Monday, November 19, 2012

Lab 6 Kioptrix Level 3

Information Gathering



Service Enumeration

Based on the nmap output, I found some open ports, such as port 22 (ssh) and 80 (http).

Vulnerability Assessment

Here I try to inject the login form, but it does not work.



So I try to go to http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos
and then I try to inject the id parameter.


Exploit

Here I use sqlmap to inject the web page:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos" -p id --dbs --level=3 --risk=4 --threads=8



Here I found three databases.
So I will use the database gallery to see what tables are available.


I found seven tables, so I will dump the table dev_accounts.


Here I found loneferret's password. So I try to use it to log in via SSH.
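As an added defensive example (not code from the original post), the following Python scans web-server access-log lines for the kind of requests the sqlmap run above produces against the gallery.php id parameter: the sqlmap User-Agent string and SQL tokens in a parameter that should only ever be numeric. The log lines, timestamps and client IP are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache combined-format log lines (not taken from the original post).
SAMPLE_LOG = """\
192.168.56.1 - - [19/Nov/2012:10:01:02 +0700] "GET /gallery/gallery.php?id=1&sort=photoid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.1 - - [19/Nov/2012:10:01:05 +0700] "GET /gallery/gallery.php?id=1%27%20AND%20SLEEP%285%29--%20&sort=photoid HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.1 - - [19/Nov/2012:10:01:06 +0700] "GET /gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--&sort=photoid HTTP/1.1" 200 6100 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.1 - - [19/Nov/2012:10:02:00 +0700] "GET /gallery/gallery.php?id=2&sort=photoid HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Tokens that never belong in a numeric id: quotes, comment markers, SQL keywords, timing functions.
SQLI_RE = re.compile(
    r"('|\"|--|#|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s+\d+=\d+)", re.I
)

def is_suspicious_param(value):
    """A numeric id should be digits only; anything else carrying SQL tokens is flagged."""
    v = unquote_plus(value)
    if v.isdigit():
        return False
    return bool(SQLI_RE.search(v))

def scan_log(text, numeric_params=("id",)):
    """Return (client ip, path, reasons) for each log line that looks like SQL injection probing."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["path"])
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
        reasons = []
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap user-agent")
        for p in numeric_params:
            for val in qs.get(p, []):
                if is_suspicious_param(val):
                    reasons.append(f"SQL tokens in '{p}' parameter")
        if reasons:
            alerts.append((m["ip"], parts.path, sorted(set(reasons))))
    return alerts
```

Matching on the User-Agent alone is weak (it is trivially changed), so the parameter check is the part worth keeping in a real rule.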



It works; I successfully entered the server.
I also found an interesting file in this folder.



We can see that there is newly installed software for editing, creating, and viewing files, and that to use it we should run the command 'sudo ht'. I guess this software is an editor.
So I try to use it to view /etc/shadow.


And I try to change the root password to loneferret's password.


And it works; I'm root now.



Alhamdulillah ....:D

Saturday, November 17, 2012

Lab 5 Kioptrix Level 2



Information Gathering





Service Enumeration

Based on the nmap output, I found some open ports, such as port 22 (ssh), 80 (http), 111 (rpcbind), 443 (ssl/http), 631 (ipp), and 3306 (mysql).

Vulnerability Assessment

Here I try to inject the login form, and it works.


I am directly redirected to the Administrative web console.

Exploit

So I try to use the command execution attack vector.
Here I try to see the kernel information.

Now I know that the server uses kernel 2.6.9, so I try to see /etc/passwd and /etc/shadow, but it does not work for ;cat/etc/shadow.



Then I search for a local exploit for kernel 2.6.x, and after that I copy it to /var/www/.





Then I download it to the /tmp directory on the target machine and compile it.

We can see that the exploit file (9545.c) compiled successfully. So I execute it.

But I'm still apache. At this point I need to find a way to get into the server, and then I will execute the exploit from within the server. So I type a netcat command to listen on port 1234.


Then I connect via netcat by typing nc 192.168.56.101 1234. After that, I execute the exploit (rooting).



We can see that our exploitation has succeeded, and I'm root now.

Alhamdulillah.... :D

Tuesday, November 13, 2012

Lab 4 De-ICE v1.0 (2.100)

Information Gathering
Here I use netdiscover to scan the network on interface vboxnet1:
root@bt:~# netdiscover -i vboxnet1 -r 192.168.0.0/16



So we got two IPs: 192.168.2.100 and 192.168.2.101.
Then I scan the target IPs using nmap.



I also scan using nikto.




Open the web page to see the content.




Service Enumeration

Based on the nmap output for IP 192.168.2.100, I found some open ports, such as port 21 (ftp, anonymous FTP login allowed), 22 (ssh), 25 (smtp), 80 (http), 110 (pop3), and 143 (imap). On IP 192.168.2.101, I found port 80 (http).

With nikto on IP 192.168.2.100, I found the directory icons and the files index.php and info.php. On IP 192.168.2.101 I found the directory icons and /~root/, and it allowed browsing root's home directory.

On the web page (IP 192.168.2.100) I found some names.
On IP 192.168.2.101 I just found some files.


Vulnerability Assessment

I've tried to enter through FTP, but I could not access it.


Based on the nikto information, I try to access the ~root directory, and I guess there are some user directories.
So I will make a list of users based on the information that I found on the web page, and I save it with the name user.


Exploit
Here I use dirbuster to look for directories and files; it will also scan using my user list.


And I found some interesting directories (~pirrip, ~magwitch, and ~havisham).
Then I use nikto again to see any directories and files that exist in the directory ~pirrip:

root@bt:/pentest/web/nikto# ./nikto.pl -host http://192.168.2.101/~pirrip/ -Display 1



I found a hidden folder .ssh/,
so I open it in the browser.


I found the private and public SSH keys for pirrip. So I download them, save them to the directory ./ssh (on my BackTrack), and then change the permissions. Then I enter the system via SSH.


So I was in the system, and I try to access /etc/passwd and /etc/shadow to see root's password.


I have a problem because permission was denied, and I also don't know pirrip's password. So I explore some folders to search for information, and I found an interesting file in /var/mail/. Here I found pirrip's mail.


And at the end of the message, I found pirrip's password.


So I try to gain root access using pirrip's password, but it does not work. So I type sudo -l to see the list of commands that may be run.


Here vi is allowed, so I use it to see /etc/shadow. Then I will use JtR to crack the password.


Waiting for JtR to crack the password takes too long, so I try to change the root password to pirrip's password.


Then I gain root access.
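Both the Kioptrix 3 step ('sudo ht' used to open /etc/shadow) and the De-ICE step above (sudo -l shows vi, which is then used the same way) come down to the same sudoers mistake: letting a user run an editor as root hands over every file on the box. The following Python is an added audit example (not code from the original post or from either VM) that parses sudoers-style rules and flags that pattern; the sudoers content, user names and paths are constructed.

```python
import re

# Constructed sample /etc/sudoers content (not from the original post or either VM).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
loneferret ALL=(ALL) NOPASSWD: /usr/local/bin/ht
pirrip  ALL=(ALL) /usr/bin/vi, /sbin/ifconfig
alice   ALL=(ALL) sudoedit /etc/motd
bob     ALL=(ALL) /usr/bin/systemctl restart nginx
"""

# Programs that, run as root, let the caller open or rewrite any file (or spawn a shell),
# so a rule naming them grants full root no matter what it was meant to allow.
FILE_EDITORS = {"vi", "vim", "view", "nano", "ht", "ed", "emacs", "less", "more"}

# user  host=(runas) [NOPASSWD:] cmd[, cmd...]   (aliases, Defaults and #include are not handled)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

def parse_sudoers(text):
    """Return (user, runas, nopasswd, [commands]) for each user rule; comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds_field = m["cmds"]
        nopasswd = cmds_field.startswith("NOPASSWD:")
        if nopasswd:
            cmds_field = cmds_field[len("NOPASSWD:"):]
        cmds = [c.strip() for c in cmds_field.split(",") if c.strip()]
        rules.append((m["user"], m["runas"], nopasswd, cmds))
    return rules

def audit_sudoers(text):
    """Return (user, command, finding) for rules that hand out root via ALL, an editor, or NOPASSWD."""
    findings = []
    for user, runas, nopasswd, cmds in parse_sudoers(text):
        if user == "root":
            continue
        for cmd in cmds:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted root"))
            elif base in FILE_EDITORS:
                findings.append((user, cmd, "editor as root can read/write /etc/shadow; use sudoedit"))
            if nopasswd and cmd != "ALL":
                findings.append((user, cmd, "NOPASSWD"))
    return findings
```

The sudoedit rule for alice is the fix the audit recommends: it edits a copy as the user and only the named file is written back as root.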


I was root. Based on the previous challenge, we have to get information about bank accounts or credit cards, so I try exploring some folders again, and I found a zip file in /root/.save. So I unzip it, but the file is still compressed with tar, so I uncompress it again and found an interesting file, which is a mail text (Jan08).
Here I use cat to see the content, and I found data about raises for their team.



Alhamdulillah ... :D

Friday, November 09, 2012

Lab 3 De-ICE v1.0 (1.110)

Information Gathering

Here I will use nmap to scan the network.





Service Enumeration

Based on the picture, I found 2 hosts: 192.168.1.20, which is my IP, and 192.168.1.110, which is the target IP. I also found some open ports, such as port 21 (ftp), 22 (ssh), 80 (http), and 631 (ipp).

Vulnerability Assessment

Based on the Information Gathering, we can see that on port 21 (ftp) we can log in as anonymous, and there are two folders (downloads and incoming).




Then I download the file core and use strings to see its content.



I found something like /etc/shadow at the end of the core file, so I crack it using John the Ripper to log in via SSH.
Here I cut out the part of the core file that I will crack, shaped like a shadow file, and then crack it.





I successfully cracked it; I found the password for root and the password for the other user.
So I try to log in through SSH as the other user, not root, because in this lab we can't enter as root. But don't worry, we can gain root using the other user because we have the root password. :D


I successfully gained root, but the hint on the web page says we have to get the customer credit cards, so I search for them in every folder. After searching every folder, I found them in the folder home/root/.save/, using the command ls -a to show all folders, because the folder .save is hidden.


I also found the key to open the file customer_account.csv.enc, because the file is encrypted using openssl. So I run it, and don't forget to set the -d option to decrypt it.


It works and I successfully decrypted the file. Now we can see the customers' credit cards.

Alhamdulillah ... :D