Hi friends I am CodeNinja a.k.a Aakash Choudhary and today i solved another machine SkyDog CTF vulnhub machine which is 1st machine in 2 Series. And guess what ? I did 90% myself this time.
I learned a lot from this machine.
You can download this vulnhub machine from here -> https://www.vulnhub.com/entry/skydog-1,142/
So, lets start the writeup solution
===================================================================
ATTACKING IP: 192.168.56.130
VICTIM IP: 192.168.56.131
First starting with my keepnote screenshot
=================================================================
Ok,So i DIVIDE this section into ->
I got IP -> 192.168.56.131
Now next step to get MAC ADDRESS
So we got MAC ADDRESS ->
MASSCAN
Result --->
Now NMAP to get more info about PORTS
NMAP
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.57 seconds
So PORTS -> 80,22 open which is HTTP,SSH respectively
I noted down this in my keepnote
As HTTP Open so first start to browse website
When i open I saw this
Ok lets figure out source-codes,comments,robots.txt,and grab directories and this is usually basic steps to do while pentesting as ENUMERATION ENUMERATION and ENUMERATION is the essential for every pentester to get more information about TARGET
Also as that web page have an image file so just save that file and then using exiftool command examine that image file
We got our first Flag
TOO MANY SECRETS
hmm OK
Lets check its source code
In terms of Trust i got this
Now i got this from above source code
Got http://192.168.56.131/Setec/Astronomy/ directory
I noted down it and checked
I downloaded Whistler.zip file and checked
Password hmm don't know password ? Lets figure it out. Till now what i got is i tried that as password but failed. Then using google i got to know password cracker for zip file -> fcrackzip
First i do man fcrackzip to know about this
Then i used it after understand it
Ok we got our 3rd FLAG :D
Ok now what
Just check that new directory
Now that directory --> 192.168.56.131/PlayTronics/ have two things
1. companytraffic.pcap file
2. flag.txt
Now we got these two details on those directories
one is FLAG and one is companytraffic.pcap
i checked flag and got our 4th flag
Ok now i noted this "leroybrown" in my keepnote
Now its time for 5th Flag now :D
"We should know various ways to do same task"
Like there is tcpdump , tcpick, tshark too for same task
So i google now -> various ways to read pcap file
I got many results like ->
https://github.com/caesar0301/awesome-pcaptools
http://bikulov.org/blog/2012/11/03/tools-for-tracing-a-pcap-file-in-linux-bash/
https://www.blackbytes.info/2012/01/four-ways-to-extract-files-from-pcaps/
http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html
So many new things i learned while reading those above resources
I downloaded chaosreader and used it
First about Chaosreader -->
Now just open that pcap file in wireshark and figuring out it
Then FOLLOW TCP STREAM
I got this interesting ->
GET /8Q3zbtBpxOHb.128.mp3?
A mp3 file. So does it contain clue or hint for next step ? Yes Lets download it
Now how to download it ? There is a way for this just see this
Click on -> File -> Export Objects -> HTTP
and then i saved that mp3 file as audio.mp3
OK now lets listen it
Its saying this
Hi, my name is Werner Brandes. My voice is my password. Verify me.
So i google about this and got this youtube
So now what i did is just saved that name
Also in that video that person using "Werner Brandes" 's voice to access something
Now i thought what to do with this ? So i checked my notes to get more clue might be i am missing something..
I just checked my user details and then thought as i got many user information why not try to use these username as SSH to get connect
Should i also use that Werner Brandes to connect SSH ? May be
Then i made usernames.txt file and password.txt file and used three things to crack SSH Login information
Though i had clue about that name werner brandes but i still made those files
1. First hyrdra
2. Second msfconsole -> ssh login module
3. Patator and i loving it since i got to know about this
Before using these 3 tools i first sharing my usernames list here which i saved same as password.txt
Mean both file have same names
Hydra
MSFCONSOLE
So we got ->
username -> wernerbrandes
password -> leroybrown
Now lets use same ssh cracking using patator
PATATOR
REALLY patator is very awesome and i am liking it very much
so wernerbrandes:leroybrown is the username and password
In future i will make script for get clean output from patator results sure and google is the main source for this
Now lets use SSH to get connection
password -> leroybrown
Awesome we got in :D
Awesome we got our 5th FLAG -->
After decode ---> Dr. Gunter Janek
This is nothing just a Karate Kid movie mp4 video file
I wrote a c file for exploit [all right all right i have an privilege escalation text file and there is little script for that purpose]
When i going to save then error came which was related to writable.
