Posts

Showing posts from December, 2017

Albania

Image
Information: Name: HackDay Albania 2016 VM Creator: R-73eN Time it took me: 10+ hours. I dropped this one in November and picked it back up today. I was having trouble getting into the mysql database because of my shell. However when I tried again, I had no issues. Rating: 7/10 Recommend: Yep. This VM will help you understand the /etc/passwd file and what linux uses as hashes better. Also good for SQL Injection. root@kali:~# nmap 10.0.2.6 -A -p 0-9000 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) 8008/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 26 disallowed entries (15 shown) | /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/ | /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/ | /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/ |_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/ |_http-server-header: Apache/2.4.18 (...

Covfefe

Image
Information: Name: covfefe: 1 Author: Tim Kent Rating: 9.5/10 Recommend: Yes. Great experience cracking SSH private keys and learning simple buffer overflow exploits. $ nmap 10.0.2.8 -p 0-65535 Nmap scan report for 10.0.2.8 Host is up (0.00044s latency). Not shown: 65533 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 31337/tcp open Elite Lets visit the 31337 port. http://10.0.2.8:31337/robots.txt User-agent: * Disallow: /.bashrc Disallow /.profile Disallow /taxes We find the first flag in the the /taxes directory. It looks like were in someones home directory... what a bad place to put an Apache web root. So after dirbing the directory with fuzzdb (https://github.com/fuzzdb-project/fuzzdb) raft-large-files.txt, we find out the .ssh directory exists. Copy the id_rsa private key and id_rsa.pub key. Put both of those files in your own ~/.ssh directory. This will help us SSH into the server. Use ssh2john to convert the id_rsa k...

Bulldog

Image
Information: Name: Bullodog Author: Nick Frichette Link: https://www.vulnhub.com/entry/bulldog-1,211/ Time it took me: 6-7 hours. Rating: 7/10. It was alright. The hard part wasn't getting a shell on the box, but the privilege escalation part. The good thing about this box is it was my first time interacting with Django. I also learned about the strings command to print out string information in binaries. Recommend: Yep. $ nmap -A 10.0.2.7 -p 0-10000 Nmap scan report for 10.0.2.7 Host is up (0.00039s latency). Not shown: 9998 closed ports PORT STATE SERVICE VERSION 23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http WSGIServer 0.1 (Python 2.7.12) 8080/tcp open http WSGIServer 0.1 (Python 2.7.12) SSH is enabled on port 23. Thats good to know. We see the Bulldog site is utilizing a custom WSGI Server. Lets spider it with dirb. $ dirb http://10.0.2.7/ ---- Scanning URL: http://10.0.2.7/ ---- ==>...