 from Vulhub and try to explore different ways to get root access.

I usually start by nmapping the target:

For the SSH service I didn't see anything we can do right now, so I'm going to explore the web server:

It's a login page, and administrator could be the username, so we have two ways in: brute force, or SQL injection to bypass the authentication form. The second one will be much quicker, so let's give it a try:

Yes, we have bypassed the login page. This interface gives us the possibility to run ping, so the first thing that came to my mind is command injection. Let's try:

Now it's time for a reverse shell (I used the reverse shell cheat sheet from pentestmonkey):

I fired the command nc -nlvp 1234 on my Kali machine:

That's great, I have a shell now as the apache user, so it's time for privilege escalation enumeration:

The kernel is vulnerable, so I think we can exploit this part:

I'm going to use this exploit from Exploit Database for privilege escalation:

I have set up an FTP server on my Kali machine to transfer the file into the Kioptrix 2 VM.

Now it's time to get root access:

Mission achieved successfully.

(I will update this article with other ways to root this box.)

Thank you for reading, see you on another mission (Kioptrix Level 3).

Abdelmouhsine Bouaouda

Saturday, August 1, 2020

THM: Get Bounty Hacker

Hi All

Today we are going to play a new box, Bounty Hacker from TryHackMe.

I usually start my enumeration process with nmap:

I discovered three services:

Nice, let's see if we can access FTP with the anonymous account:

Some juicy information:

Here's a username; the second file contains some passwords, so I will try to brute force the SSH service:

Great, I will access the server and get the user flag:

Now I have to find the root flag:

Mission achieved, it was simple with GTFOBins.

I hope that you enjoyed reading.

Kind regards

Abdel

Thursday, July 30, 2020

THM: Get Smag Grotto

Hi All

Today I will try to get Smag Grotto from THM:

I usually start with nmap:

Great, we have SSH and a web server on port 80.

So I'm thinking directly of directory brute force:

We have a /mail directory; here I'm going to explore:

Another step in this box: the pcap file:

Yes, you have to configure /etc/hosts:

That will give you access to the login page:

Log in with the credentials found in the pcap file:

So we have the possibility to run some system commands to get a shell:

After getting a shell I used the LinEnum script to enumerate the box, and I noticed:

So the authorized keys are copied from another file; we just have to check whether we have write permission on that file:

Nice, now it's a piece of cake: I generated the public and private key with ssh-keygen,

then transferred the content via netcat to the server and finally copied the public key into jake_id_rsa.pub.backup:
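A check a defender would run for the weakness just described, added here as an example (not the box's own cron job and not the author's code): it reports whether the file that gets copied into authorized_keys can be modified or replaced by someone other than its owner. The function name and the flag names are mine.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libgen.h>
#include <sys/stat.h>

/* Bit flags returned by key_source_is_tamperable(). */
#define KEY_FILE_WRITABLE 1  /* the file itself is group- or world-writable */
#define KEY_DIR_WRITABLE  2  /* its directory lets others replace the file */

/* Checks whether a file that a scheduled job copies into authorized_keys
 * (here a backup such as jake_id_rsa.pub.backup) can be changed by anyone
 * other than its owner. Returns -1 if the path cannot be stat'ed, else a
 * bitmask of the flags above (0 means only the owner can write). */
int key_source_is_tamperable(const char *path)
{
    struct stat st, dst;
    int flags = 0;
    if (stat(path, &st) != 0)
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        flags |= KEY_FILE_WRITABLE;

    /* dirname() may modify its argument, so work on a copy of the path.
     * A sticky directory (like /tmp) stops others from renaming or
     * deleting the file, so it is not counted as replaceable. */
    char *copy = strdup(path);
    if (copy == NULL)
        return -1;
    if (stat(dirname(copy), &dst) == 0 &&
        (dst.st_mode & (S_IWGRP | S_IWOTH)) && !(dst.st_mode & S_ISVTX))
        flags |= KEY_DIR_WRITABLE;
    free(copy);
    return flags;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = key_source_is_tamperable(argv[i]);
        if (r < 0)
            printf("%s: cannot stat\n", argv[i]);
        else if (r == 0)
            printf("%s: ok, only the owner can write\n", argv[i]);
        else
            printf("%s: TAMPERABLE (file writable=%d, dir writable=%d)\n",
                   argv[i], r & KEY_FILE_WRITABLE, (r & KEY_DIR_WRITABLE) != 0);
    }
    return 0;
}
```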



Yes, I'm in as the jake user:

Let's try sudo -l:

GTFOBins, that's all, we have root access.

I hope that you enjoyed reading my write-up; leave me a comment if you want.

Kind regards

Abdel

Wednesday, July 29, 2020

THM: Get Brooklyn Nine Nine

Hi All

Today we are going to play with Brooklyn Nine Nine from THM.

I usually start by nmapping the target:

Hmm, great, as nmap states, I can access FTP:

Yeah, there's the name of a user, jake; OK, maybe I will use it later.

In the web page I found this comment:

Hmm, steganography, maybe a hint or a rabbit hole: I tried to brute force with the strings found in the picture but it didn't work, so my last resort was rockyou.txt.

Nice, password found, it was easy, let's log in.

Now it's clear and easy to get the user and root flag with the less command:

less /home/holt/user.txt
less root/root.txt

I HOPE THAT YOU ENJOYED READING, DO NOT FORGET TO LEAVE ME A COMMENT.

Kind regards

Abdel


Monday, July 20, 2020

THM: Blog (Billy Joel made a Wordpress blog!)

Hi All,

Today we are going to play with Billy Joel in TryHackMe's Blog room. Yes, let's start:

I usually start my enumeration process by nmapping the target:

So we have SSH, HTTP and Samba services on this server. OK, great, let's see what's on the web server.

Powered by WordPress; the first thing that came to my mind is wpscan to get some information about the version:

Yes, it's version 5.0, so it suffers from an RCE if you have an author account, so we need an account. OK 😃, we have a Samba service, so let's move on and see if there's any information that can help (enum4linux result):

Hmm, a directory that can be listed:

Let's explore those files: nothing found, a stupid hole, not a rabbit hole.

On the main page I noticed that we have two authors, bjoel and kwheel:

So I think I have to try a brute force and one of them will give me access.

Result (rockyou password list): for bjoel nothing found, and for kwheel the password was found, and now I have everything necessary for the RCE.

I googled a lot of resources about the vulnerability; as a security noob I'm not going to build the exploit manually, so I'm going to use Metasploit:

Yes, I'm in the server. OK, let's look for the user flag:

Ha, OK joel, nice message.

So I can't find the user text from this position, so I'm thinking of enumerating to get root directly.

I used the LinEnum.sh script and found something new:

It's the first time that I have seen a binary file like that, so I decided to download it to my local machine to explore the file.

I have a little experience with binary exploitation; after disassembling:

So the binary calls the C function getenv, which returns the value of an environment variable. Great, in our case which variable:

So it looks for an admin variable in the system. As a first test I tried to create an environment variable 'admin' without any value. Result:

So which value do I have to give to this admin variable? From analysis of the binary it seems 0:

After the call to the getenv function we have a comparison between 0 and a value on the stack to make the decision in the jump instruction (je):

Yes, we did it:

Now reading root.txt and user.txt is a piece of cake.
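The pattern described above, written out as an added C example (a reconstruction assumed from the description, not the box's actual binary and not the author's code): the getenv gate beside the credential check a setuid program should rely on instead. The function names are mine.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Reconstruction of the pattern the disassembly describes (an assumption
 * about the binary, not its real source): getenv("admin"), then a compare
 * against 0 and a conditional jump. In C that compare is a NULL test, so the
 * branch only asks whether the variable exists in the caller's environment.
 * Note that in bash `export admin` alone does not place an unset variable in
 * the environment, while `export admin=0` does. */
int env_gate_allows(void)
{
    const char *admin = getenv("admin");   /* NULL when the variable is absent */
    if (admin == NULL)                     /* the "cmp ..., 0 / je" pair */
        return 0;                          /* denied */
    return 1;                              /* privileged path */
}

/* Why this is not authorization: the environment is chosen by whoever runs
 * the program, so a setuid binary must base its decision on kernel-maintained
 * credentials instead. The real uid is a parameter so the check can be
 * exercised with any value; a real program would pass getuid(). */
int credential_gate_allows(uid_t real_uid)
{
    return real_uid == 0;
}

int main(void)
{
    printf("env gate : %s\n", env_gate_allows() ? "allowed" : "denied");
    printf("cred gate: %s\n",
           credential_gate_allows(getuid()) ? "allowed" : "denied");
    return 0;
}
```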

I hope that you enjoyed reading, see you next time.

Kind regards

Abdel

Offensive Lab: simple Format string challenge

Hi All. Today I will write about a very easy challenge from Offensive Lab where you can solve it through using reverse engineering techniq...