Mean we now have to find writable path
full permission 😮
also as this file removing tmp file and having full permission so its clear that its owned by root and can be run by root and this is what we want
I learned a lot from this machine.
You can download this vulnhub machine from here -> https://www.vulnhub.com/entry/skydog-1,142/
So, lets start the writeup solution
===================================================================
ATTACKING IP: 192.168.56.130
VICTIM IP: 192.168.56.131
First starting with my keepnote screenshot
=================================================================
Ok,So i DIVIDE this section into ->
- FLAG 1
- FLAG 2
- FLAG 3
- FLAG 4
- FLAG 5
- FLAG 6
=================================================================
First lets see about Flags INSTRUCTIONS
=================================================================
Goal of Sky Dog Con CTF
The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.
Flags
The six flags are in the form of flag{MD5 Hash} such as
The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.
Flags
The six flags are in the form of flag{MD5 Hash} such as
flag{1a79a4d60de6718e8e5b326e338ae533
- Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
- Flag #2 When do Androids Learn to Walk?
- Flag #3 Who Can You Trust?
- Flag #4 Who Doesn't Love a Good Cocktail Party?
- Flag #5 Another Day at the Office
- Flag #6 Little Black Box
===================================================================
Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
First start from netdiscover and arp command to get host info
netdiscover -r 192.168.56.0/24
I got IP -> 192.168.56.131
Now next step to get MAC ADDRESS
arp-scan -l
So we got MAC ADDRESS ->
00:0c:29:30:9d:9b
MASSCAN
masscan --interface eth0 --router-mac 00-0c-29-30-9d-9b --wait 30 --rate 100000 -p0-65535 192.168.56.131
Result --->
Discovered open port 22/tcp on 192.168.56.131
Discovered open port 80/tcp on 192.168.56.131
Now NMAP to get more info about PORTS
NMAP
nmap -A -sV -sS -p80,22 192.168.56.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.57 seconds
So PORTS -> 80,22 open which is HTTP,SSH respectively
I noted down this in my keepnote
As HTTP Open so first start to browse website
When i open I saw this
Ok lets figure out source-codes,comments,robots.txt,and grab directories and this is usually basic steps to do while pentesting as ENUMERATION ENUMERATION and ENUMERATION is the essential for every pentester to get more information about TARGET
Also as that web page have an image file so just save that file and then using exiftool command examine that image file
We got our first Flag
flag{abc40a2d4e023b42bd1ff04891549ae2} -> Welcome HomeI crack that Using online decoding
Flag #2 When do Androids Learn to Walk?
Androids hmm may be directories of androids. Lets check directories
First using nikto
2nd i checked robots.txt
GOT 2nd flag in robots.txt
flag{cd4f10fcba234f0e8b2f60a490c306e6} ---> Bots
flag{cd4f10fcba234f0e8b2f60a490c306e6} ---> Bots
Flag #3 Who Can You Trust?
Trust ? hmm lets figure it out
trust can be related to Security
In security there is one word "Never trust Any forms of Inputs wheteher it is Client-Side or Server-Side
I check this -> /Setec/ directory ---> http://192.168.56.131/Setec/
trust can be related to Security
In security there is one word "Never trust Any forms of Inputs wheteher it is Client-Side or Server-Side
I check this -> /Setec/ directory ---> http://192.168.56.131/Setec/
TOO MANY SECRETS
hmm OK
Lets check its source code
view-source:http://192.168.56.131/Setec/
In terms of Trust i got this
Now i got this from above source code
Got http://192.168.56.131/Setec/Astronomy/ directory
I noted down it and checked
I downloaded Whistler.zip file and checked
Password hmm don't know password ? Lets figure it out. Till now what i got is i tried that as password but failed. Then using google i got to know password cracker for zip file -> fcrackzip
First i do man fcrackzip to know about this
Then i used it after understand it
Ok we got our 3rd FLAG :D
- flag{1871a3c1da602bf471d3d76cc60cdb9b} --> yourmother
Flag #4 Who Doesn't Love a Good Cocktail Party?
Cocktail Party hmm
Remember that Whistler.zip file? Other than flag.txt file there was another file -> QuesttoFindCosmo.txt
now I read QuesttoFindCosmo.txt file
So it saying about OSINT
cat QuesttoFindCosmo.txtTime to break out those binoculars and start doing some OSINT
So it saying about OSINT
Now really interesting part comes.
