Categories: LFI, Vulnhub, Walkthrough

Wintermute 1 Vulnhub Walkthrough

The target machine's IP is 192.168.56.102.

Wintermute 1 can be found on the VulnHub website.

We scan the target machine with nmapAutomator.

We look at the login page on port 3000.

The system gives a hint for the username and password. They are ‘admin’, ‘admin’. We log in to the page and notice a path on the host named /turning-bolo/

We connect to port 80 on the target machine.

We press the Submit Query button.

There is an LFI vulnerability on the website: the URL ends in case, but in the text the file is written with a .log extension. This means it is LFI.

We inject a PHP web shell command via the SMTP port. We use nc to send the PHP code.

We check whether the code works.
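Seen from the defender's side, text sent to the SMTP port and later reached through the LFI leaves PHP open tags in a log file. The following is an added example, not part of the original walkthrough: it scans log text for such tags. The Postfix-style sample lines are constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in a Postfix-style syslog format (not from the page).
SAMPLE_LOG = """\
Jul  4 10:01:12 mail postfix/smtpd[2211]: connect from unknown[192.0.2.10]
Jul  4 10:01:15 mail postfix/smtpd[2211]: warning: Illegal address syntax from unknown[192.0.2.10] in RCPT command: <?php echo 'test'; ?>
Jul  4 10:01:20 mail postfix/smtpd[2211]: disconnect from unknown[192.0.2.10]
Jul  4 10:05:02 mail postfix/smtpd[2290]: connect from relay.example.org[198.51.100.7]
Jul  4 10:05:03 mail postfix/smtpd[2290]: 4F1A2C0: client=relay.example.org[198.51.100.7]
Jul  4 10:05:04 mail postfix/cleanup[2291]: 4F1A2C0: message-id=<20240704.abc@example.org>
Jul  4 10:09:41 mail postfix/smtpd[2302]: warning: Illegal address syntax from unknown[192.0.2.10] in MAIL command: <?= 'x' ?>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
    r"(?P<proc>[\w/-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "<?php", "<?=" or a bare short tag; "<?xml" is deliberately not matched.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)


def find_php_in_log(log_text):
    """Return one finding per log line that contains a PHP open tag."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parsed = LINE_RE.match(line)
        msg = parsed.group("msg") if parsed else line  # scan odd lines too
        if not PHP_TAG_RE.search(msg):
            continue
        client = CLIENT_RE.search(msg)
        findings.append({
            "line": lineno,
            "time": parsed.group("ts") if parsed else None,
            "process": parsed.group("proc") if parsed else None,
            "client": client.group(1) if client else None,
        })
    return findings


def summarize(findings):
    """Count findings per client address so repeat sources stand out."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    for finding in find_php_in_log(SAMPLE_LOG):
        print(finding)
```

A log that is readable by the web server user and reachable through an include is the condition that turns such an entry into code execution, so any hit is worth checking against the web server's access log for requests that reference the same file.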

The code runs on the target website. We try to add reverseshell.py

We start an HTTP server on port 8080 so that reverseshell.php can be downloaded with wget.

The reverse shell runs on the system.

We download linpeas and run it on the system. We see a SUID bit vulnerability.

We run the .sh file under the tmp directory.

We run into a problem and search the web for it. We find a solution. As a result, we run the file. We get root.

Error resolution

Categories: Vulnhub, Walkthrough, Wordpress

STAPLER Vulnhub Walkthrough

The target machine's IP is 10.0.2.17.

STAPLER can be found on the VulnHub website.

We scan the target machine with nmapAutomator.

We try to log in to the FTP server with default credentials. The default credentials are “anonymous”, “anonymous”.

We see a note on the FTP server and download it to our local machine with the get command.

We try to connect over SSH. A password is required to connect, but we find a username. Maybe it will work.

We discover with nmapAutomator that there is a WordPress website on port 12380.

We scan WordPress with wpscan and get an SSL error.

We disable the SSL check.

We find the advanced video plugin.

We look at the advanced video plugin's readme file, search for the plugin version in Exploit-DB, and find an exploit for advanced video.

We try to find wp-config using a file path. We get an error.

We write the full path of wp-config.

We look at https://localhost:12380/blogblog/wp-content/uploads.

We download 3992227223.jpeg with the wget command and examine the JPEG file with nano.

We find the username and password for the WordPress database and connect to MySQL with these credentials.
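The .jpeg in the uploads directory held configuration text rather than image data, which is something a defender can check for. The following is an added example, not part of the original walkthrough: it walks an uploads directory and reports image-named files whose leading bytes are not an image or that contain PHP or WordPress configuration markers. The function name, marker list and directory argument are assumptions.

```python
import os

# Leading bytes of the image types this check recognises.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Strings that suggest PHP source or WordPress configuration (assumed list).
MARKERS = (b"<?php", b"DB_PASSWORD", b"DB_USER")


def audit_uploads(root, head_size=4096):
    """Report image-named files under root that do not look like images.

    Only the first head_size bytes are inspected, so markers placed
    deeper in a large file are not seen by this check.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue  # not named like an image, out of scope here
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(head_size)
            is_image = head.startswith(MAGIC[ext])
            hits = [m.decode() for m in MARKERS if m in head]
            # Flag wrong magic bytes, and valid images carrying markers.
            if not is_image or hits:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "is_image": is_image,
                    "markers": hits,
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for finding in audit_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```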

We look at the WordPress database and show its tables.

We find the user_pass hashes. With a hash identifier, we learn which hashing scheme is used. John is important because his is the name that appears on the WordPress blog.

We crack the hash with hashcat.

John’s password is ‘incorrect’, and we log in to WordPress.

We look at the plugins and get an error when we try to add a new plugin.

We decide to add the plugin manually. We go to the upload page.

We upload a PHP file for the reverse shell.

Before we run php-reverse-shell.php, we listen on the relevant port with the nc command.

We look at the bash histories of the users.

We find SSH credentials for the username peter and connect over SSH. We run the sudo -l command. We see an important message that is necessary to get root. The message is ‘User peter may run the following commands on red’.

Categories: Vulnhub, Walkthrough

PwnOS 2.0 Vulnhub Machine

The target machine's IP is 10.10.10.100.

PwnOS 2.0 can be found on the VulnHub website.

We scan the target machine with nmapAutomator.

We find a login page.

The WordPress PHP version is 0.4.0. We searched the internet for vulnerabilities and found one.

We execute ./1191.pl -h target machine -e 1 and see a cmd.php file in target/images.

We click the cmd.php file.

We get a web shell and execute a reverse shell.

We get the reverse shell.

We see a mysqli_connect.php file under the var directory.

We get root using the credentials ‘root’, ‘root@ISIntS’.

Categories: Suid Bit, Vulnhub, Walkthrough, Wordpress

DC6 Vulnhub Walkthrough

The target machine's IP is 192.168.209.130.

DC6 can be found on the VulnHub website.

We scan the target machine with nmapAutomator.

We find some usernames that may be useful.

We connect to the website and see that it was built with WordPress.

There is a clue from the creator of the target machine. We follow it.

The clue suggests that a brute-force attack will be needed. We brute-force the WordPress page with wpscan, which is a very powerful tool for WordPress sites.

We find a password that matches a username.

We log in to the website.

Activity Monitor looks interesting, so we search for it on the Exploit-DB website.

We find a related exploit that we can use and change the necessary parts.

exploit

We open the file with Firefox and see an HTML page with a single button.

Before we press the button, we execute the nc command.

We get a shell on the system.

We find a strange file under the mark directory.

The file gives login information for the user graham. We connect as graham via SSH.

We start an HTTP server to serve linpeas for use against the target machine, and download it on the target machine with wget.

We execute linpeas and find a SUID bit.

We change backups.sh.

We execute /home/jens/backups.sh.

We execute linpeas again. We find a SUID bit.

We search for a privilege escalation via the nmap command.

We get root.