Plethora
we will start with enumeration, we're gonna use Nmap to see what ports and services are running
as we can see we have a lot, keep them in a txt file, we're gonna use some of them later but for now
we have port 80 open which means we have a web service up and running
as we can see we have a web page
let's take a look at the page source
ok let's open those machines one by one, let's start with DVWA
------------------------------------
DVWA
DVWA is a well-known vulnerable web app with username: admin and password: password
log in and go to the Command Injection tab, this vulnerability is about running a command on the server side so
we're gonna use it to capture our flag
use: ping bing.com;cat /flag.txt
flag 1 Done! ✌
------------------------------------
XVWA
as we did with DVWA we're gonna do it here, navigate to the OS Command Injection tab
and run this
use: ping bing.com;cat /flag.txt
flag 2 Done! ✌
------------------------------------
Mutillidae
Mutillidae is also a well-known vulnerable web app so we're gonna navigate to the Command Injection tab and
use: ping bing.com;cat /flag.txt
flag 3 Done! ✌
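All three apps above (DVWA, XVWA and Mutillidae) fall to the same `ping bing.com;cat /flag.txt` trick because the "ping" page pastes the form field into a shell string. The following is an added example (not code from any of those projects or from the writeup) showing the vulnerable pattern as a string next to the hardened form: validate the target against an allow-list, then build an argv list so no shell ever parses the input. The sample inputs are constructed; `run_ping` is the only part that would actually touch the network and the demo does not call it.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs for the "ping" form; the second one is the payload used on the three apps.
SAMPLE_INPUTS = [
    "bing.com",
    "bing.com;cat /flag.txt",
    "8.8.8.8 && id",
    "$(whoami).example.org",
]

# Shell metacharacters an injection payload relies on once the input lands inside a shell string.
SHELL_METACHARS = re.compile(r"[;&|`$()<>\n\r]")

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens, at most 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def vulnerable_ping_command(host: str) -> str:
    """Model of the vulnerable pattern: user input concatenated into a single shell string.

    Handing this to a shell (shell=True, system(), backticks) lets ';' start a second command.
    It is returned as a string only, so the problem is visible without anything being executed.
    """
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allow-list check: an IP literal or a syntactically valid hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def safe_ping_argv(host: str) -> list:
    """Hardened form: validate first, then build an argv list so no shell parses the input."""
    if not is_valid_host(host):
        raise ValueError(f"rejected ping target: {host!r}")
    # subprocess.run() with a list never invokes /bin/sh, so metacharacters have no meaning.
    return ["ping", "-c", "1", host]


def classify_input(raw: str) -> dict:
    """Triage helper for a WAF rule or log review: would the input be accepted, and why not."""
    finding = {
        "input": raw,
        "valid_host": is_valid_host(raw),
        "metachars": sorted(set(SHELL_METACHARS.findall(raw))),
    }
    finding["verdict"] = "allow" if finding["valid_host"] and not finding["metachars"] else "block"
    return finding


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Ping with the hardened argv and return the exit status (not called by the demo below)."""
    result = subprocess.run(safe_ping_argv(host), capture_output=True, timeout=timeout, check=False)
    return result.returncode


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(classify_input(raw))
        print("  as a shell string this would become:", vulnerable_ping_command(raw))
```

The allow-list is the real fix; the metacharacter scan is only there to explain a rejection in logs, since a deny-list on its own misses encodings and newline tricks.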
------------------------------------
JuiceShop
this flag made me mad 👿
I tried everything but none of it worked and suddenly something hit me, whattt! if I was able to get root access
then I could get this flag from inside the system!!!!!
so I moved on and got root access, I searched for flags using this
use: find / -type f -name '*.txt' | grep flag
and bingo I found it
flag 4 Done! ✌
------------------------------------
Vulnbank
Vulnbank is a vulnerable web app you can download from Github
if you take a look at the project you're gonna see that the web app has a Remote Code Execution (ImageTragick, CVE-2016-3714)
vulnerability
first, you need to read robots.txt and you will find that /vulnbank/online/ is your way in, run gobuster and you will
find the login page at /vulnbank/online/login.php, after a bit of searching in the project repo the
default username and password for that machine is j.doe:password so let's log in
we know the web app is vulnerable to Remote Code Execution (ImageTragick, CVE-2016-3714) so let's navigate to
the user profile to upload our payload
after a bit of searching, I found all we need here imagetragick
so our payload will be
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg";|cat /flag.txt > hack.txt")'
pop graphic-context
take this and save it into a file and name it pic.png
and upload it as a profile pic
after the upload, navigate to this URL /vulnbank/online/hack.txt and you will find the flag!
flag 5 Done! ✌
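The "pic.png" above is not a PNG at all, it is an MVG text file that ImageMagick parses because it sniffs the content rather than trusting the extension. As an added example (not Vulnbank's code and not part of the writeup), here is the check a profile-picture upload handler should have run before passing the file to ImageMagick: compare the claimed extension against the file's magic bytes, and refuse ImageMagick text formats and `url()` arguments carrying shell metacharacters. The sample payload is the one from the writeup; the PNG header bytes are constructed.

```python
import re

# Constructed: the MVG payload from the writeup, exactly what ends up inside "pic.png".
MVG_PAYLOAD = b"""push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg";|cat /flag.txt > hack.txt")'
pop graphic-context
"""

# Constructed: the 8-byte PNG signature followed by the start of an IHDR chunk.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13

# Magic bytes for the raster formats a profile-picture endpoint has any reason to accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Markers of ImageMagick text formats (MVG, SVG) that the library would parse regardless of the name.
MVG_MARKERS = (b"push graphic-context", b"viewbox", b"fill 'url(", b"<svg")

# Shell metacharacters inside a url() argument are what turned the delegate call into an RCE.
SHELL_IN_URL = re.compile(rb"url\([^)]*[|;`$&]")


def sniff_type(data: bytes):
    """Return the image type implied by the leading bytes, or None if no known signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_upload(data: bytes, claimed_name: str) -> dict:
    """Decide whether an uploaded file may be handed to an image library, with the reasons recorded."""
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    ext = {"jpg": "jpeg"}.get(ext, ext)
    sniffed = sniff_type(data)
    findings = []
    if sniffed is None:
        findings.append("no known image signature")
    elif sniffed != ext:
        findings.append(f"extension {ext!r} does not match content {sniffed!r}")
    head = data[:4096].lower()
    hits = [m.decode() for m in MVG_MARKERS if m.lower() in head]
    if hits:
        findings.append("ImageMagick text-format markers: " + ", ".join(hits))
    if SHELL_IN_URL.search(data):
        findings.append("shell metacharacters inside url()")
    return {"name": claimed_name, "sniffed": sniffed, "findings": findings, "accept": not findings}


if __name__ == "__main__":
    for name, blob in (("pic.png", MVG_PAYLOAD), ("avatar.png", REAL_PNG)):
        print(inspect_upload(blob, name))
```

Content sniffing on the server side is the cheap half; the fix the ImageTragick advisory itself recommended was an ImageMagick `policy.xml` that disables the EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN and PLT coders, so a file like this is rejected even if it gets past the upload handler.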
------------------------------------
User flag
now it's time to get into that machine
as we know we have a lot of ports open, ssh is there so we need to get a username and password
we're gonna use enum4linux
use: enum4linux machine-IP
after not a long time we're gonna see the users enumeration pop up
we have got two names and the root user so we need to brute-force this user to get the password, we're gonna use hydra for that
use: hydra -l username-you-found -P /location-to-rockyou.txt ssh://machine-IP
so now we have a username and password, go and use them with ssh
and boom we are in, cat user.txt
user flag Done! ✌
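A hydra run against sshd like the one above is loud: every guess is one `Failed password` line in the auth log, followed by an `Accepted password` when the wordlist hits. As an added example (not from the writeup or any tool it uses), this detector reads sshd lines in syslog format, flags a source address that produced a burst of failures inside a short window, and reports any password login that address got afterwards. The log excerpt is constructed; the hostname, users and addresses in it are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt: one client running a wordlist against sshd, then logging in,
# plus a benign key login and a single typo from another host.
AUTH_LOG = """\
Mar  3 10:15:01 plethora sshd[2111]: Failed password for invalid user test from 10.10.14.5 port 40110 ssh2
Mar  3 10:15:01 plethora sshd[2113]: Failed password for alice from 10.10.14.5 port 40112 ssh2
Mar  3 10:15:02 plethora sshd[2115]: Failed password for alice from 10.10.14.5 port 40114 ssh2
Mar  3 10:15:02 plethora sshd[2117]: Failed password for alice from 10.10.14.5 port 40116 ssh2
Mar  3 10:15:03 plethora sshd[2119]: Failed password for invalid user admin from 10.10.14.5 port 40118 ssh2
Mar  3 10:15:03 plethora sshd[2121]: Failed password for alice from 10.10.14.5 port 40120 ssh2
Mar  3 10:15:04 plethora sshd[2123]: Failed password for alice from 10.10.14.5 port 40122 ssh2
Mar  3 10:15:04 plethora sshd[2125]: Failed password for root from 10.10.14.5 port 40124 ssh2
Mar  3 10:15:09 plethora sshd[2131]: Accepted password for alice from 10.10.14.5 port 40130 ssh2
Mar  3 10:20:44 plethora sshd[2200]: Accepted publickey for bob from 192.168.1.20 port 51000 ssh2
Mar  3 10:31:12 plethora sshd[2210]: Failed password for bob from 192.168.1.20 port 51004 ssh2
"""

# Both the "Failed password for alice" and "Failed password for invalid user test" shapes are covered.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Turn one sshd syslog line into a dict, or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; the parsed value is only used for deltas within a day.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Report source IPs with `threshold` failed logins inside `window_seconds`, and what they got afterwards."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    report = {}
    for ip, evs in events.items():
        fail_ts = [e["ts"] for e in evs if e["result"] == "Failed"]
        burst_at = None
        # sliding window over consecutive failures: the first time `threshold` of them fit in the window
        for i in range(threshold - 1, len(fail_ts)):
            if (fail_ts[i] - fail_ts[i - threshold + 1]).total_seconds() <= window_seconds:
                burst_at = fail_ts[i]
                break
        if burst_at is None:
            continue
        report[ip] = {
            "failures": len(fail_ts),
            "users": sorted({e["user"] for e in evs if e["result"] == "Failed"}),
            # a successful login from the same address after the burst is the guess that worked
            "accepted_after_burst": [
                e["user"] for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_at
            ],
        }
    return report


if __name__ == "__main__":
    for ip, info in detect_bruteforce(AUTH_LOG.splitlines()).items():
        print(ip, info)
```

The `accepted_after_burst` field is the one worth alerting on: a burst alone is noise on any internet-facing box, a burst followed by a password success from the same address is an account to lock and a session to investigate. The same rule is what a fail2ban jail or `MaxAuthTries` plus key-only auth in `sshd_config` prevents from ever getting that far.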
------------------------------------
Root flag
after we get the user login we need to escalate our privileges to read the root flag
the first thing I search for is what commands that user can run as root, so run " sudo -l " as you can see this user
can run a lot of commands so I run
use: sudo /bin/bash
and here we goooo we are root
go to the root folder and cat root.txt
Root flag Done! 😎
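The whole root step is `sudo -l` showing a rule that lets the user run a shell as root. As an added example (not from the writeup), here is the audit a sysadmin can run over `sudo -l` output to catch those rules before someone else does: parse each `(runas) [TAG:] command` entry and flag `ALL`, a direct shell, and binaries with a well-known shell escape (editors, pagers, `find`, `awk`, script interpreters). The sample output is constructed for a hypothetical user `alice`; the tag and entry syntax follows what `sudo -l` prints.

```python
import re

# Constructed "sudo -l" output for a low-privilege account (hypothetical user, host and rules).
SUDO_L_OUTPUT = """\
Matching Defaults entries for alice on plethora:
    env_reset, mail_badpass, use_pty

User alice may run the following commands on plethora:
    (ALL : ALL) ALL
    (root) NOPASSWD: /bin/bash
    (root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
    (www-data) NOPASSWD: /usr/bin/vim
"""

ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(
    r"^(?P<tag>NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)

# Running any of these as root is a root shell outright.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}
# Binaries that can spawn a shell or write arbitrary files from inside (well-known shell escapes).
SHELL_ESCAPES = {"vim", "vi", "less", "more", "find", "awk", "perl", "python", "python3", "nano", "man", "env"}


def parse_sudo_l(text: str) -> list:
    """Extract the (runas, tags, command) triples from the 'may run the following commands' section."""
    entries = []
    in_cmds = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("User ") and "may run the following commands" in s:
            in_cmds = True
            continue
        if not in_cmds or not s:
            continue
        m = ENTRY_RE.match(s)
        if not m:
            continue
        runas = m.group("runas").strip()
        rest = m.group("rest").strip()
        tags = []
        # tags such as NOPASSWD: or SETENV: prefix the command list and may stack
        while True:
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group("tag"))
            rest = rest[t.end():]
        for cmd in rest.split(","):
            entries.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return entries


def audit(entries: list) -> list:
    """Flag entries that hand out a root shell directly or through a known escape."""
    findings = []
    for e in entries:
        cmd = e["command"]
        base = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            severity, reason = "critical", "any command as the target user"
        elif base in SHELLS:
            severity, reason = "critical", "grants a shell directly"
        elif base in SHELL_ESCAPES:
            severity, reason = "high", f"{base} has a documented shell escape"
        else:
            continue
        if "NOPASSWD" in e["tags"]:
            reason += ", without a password"
        findings.append({"severity": severity, "runas": e["runas"], "command": cmd, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f)
```

The `systemctl restart nginx` style entries pass because they name one binary with fixed arguments; that is the shape a sudo rule should have, and anything broader than that is what this check is meant to surface during review.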