Hi All
I'm trying to do the Dav box on TryHackMe, so here are my notes from
the pentesting process:
After a scan with nmap I found HTTP on port 80 with an Apache server v2.4.18,
so let's look whether there is a vuln related to this version: nothing found,
so let's bruteforce directories with wfuzz:
wfuzz -u http://10.10.187.183/FUZZ -w /usr/share/wordlists/wfuzz/general/common.txt --hc 404
********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer *
********************************************************
Target: http://10.10.187.183/FUZZ
Total requests: 950
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000905: C=401 14 L 54 W 460 Ch "webdav"
Total time: 14.05000
Processed Requests: 950
Filtered Requests: 949
Requests/sec.: 67.61562
I found this webdav directory. I didn't know what it is, so I'm going to spend some time reading about it and
understanding how it works: it's an extension that adds more options to the HTTP functions and that can be activated in the web server.
When I try to access the directory I get some sort of authentication, so I have two paths:
find a way to bypass the authentication, or bruteforce the login. Before starting this process I want
to try enumerating more files in this directory to see if I'm going to find something else.
Nothing found for the directory, so I was stuck with this login pop-up. Thinking directly of bruteforce
is not the ideal approach, so first we have to think whether there are any default creds, and that is
the step that made me move on (so before any login bruteforce, let's look at the page code and also
check whether there are any default credentials).
After that it was easy to get a shell with DAVTest and cadaver as the www-data user. The next step, getting the
user flag, was also easy: by default, after getting a shell the first command I execute is
sudo -l, and it gave me what I need for the user flag and the root flag.
It's done, see you next time.
Sunday, May 31, 2020
Friday, May 29, 2020
Vulhub: Kioptrix level 1, let's try
Hi All
Today we're going to play with Kio1 (Kioptrix 1), the first step on the road to the OSCP certification:
My game starts as always with nmap scanning:
So we have to explore each service to see if there is any way to get root on the Kioptrix1 VM.
For the ssh service nothing found, so I will move to the second service.
On port 80 we have Apache 1.3.29, and we also have port 443 (ssl_mode):
So OpenFuck seems very interesting, so let's give it a try:
This is how to use the C code:
Mission done:
we have root access.
Let's explore the remaining ports:
The rpc ports are for file sharing via smb, so version enumeration:
It's a vulnerable version, so you can use this from exploitdb:
It's also done: after compiling and executing, yes it's done, I have root access easily.
For directory bruteforcing:
So I tested with many wordlists from the wfuzz directory and found these directories:
/cgi-bin/
/mrtg
/usage
/manual
and this file:
test.php: it contains just PHP test code, nothing else, and an href=resource://content-accessible/plaintext.css
Target: http://192.168.0.136/mrtg/FUZZ.html
Total requests: 45463
==================================================================
ID Response Lines Word Chars Payload
==================================================================
017405: C=200 130 L 511 W 4342 Ch "forum"
021445: C=200 423 L 1485 W 17318 Ch "index"
033776: C=200 1200 L 6038 W 48684 Ch "reference"
038982: C=200 109 L 463 W 4115 Ch "squid"
Total requests: 3036
==================================================================
ID Response Lines Word Chars Payload
==================================================================
001119: C=200 130 L 511 W 4342 Ch "forum"
001375: C=200 423 L 1485 W 17318 Ch "index"
001646: C=200 123 L 431 W 3659 Ch "logfile"
After visiting /mrtg/index.html, it's about MRTG 2.9.6, so I'm going to look into that to see what I can get.
I inspected the folder, nothing, and navigated the website, nothing, just documentation of the MRTG tool.
Thank you for reading, see you in the next article, Kioptrix 2.
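As an added example (not from this post), a small Python parser for the wfuzz result lines quoted in this post and in the Dav post above: it rebuilds the full URL of each hit from the Target line and groups hits by what the status code means to an auditor (401/403 means the resource exists but is protected, so its access control and credential hygiene deserve a look). The sample output is constructed from the lines shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the wfuzz lines quoted in the two posts, with the
# Target / summary lines wfuzz prints around them.
SAMPLE_OUTPUT = """\
Target: http://10.10.187.183/FUZZ
Total requests: 950
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000905: C=401 14 L 54 W 460 Ch "webdav"
Total time: 14.05000
Target: http://192.168.0.136/mrtg/FUZZ.html
Total requests: 3036
001119: C=200 130 L 511 W 4342 Ch "forum"
001375: C=200 423 L 1485 W 17318 Ch "index"
001646: C=200 123 L 431 W 3659 Ch "logfile"
"""

# One result row: id, status code, line/word/char counts, quoted payload.
ROW_RE = re.compile(
    r'^(?P<id>\d+):\s+C=(?P<code>\d{3})\s+(?P<lines>\d+)\s+L\s+'
    r'(?P<words>\d+)\s+W\s+(?P<chars>\d+)\s+Ch\s+"(?P<payload>[^"]*)"\s*$'
)
TARGET_RE = re.compile(r'^Target:\s+(?P<url>\S+)')

def parse_wfuzz(text):
    """Return a list of hit dicts; the URL of each hit is built from the most
    recent Target line by substituting the payload for FUZZ."""
    hits, target = [], None
    for raw in text.splitlines():
        line = raw.strip()
        t = TARGET_RE.match(line)
        if t:
            target = t.group("url")
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, separator and summary lines carry no hit
        d = m.groupdict()
        hits.append({
            "id": int(d["id"]), "code": int(d["code"]), "lines": int(d["lines"]),
            "words": int(d["words"]), "chars": int(d["chars"]), "payload": d["payload"],
            "url": target.replace("FUZZ", d["payload"]) if target else None,
        })
    return hits

def triage(hits):
    """Group URLs: 'protected' (401/403), 'exposed' (2xx), 'redirect' (3xx)."""
    groups = defaultdict(list)
    for h in hits:
        if h["code"] in (401, 403):
            groups["protected"].append(h["url"])
        elif 200 <= h["code"] < 300:
            groups["exposed"].append(h["url"])
        elif 300 <= h["code"] < 400:
            groups["redirect"].append(h["url"])
    return dict(groups)
```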
Kind regards
Abdelmouhsine Bouaouda
Monday, May 25, 2020
Hackthebox Traceback
On my path to learn offensive security I worked this weekend on the Traceback VM on Hack The Box.
I know that it's still online, so I'm just going to talk about my approach and what I have learned from this VM:
As always I start a VM with nmap to look for the services running on the server, then I moved to the web page to look at the page code and do directory fuzzing; a comment in the code helped me find the login page for the first account.
The second step was a piece of cake to get a shell as webadmin, so as a habit I ran the sudo -l command,
and it gave me the answer to get the user flag.
After validating this flag I'm now the sysadmin user; sudo -l gives nothing, it needs a password to give a result, so I uploaded the LinEnum script to help me. I noticed a process that runs repeatedly after a sleep 30, so I checked the file 00-header and tried to look for the reflection of the execution of this file: yes, when we log in as sysadmin.
Great, I got the root flag after modifying the 00-header file and the first try at logging in as sysadmin.
(I forgot to mention the .ssh file, it will help you a lot.)
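Added example, not from the post: a Python audit of the permissions on MOTD hook scripts, the defensive check that would have caught the weakness used above. It assumes 00-header is the Ubuntu /etc/update-motd.d/00-header script, which pam_motd runs as root at each login (the post itself does not say which file it is, so that is an assumption), and it builds a constructed stand-in directory so it runs offline; point audit_motd_hooks at the real directory on a host to use it.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_motd_hooks(hook_dir, expected_uid=0):
    """Return {script name: [findings]} for every file in hook_dir.
    Findings: 'group-writable', 'world-writable', 'not-owned-by-expected-uid';
    a loose directory is reported under the key '.' as 'dir-writable'.
    A hook a non-root user can edit runs as root at the next login."""
    findings = {}
    d = Path(hook_dir)
    if d.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings["."] = ["dir-writable"]
    for p in sorted(d.iterdir()):
        if not p.is_file():
            continue
        st = p.stat()
        issues = []
        if st.st_mode & stat.S_IWGRP:
            issues.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            issues.append("world-writable")
        if st.st_uid != expected_uid:
            issues.append("not-owned-by-expected-uid")
        if issues:
            findings[p.name] = issues
    return findings

def build_demo_dir():
    """Constructed stand-in for /etc/update-motd.d: one correctly locked-down
    hook and one hook left writable by everyone (the constructed weak case)."""
    hook_dir = Path(tempfile.mkdtemp()) / "update-motd.d"
    hook_dir.mkdir(mode=0o755)
    safe = hook_dir / "10-help-text"
    safe.write_text("#!/bin/sh\necho 'welcome'\n")
    safe.chmod(0o755)           # root-owned, 0755: only root can change it
    loose = hook_dir / "00-header"
    loose.write_text("#!/bin/sh\necho 'header'\n")
    loose.chmod(0o777)          # weak: any local user can rewrite the hook
    return hook_dir

def demo_findings():
    """Run the audit on the constructed directory; files there belong to the
    current user, so that uid stands in for root's."""
    return audit_motd_hooks(build_demo_dir(), expected_uid=os.getuid())
```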
Saturday, May 23, 2020
Let's start
Hi all
I have created this blog to note my path of learning offensive security: some write-ups of hacking machines on Hack The Box or TryHackMe, any challenge that I get into, or even bug bounty if I do it.
Now I'm preparing to take the CEH certificate in the next few months, so I don't have a lot of things to say about myself:
I have a master's degree in computer science and telecommunication. During my studies I learned some programming languages like C/C++ and Java, and during my two internships I learned web programming with HTML/CSS, PHP and MySQL, besides Android programming.
I already have my CCNA R&S and CCNA Security certificates; they are recommended for anyone who wants to start in the security industry.
I have five years in the IT field, the last three of them in the security field as a security consultant; I work a lot with SIEM, firewall, WAF, PSM, DAM, FIM/FAM, EDR, web proxy, all the defensive security stuff.
So let's start and do it.
Kind regards
Abdel