Showing posts with the label Vulnhub

Albania

Information:
Name: HackDay Albania 2016
VM Creator: R-73eN
Time it took me: 10+ hours. I dropped this one in November and picked it back up today. I was having trouble getting into the MySQL database because of my shell. However, when I tried again, I had no issues.
Rating: 7/10
Recommend: Yep. This VM will help you understand the /etc/passwd file and what Linux uses as hashes better. Also good for SQL injection.

    root@kali:~# nmap 10.0.2.6 -A -p 0-9000
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
    8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))
    | http-robots.txt: 26 disallowed entries (15 shown)
    | /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
    | /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
    | /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
    |_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
    |_http-server-header: Apache/2.4.18 (...

Covfefe

Information:
Name: covfefe: 1
Author: Tim Kent
Rating: 9.5/10
Recommend: Yes. Great experience cracking SSH private keys and learning simple buffer overflow exploits.

    $ nmap 10.0.2.8 -p 0-65535
    Nmap scan report for 10.0.2.8
    Host is up (0.00044s latency).
    Not shown: 65533 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    31337/tcp open Elite

Let's visit the 31337 port.

    http://10.0.2.8:31337/robots.txt
    User-agent: *
    Disallow: /.bashrc
    Disallow /.profile
    Disallow /taxes

We find the first flag in the /taxes directory. It looks like we're in someone's home directory... what a bad place to put an Apache web root. So after dirbing the directory with fuzzdb (https://github.com/fuzzdb-project/fuzzdb) raft-large-files.txt, we find out the .ssh directory exists. Copy the id_rsa private key and id_rsa.pub key. Put both of those files in your own ~/.ssh directory. This will help us SSH into the server. Use ssh2john to convert the id_rsa k...

Bulldog

Information:
Name: Bulldog
Author: Nick Frichette
Link: https://www.vulnhub.com/entry/bulldog-1,211/
Time it took me: 6-7 hours.
Rating: 7/10. It was alright. The hard part wasn't getting a shell on the box, but the privilege escalation part. The good thing about this box is it was my first time interacting with Django. I also learned about the strings command to print out string information in binaries.
Recommend: Yep.

    $ nmap -A 10.0.2.7 -p 0-10000
    Nmap scan report for 10.0.2.7
    Host is up (0.00039s latency).
    Not shown: 9998 closed ports
    PORT STATE SERVICE VERSION
    23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
    80/tcp open http WSGIServer 0.1 (Python 2.7.12)
    8080/tcp open http WSGIServer 0.1 (Python 2.7.12)

SSH is enabled on port 23. That's good to know. We see the Bulldog site is utilizing a custom WSGI Server. Let's spider it with dirb.

    $ dirb http://10.0.2.7/
    ---- Scanning URL: http://10.0.2.7/ ----
    ==>...

LazySysAdmin: 1.0

Information:
Name: LazySysAdmin 1.0
VM Creator: @TogieMcdogie
Time it took me: 2-3 hours.
Pentest Skill Level: Less than a year.

To begin, use nmap:

    22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
    139/tcp open netbios-ssn Samba smbd 3.X (workgroup: LAZYSYSADMIN)
    445/tcp open netbios-ssn Samba smbd 3.X (workgroup: LAZYSYSADMIN)
    3306/tcp open mysql
    6667/tcp open irc InspIRCd

The box description said "linux enumeration". Samba is a file sharing server. It can be used with Windows, Linux, and Mac. I always thought Samba was a "windows thing" but I suppose not. Use the tool enum4linux. I used: enum4linux -a 192.168.0.15.

    [+] Attempting to map shares on 192.168.0.15
    //192.168.0.15/print$ Mapping: DENIED, Listing: N/A
    //192.168.0.15/share$ Mapping: OK, Listing: OK
    //192.168.0.15/IPC$ Mapping: OK Listing: DENIED

We see the /share$ folder ...

Rickdiculously-Easy Walkthrough

Information:
Name: Rickdiculously-Easy (Rick and Morty themed VM)
Link: https://www.vulnhub.com/entry/rickdiculouslyeasy-1,207/
VM Creator: Luke
Time it took me: 3 days to solve it. Around 6-10 hours.
Pentest Skill Level: Less than a year.

To begin, use nmap. Note: I lost a few hours by not scanning with -p 0-65535.

    $ nmap -A -p 0-65535 192.168.0.6
    Starting Nmap 7.01 ( https://nmap.org )
    Nmap scan report for 192.168.0.6
    PORT STATE SERVICE VERSION
    21/tcp open ftp vsftpd 3.0.3
    22/tcp open ssh
    80/tcp open http Apache httpd 2.4.27
    9090/tcp open zeus-admin ssl/zeus-admin?
    13337/tcp open unknown
    22222/tcp open unknown OpenSSH 7.5 (protocol 2.0)
    60000/tcp open unknown

I will go after 80 first. I type http://192.168.0.6/robots.txt into the browser. The root_shell.cgi is a trap. Rick wouldn't make it that easy. The /cgi-bin/tracertool.cgi is what we're after. The tracerou...