Art Lind

1601582400

Writeup-Vulnhub-Kioptrix

This writeup goes through exploiting outdated services/applications to get a root shell on the machine. The target machine used is Kioptrix 2014, available on Vulnhub.

Objective:

  1. Find hidden directories
  2. Exploit outdated versions of web application services
  3. Intercept traffic via Burp Suite and replay it to get access to restricted URL paths

Getting Started

To get started, download the OVA file available on Vulnhub and open it in VMware or VirtualBox. Fire up your Kali Linux or Parrot distribution for attacking the target machine.

Recon & Scanning Phase

Use netdiscover to find the IP of our target machine. Since we don’t know the IP, we scan the whole network range using the following command:

netdiscover -r 192.168.0.0/16

So we have our target IP now, as seen below.

#privilege-escalation #pentesting #linux #exploitation #vulnhub


Birdie Daniel

1593368580

ERP PENTEST: Metasploit Writeup

What to do if we happen to be tasked with an SAP penetration test?

#sap #cybersecurity #metasploit #writeup #erp #testing

Houston Sipes

1594341900

[HTB] JSON — Write-up

Welcome to the JSON box writeup! This was a medium-difficulty box and fun to play with. For the initial shell, you need to identify a vulnerability related to JSON-based deserialization on the website; by leveraging this issue together with a Bearer: header, you can get RCE on the box. For the root shell, you can leverage a permissive privilege configured for the initial user, SeImpersonatePrivilege, to perform a JuicyPotato exploit and get a SYSTEM shell. Let’s get started.

Recon

Nmap

As usual, let’s start with a basic Nmap discovery scan:

nmap -Pn --open -sC -sV -p- -T4 10.10.10.158

From the scan, we have some interesting ports:

  • FTP (21/TCP) — *Anonymous login was not allowed
  • HTTP (80/TCP)
  • SMB (445/TCP) — *No null session allowed
  • WinRM (5985/TCP) — *The default port for Windows Remote Management (WinRM). If we have a user who is part of the “Remote Management Users” group and her credentials, we can gain a remote shell through this service. However, this was not needed to gain an initial shell on this box.

Web Server (HTTP — 80/TCP)

So from the initial scan, it looks like we need to focus on the web server first.

The front page was a login page, and it was configured with weak credentials:

Username = admin : Password = admin

Once logged in as the “Admin” user, the website itself was pretty much a dead end. Pages and functions were either static or returned 404 Not Found.

Web Server — Dirsearch

When you are targeting a web server, it is recommended to do directory brute-forcing to check if there are any hidden files/folders. I used Dirsearch tool to accomplish this.

/files/password.txt

There was a password.txt file under the /files folder, but it was a troll. -_-

However, an interesting file, Account, was found under the /api directory.

#hackthebox-writeup #json #json-writeup #juicypotato #hackthebox

Einar Hintz

1593495960

InjuredAndroid CTF Writeup

In this article, I will be walking through the InjuredAndroid CTF. This is a vulnerable Android application with CTF examples based on bug bounty findings, exploitation concepts, and pure creativity. I have left a link to the creator’s GitHub and the GitHub repository I used to download the APK in the references below for anyone interested in trying out the CTF themselves.


Disclaimer

This writeup will obviously contain spoilers and I encourage readers to attempt this CTF before looking at this article. You will learn more by attempting it yourself first and will gain more satisfaction from solving the challenges yourself.

The author of this CTF has also mentioned that:

Looking at the source code of the applications in the InjuredAndroid directory, InjuredAndroid FlagWalkthroughs.md file, or binary source code in the Binaries directory will spoil some if not all of the ctf challenges.

I must also point out that challenges seven and eight in the release of the APK I used do not function properly and do not have flags. I discovered this after starting the writeup and decided to continue anyway. With all that said, it’s time to move on to the writeup!


Initial Setup

For this CTF, I will be using a Kali Linux virtual machine as my host device and a Samsung Galaxy S8 emulator created with Genymotion with the following specs:

To begin the CTF, I connected to my emulator using Android Debug Bridge (ADB) and installed the “injuredandroid.apk” file.

Looking at my emulator, I can see that the application has been installed successfully.

The CTF author also highly recommends decompiling the “injuredandroid.apk”. To accomplish this, I will be using a tool called Mobile Security Framework (MobSF). MobSF automates the process of decompiling the APK, reading the manifest file, identifying issues in the source code and in the Manifest file, extracting the certificate of the application etc. and saves me from having to do this manually. The image below shows the application has been successfully decompiled by MobSF.

With the initial setup out of the way, I can now move on to the challenges.


XSS Test

Opening the application, I am greeted with the following main activity.

There appear to be eight flags in total. According to the author:

XSSTEST is just for fun and to raise awareness on how WebViews can be made vulnerable to XSS.

Looking at the XSSTEST activity, I am presented with a simple input field where I can submit text.

I can enter some simple JavaScript that creates an alert box to demonstrate whether the vulnerability exists.

<script>alert('XSS!!')</script>

Entering this input causes an alert box to be generated when the activity used to display our input is loaded.

The challenge recommends looking at the “DisplayPostXSS” activity to determine what makes this activity vulnerable. The source code for the “DisplayPostXSS” activity can be seen in the image below.

Examining the source code, I can see that a new WebView object is created which allows developers to display web content as part of their activity layout. This activity is vulnerable to XSS because the developer has enabled JavaScript execution as seen highlighted in red above. This is a nice, simple example of how developers can leave WebViews vulnerable to XSS.

#mobile-app-security #ctf-writeup #technology #android #mobile-app-testing

Clemmie Will

1596605700

Write-Up 10- TryHackMe- Linux Challenges Part 2

So, moving on from where we left off in the previous part. You can check Part 1 here in case you have difficulty following along.

[Task 4] Data Representation, Strings, and Permissions

This section will focus mainly on how data is represented on the Linux System. In addition to that don’t forget to use searching skills as some of the tasks may require independent research using Google or any other reference material.

We find Flag20 in Alice’s directory. When we cat the file we see that the content is base64-encoded and needs to be decoded. As seen below, we can recognize a base64-encoded string by its character set [A-Z, a-z, 0-9, +, /]. So let’s decode the string to obtain our flag, using the following command: cat flag20 | base64 --decode

Decoding String to find out Flag 20

Moving on to our next flag, flag21. This flag is a PHP file, and by using the less command we find our flag as seen below. less outputs the content of a file one page at a time; it’s similar to more but with more functionality.

#beginners-guide #cybersecurity #linux #writeup #ctf