Infosec1 Vulnhub Machine Walkthrough 
By Prabhudarshan Samal


Guided by Mahesh Rao Sir

Author: Vishal Biswas

Pre-requisites for better understanding of the walkthrough

1. Burp Suite

2. Linux commands

3. dirb tool

4. nmap

5. Web elements inspection

6. Web technology terminologies

Let's dive into the world of cybersecurity with this walkthrough.

Download the OVA file from the VulnHub website or directly through this link:

https://www.vulnhub.com/entry/infosecwarrior-ctf-2020-01446/

1. We ran an nmap ping scan of the network using the command:

nmap -sn 10.0.2.0/24

2. Then we ran an nmap service and version detection scan (-sV) on each host found.

nmap -sV 10.0.2.6

We noticed that on host 10.0.2.6 two ports are open, 22 for SSH and 80 for HTTP, so we opened the site in a web browser to check the state of the machine.

Browsing the site gave us no clues, so we went on to further analysis with the dirb tool.

dirb http://10.0.2.6

3. Looking closely at the directories, we find status code 200 OK at one particular location: http://10.0.2.6/sitemap.xml

In the <loc> tag we find the index.htnl page, and on accessing it we get

We find this funny gif but the story doesn't end here…

Time to do some vulnerability checks, so let us inspect the web page.

Change the <form action> tag by deleting the hidden attribute and changing the GET method to POST.

As we can see, after changing the GET method to POST there is a text area asking for a command, and a submit button.

To test it, we entered the shell command echo "hackNos".

Boom!! It's vulnerable to command injection. Let us use Burp Suite and go to the next level.

Intercept the GET request and change the value of "AI" from echo%20hackNos%20 to cat /etc/passwd

Note: We are doing this to read /etc/passwd, the system's password file.

We then found a file named cmd.php, so in AI we typed and requested cat cmd.php

The cmd.php page gave us the ID and password. Since port 22 was open, we log in over SSH with them and check the result.

On login, we got access to the user. Now it's time for privilege escalation:

sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'

This command gives us root privileges. sudo runs the command in superuser mode; rpm is the Red Hat Package Manager; --eval evaluates the expression that follows; %{lua:...} is the macro syntax for Lua, a scripting language; posix is the POSIX (operating system interface) library; and exec executes the program at the given path, /bin/sh, which gives us the access.

cd /root takes us into /root, ls shows the presence of flag.txt, and with the cat command we finally get our flag. Our job is done.
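From the defender's side, the privilege-escalation step above works only because the sudo policy lets the user run rpm. The following is an added example, not part of the original walkthrough or the machine author's material: a small audit that flags sudoers rules granting rpm (or ALL) to a non-root user. The sample policy, the user names and the SHELL_CAPABLE set are constructed assumptions, and only plain user rules and Cmnd_Alias definitions are handled (include directives are not followed).

```python
import os
import re

# Binaries that can start a shell when run through sudo. rpm is the one this
# walkthrough used (--eval runs embedded Lua); extend the set for your hosts.
SHELL_CAPABLE = {"rpm"}

# Constructed sample policy, not taken from the target machine.
SAMPLE_SUDOERS = """\
Cmnd_Alias PKG = /usr/bin/rpm, \\
                 /usr/bin/yum
root    ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: PKG, /usr/bin/systemctl restart httpd
backup  ALL=(root) /usr/bin/rsync   # nightly job
"""

def audit_sudoers(text):
    """Return (user, command, nopasswd) for each rule granting a risky binary."""
    # Join backslash continuations, then drop comments and blank lines.
    text = re.sub(r"\\\n\s*", " ", text)
    lines = [raw.split("#", 1)[0].strip() for raw in text.splitlines()]
    lines = [line for line in lines if line]
    aliases = {}
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    findings = []
    for line in lines:
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m or re.match(r"(\w+_Alias|Defaults)\b", line):
            continue
        user, nopasswd = m.group(1), False
        for item in (c.strip() for c in m.group(2).split(",")):
            tags = re.match(r"((?:[A-Z_]+:\s*)*)(.*)", item)
            if "NOPASSWD:" in tags.group(1):
                nopasswd = True      # a tag applies to the rest of the list
            elif "PASSWD:" in tags.group(1):
                nopasswd = False
            # Expand a Cmnd_Alias name into its members, else keep the command.
            for cmd in aliases.get(tags.group(2), [tags.group(2)]):
                binary = os.path.basename(cmd.split()[0]) if cmd else ""
                if binary in SHELL_CAPABLE or (cmd == "ALL" and user != "root"):
                    findings.append((user, cmd, nopasswd))
    return findings

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE_SUDOERS))
```

Any rule it reports should be removed or replaced with a narrowly scoped wrapper, because a package manager run as root is equivalent to a root shell.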