OSINT so its mean we have to use gather information from out source
I checked my notes again and got this from source code of
"NSA-Agent-Abbott"; AKA Darth Vader
Lets GOOGLE about this
- http://192.168.56.131/Setec/
"NSA-Agent-Abbott"; AKA Darth Vader
Lets GOOGLE about this
I got this result ---->
After reading this i got this --->
1992 Sneakers NSA Agent Bernard Abbott
Oooohhh Sneakers
So now time is to get more information from that movie Sneakers
I again google about
Then i got this ->
www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt
http://www.imdb.com/title/tt0105435/trivia
1992 Sneakers NSA Agent Bernard Abbott
Oooohhh Sneakers
So now time is to get more information from that movie Sneakers
I again google about
- "sneakers john earl jones coktail party"
Then i got this ->
www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt
http://www.imdb.com/title/tt0105435/trivia
Ok now what to do ?
Might be genrate wordlists of those two resources
I googled this ->
List of kali linux tools to generate wordlists and i got to know about
cewl and crunch
Reading tutorial of crunch not so promosing for me
so i choose cewl now. Now how to use it ? Using man command ofcourse
Might be genrate wordlists of those two resources
I googled this ->
List of kali linux tools to generate wordlists and i got to know about
cewl and crunch
Reading tutorial of crunch not so promosing for me
so i choose cewl now. Now how to use it ? Using man command ofcourse
First using man command i got to know about cewl
CeWL (Custom Word List generator) is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper. Optionally, CeWL can follow external links.
CeWL can also create a list of email addresses found in mailto links. These email addresses can be used as usernames in brute force actions
CeWL can also create a list of email addresses found in mailto links. These email addresses can be used as usernames in brute force actions
cewl --depth 1 http://www.imdb.com/title/tt0105435/trivia -w /root/Desktop/wordlists/imdb_skydog_wordlist_snickers.txt
When i used that command then very very very long waiting and no response
Then i use 2nd command and got quick response
cewl --depth 1 www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt -w /root/Desktop/wordlists/script_skydog_wordlist_snickers.txt
Now after got result i confused what to do with these wordlists now ?
What bruteforce now ? We have no login details till now and i already cracked zip file so what to do now ?
Then a thought came to my mind why not bruteforce for more directories ?May be we get another secrets reveal ?
So lets use dirb again
What bruteforce now ? We have no login details till now and i already cracked zip file so what to do now ?
Then a thought came to my mind why not bruteforce for more directories ?May be we get another secrets reveal ?
So lets use dirb again
Ok now what
Just check that new directory
Now that directory --> 192.168.56.131/PlayTronics/ have two things
1. companytraffic.pcap file
2. flag.txt
Now we got these two details on those directories
one is FLAG and one is companytraffic.pcap
i checked flag and got our 4th flag
cat flag.txt
After decode from online hash cracker it becomes -->
- flag{c07908a705c22922e6d416e0e1107d99}
- flag{c07908a705c22922e6d416e0e1107d99} -> leroybrown
Ok now i noted this "leroybrown" in my keepnote
Now its time for 5th Flag now :D
Flag #5 Another Day at the Office
Now i read that pcap file ---> companytraffic.pcap
I know i can use wireshark to read pcap file but as a pentester or can say researcher we always getting this tip ->
"We should know various ways to do same task"
Like there is tcpdump , tcpick, tshark too for same task
So i google now -> various ways to read pcap file
I got many results like ->
https://github.com/caesar0301/awesome-pcaptools
http://bikulov.org/blog/2012/11/03/tools-for-tracing-a-pcap-file-in-linux-bash/
https://www.blackbytes.info/2012/01/four-ways-to-extract-files-from-pcaps/
http://www.lovemytool.com/blog/2010/05/wireshark-and-tshark-decrypt-sample-capture-file-by-joke-snelders.html
So many new things i learned while reading those above resources
I downloaded chaosreader and used it
First about Chaosreader -->
Now just open that pcap file in wireshark and figuring out it
Then FOLLOW TCP STREAM
I got this interesting ->
GET /8Q3zbtBpxOHb.128.mp3?
A mp3 file. So does it contain clue or hint for next step ? Yes Lets download it
Now how to download it ? There is a way for this just see this
Click on -> File -> Export Objects -> HTTP
and then i saved that mp3 file as audio.mp3
OK now lets listen it
Its saying this
Hi, my name is Werner Brandes. My voice is my password. Verify me.
So i google about this and got this youtube
https://www.youtube.com/watch?v=-zVgWpVXb64
So now what i did is just saved that name
Also in that video that person using "Werner Brandes" 's voice to access something
Now i thought what to do with this ? So i checked my notes to get more clue might be i am missing something..
I just checked my user details and then thought as i got many user information why not try to use these username as SSH to get connect
Should i also use that Werner Brandes to connect SSH ? May be
Then i made usernames.txt file and password.txt file and used three things to crack SSH Login information
Though i had clue about that name werner brandes but i still made those files
1. First hyrdra
2. Second msfconsole -> ssh login module
3. Patator and i loving it since i got to know about this
Before using these 3 tools i first sharing my usernames list here which i saved same as password.txt
Mean both file have same names
Hydra
MSFCONSOLE
So we got ->
username -> wernerbrandes
password -> leroybrown
Now lets use same ssh cracking using patator
PATATOR
patator ssh_login host=192.168.56.131 user=FILE0 0=/root/Desktop/wordlists/usernames.txt password=FILE1 1=/root/Desktop/wordlists/passwords.txt --max-retries 0 -x ignore:time=0-3
REALLY patator is very awesome and i am liking it very much
so wernerbrandes:leroybrown is the username and password
In future i will make script for get clean output from patator results sure and google is the main source for this
Now lets use SSH to get connection
password -> leroybrown
Awesome we got in :D
Awesome we got our 5th FLAG -->
flag{82ce8d8f5745ff6849fa7af1473c9b35}
After decode ---> Dr. Gunter Janek
Flag #6 Little Black Box
black box ? does it mean testing black box type ? Mean more enumeration. Just take time in privilege escalation
PRIVILEGE ESCALATION
Now using cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
wernerbrandes:x:1001:1001:Werner Brandes,,,:/home/wernerbrandes:/bin/bash
nemo another home user hmm
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
wernerbrandes:x:1001:1001:Werner Brandes,,,:/home/wernerbrandes:/bin/bash
nemo another home user hmm
Then check first /var/www/html directory
And very important thing i got ->
CongratulationsYouDidIt <---- wow got it may be flag there ?
No but there is mp4 file ---->
No but there is mp4 file ---->
So i tried a lot of times to download that file and in last i finally succeed
This is nothing just a Karate Kid movie mp4 video file
I wrote a c file for exploit [all right all right i have an privilege escalation text file and there is little script for that purpose]
When i going to save then error came which was related to writable.
Mean we now have to find writable path
FIND WRITABLE PATH
wernerbrandes@skydogctf:/$ find / -writable -type f 2>/dev/null | more
/lib/log/sanitizer.py
/proc/sys/kernel/ns_last_pid
/proc/1/task/1/attr/current
/proc/1/task/1/attr/exec
/proc/1/task/1/attr/fscreate
/proc/1/task/1/attr/keycreate
/proc/1/task/1/attr/sockcreate
/proc/1/attr/current
/proc/1/attr/exec
/proc/1/attr/fscreate
/proc/1/attr/keycreate
/proc/1/attr/sockcreate
/proc/2/task/2/attr/current
/proc/2/task/2/attr/exec
/proc/2/task/2/attr/fscreate
/proc/2/task/2/attr/keycreate
/proc/2/task/2/attr/sockcreate
/proc/2/attr/current
/proc/2/attr/exec
/proc/2/attr/fscreate
/proc/2/attr/keycreate
/proc/2/attr/sockcreate
/proc/3/task/3/attr/current
FIND <--- this is command to find files/directories in kali linux. And there is many options like type,exec,file,writable etc etc
/lib/log/sanitizer.py
/proc/sys/kernel/ns_last_pid
/proc/1/task/1/attr/current
/proc/1/task/1/attr/exec
/proc/1/task/1/attr/fscreate
/proc/1/task/1/attr/keycreate
/proc/1/task/1/attr/sockcreate
/proc/1/attr/current
/proc/1/attr/exec
/proc/1/attr/fscreate
/proc/1/attr/keycreate
/proc/1/attr/sockcreate
/proc/2/task/2/attr/current
/proc/2/task/2/attr/exec
/proc/2/task/2/attr/fscreate
/proc/2/task/2/attr/keycreate
/proc/2/task/2/attr/sockcreate
/proc/2/attr/current
/proc/2/attr/exec
/proc/2/attr/fscreate
/proc/2/attr/keycreate
/proc/2/attr/sockcreate
/proc/3/task/3/attr/current
FIND <--- this is command to find files/directories in kali linux. And there is many options like type,exec,file,writable etc etc
/ <----- This is root PATH mean we are finding our desire thing in main root path
-writable <--- we are finding writable path
-type <--- type is using which type of file we are looking for like regular file,symbolic file,exe file etc
f <-- The type of file we are looking for REGULAR FILE
2>/dev/null <-- Without using this we get our desire result too but with many errors like Access Denied.But when we use this command then that Access Denied Command surpass to /dev/null and we not see errors on output
NOW
I got very interesting file -> /lib/log/sanitizer.py
I got very interesting file -> /lib/log/sanitizer.py
So a python file. what does it saying ?
Its actually removing files from tmp directory
Lets check its permission ->
Its actually removing files from tmp directory
Lets check its permission ->
ls -la /lib/log/sanitizer.py
-rwxrwxrwx 1 root root 96 Oct 27 2015 /lib/log/sanitizer.py
full permission 😮
also as this file removing tmp file and having full permission so its clear that its owned by root and can be run by root and this is what we want
So now use this as for advantage for ROOT ACCESS
ROOT ACCESS TIME
So we have to modify that python file so that we gain root access
Google -> using python to get root privileges
So here i googled a lot and not get desire result so
Privilege Escalation to get ROOT is the only part where i stucks many times.
Lets take help now for the first time from writeups
So i will wrote every method here which i took help from other writeups
METHOD 1
By changing this path we are giving maximum permissions to /bin/sh
THEN ->
So finally cracked it :D
NOTE: also can use /bin/dash in place of /bin/sh
Now time for 2nd METHOD
METHOD 2
cat /etc/issue && uname -a
Ubuntu 14.04.3 LTS \n \l
Linux skydogctf 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Google about 14.04 exploit i got this -> https://www.exploit-db.com/exploits/39166/
i downloaded it using
wget https://www.exploit-db.com/download/39166/
Then
Now we have to transfer this file to victim machine
For this First ->
Then Second ->
Finally we now again root with this simple METHOD 😀
Now time for method 3
METHOD 3
Now in this method we now again modify that python script
Then run file
Meanwhile run netcat
And we got root :D Impressive
Just google about python code to understand more.
Its just use reverse connection
Now its final Method 4 time yeaaahhhhhhhh
METHOD 4
Herw what i did is I add the user wernerbrandes to sudoers: so that we gain root access
The run it and wait for sometime
And boom awesome we root again now
FROM ALL 4 THOSE METHODS WE GOT FINAL FLAG :D
- flag{b70b205c96270be6ced772112e7dd03f}
After decode it --> CongratulationsYouDitIt
So now we have all 6 Flags
EXTRA/Bonus
I also got another thing to read pcap file using google. And this is what i got -->
https://github.com/DanMcInerney/net-creds
net-creds <-- this is also use for capture pcap file
I downloaded it using
- git clone https://github.com/DanMcInerney/net-creds.git
Then
./net-creds.py -p /root/Desktop/pcapfile/companytraffic.pcap
[192.168.2.223] GET cf-media.sndcdn.com/8Q3zbtBpxOHb.128.mp3?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiKjovL2NmLW1...
Great and so simple
Google -> using python to get root privileges
So here i googled a lot and not get desire result so
Privilege Escalation to get ROOT is the only part where i stucks many times.
Lets take help now for the first time from writeups
So i will wrote every method here which i took help from other writeups
METHOD 1
THEN ->
NOTE: also can use /bin/dash in place of /bin/sh
cat /etc/issue && uname -a
Ubuntu 14.04.3 LTS \n \l
Linux skydogctf 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Google about 14.04 exploit i got this -> https://www.exploit-db.com/exploits/39166/
i downloaded it using
wget https://www.exploit-db.com/download/39166/Then
For this First ->
Just google about python code to understand more.
Its just use reverse connection
The run it and wait for sometime
And boom awesome we root again now
- flag{b70b205c96270be6ced772112e7dd03f}
https://github.com/DanMcInerney/net-creds
- git clone https://github.com/DanMcInerney/net-creds.git
SUMMARY OF FLAGS ---> CongratulationsYouDidIt
Thanks for reading.Hope you also learned as i too learned
In last i want to say thanks to @jamesbower to make such awesome machine for us so that we learn and to vulnhub where all machines hosting for us so that we learn more and develop skills in penetration testing and in last thanks to others who post writeup/walkthrough so that every beginners learn
Thanks 😊
0 comments:
Post a Comment