Becoming the Ultimate Pentester: Mastering the Art of Penetration Testing with Pentester Club

Welcome to Pentester Club! In this video, we are thrilled to present to you an opportunity to enhance your penetration testing skills to a mastery level, ultimately making you the king of the field. Join us on this transformative journey as we guide you through the art of penetration testing, equipping you with the tools and techniques required to become the ultimate pentester.

At Pentester Club, we believe in pushing boundaries and exceeding limits. Our comprehensive training program delves deep into the intricacies of penetration testing, covering everything from the fundamentals to advanced methodologies. With our industry-leading instructors and hands-on exercises, you’ll gain invaluable expertise and practical experience.

Mastering the art of penetration testing requires a strong foundation in network security, vulnerability assessment, ethical hacking, and much more. Throughout this course, we leave no stone unturned, exploring the latest attack vectors and defense mechanisms. By the end, you will possess the knowledge and skills needed to excel in this dynamic and ever-evolving field.

Why choose Pentester Club? Not only do we provide top-notch training materials, but we also foster a tight-knit community of likeminded individuals. Interact and collaborate with fellow aspiring and seasoned professionals, sharing insights, tips, and tricks. Together, we can push the boundaries of what’s possible in the world of penetration testing.

Are you ready to take your penetration testing skills to new heights? Join us at Pentester Club and become the ultimate pentester! Don’t miss out on this remarkable opportunity to unlock your true potential in the field.

vikings walkthrough vulnhub writeup security

Identify the target

Firstly, I found out the IP address of the target machine.

fping -aqg 10.0.0.0/24
The IP address of the target is 10.0.0.22

Scan services on target

Next, I scanned the open ports on the target so that I could get the information about the exposed services.

nmap -v -T4 -p- -sC -sV -oN nmap.log 10.0.0.22
Nmap scan results

From the nmap scan result, we can see that there is directory browsing enabled. Thus, let’s check the content of /site.

Enumerate the webserver

The page looks as follows and it doesn’t have any important information.

The page /site

Thus, I did the enumeration of the directories.

gobuster dir -r -u http://10.0.0.22/site/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x txt,php,html -o dir-common.log
The gobuster result

The path has another path that has a base64 encoded long text. This gives us an idea that the text might belong to a binary.

/war.txt
/war-is-over has a base64 encoded text

Thus, I decoded this to a file as follows.

curl http://10.0.0.22/site/war-is-over/ | base64 -d > output
file output
The decoded text gives a zip file

We can see from the screenshot above that the encoded text is the content of a zip file. When I opened the file, I saw that this has a file named king that is protected by a password.

The zip is password-protected

So, I used zip2john and john the ripper to crack the password.

zip2john output > hash
john hash --wordlist=/home/kali/rockyou.txt
The password of the zip is cracked

This successfully cracked the password of the zip file. Thus, I can now extract the file that is an image.

Extracted image

Now, I have to extract data from this image. Interestingly, I could do this using binwalk.

binwalk -e king
cd _king.extracted

There is a file ‘user’ inside the extracted directory that gives us the password to a user on the same file.

Username and password of a user

Next, I logged in as the user floki.

SSH shell of the user floki

We can see that the user floki belongs to the group lxd and this directly gives us access to the root user. However, I won’t be doing this and if you want to learn more, search my other writeups with the keyword ‘lxd’. Here, I am going to go the intended way.

Escalate to user ragnar

There is another user ragnar on the machine that has the user flag. So, this gives us an idea to pawn the user ragnar. Now, when I checked the directory, we have a file readme.txt that has the following content.

I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere. 
I need to create this `boat` to find Ragnar

Furthermore, when I checked the same directory, I saw a file “boat” that looks as follows.

Hint in the file boat

From the file boat, we see that we have to find printable characters from collatz conjecture of a number. This is a very interesting conjecture and its domain is positive numbers. Since this hasn’t been proved or disproved (for all positive numbers), it is an unsolvable problem. Anyway, this works till the number 2 to the power 68. According to the conjecture, for a positive odd number n, we have to perform the next calculation as n = 3n + 1. Similarly, for a positive even number, it should be n = n / 2. Doing this iteration, we will reach number 1 and we can stop.

So, here, we have to find the collatz conjecture of the 29th prime number i.e. 109. For this, I wrote a simple python script.

The python script to print decimal integers of the series

The script that I created will print all the numbers that are less than 256 (ASCII) based on the conjecture. After this, I could send the numbers to Cyber Chef to get the password of the user ragnar.

python3 collatz.py | xclip -sel clip
Password of the user ragnar

Now that I have the password, I could log into the SSH server.

SSH shell of the user ragnar

Finally, I could log into the shell of the user ragnar. Also, note here that it asks password as a part of sudo access.

Root privilege escalation

Up to this, we got the shell of the user ragnar. The shell type isn’t a bash shell. So, I first spawned a bash shell for the user.

SHELL=/bin/bash script -q /dev/null

Earlier, we saw that the shell prompt for the password. This happens when commands are stored in user profiles, i.e. .profile, .bashrc, .bash_profile, /etc/profile, etc. Hence, I checked the file .profile and found a command.

.profile shows a command

Although the user doesn’t have any sudo permissions, the author might have put this to let us know that a rpyc server is running on the machine. Hence, I checked the listening TCP connections.

netstat -tnlp
TCP connections

Upon searching the internet, I got that the rpyc_classic is the unsafest option for RPC. Thus, we can execute any commands as the user root using this.

I copied my SSH public key to authorized_keys in the current directory. Next, I copied the authorized_keys to the .ssh directory of the root. Then, I created a simple python script.

import rpyc

def getshell():
    import os
    os.system("mkdir -p /root/.ssh; chmod 700 /root/.ssh; cp /home/ragnar/authorized_keys /root/.ssh/authorized_keys") 

conn = rpyc.classic.connect("localhost")

fn = conn.teleport(getshell)
fn()

Next, I ran the script.

The script copies the authorized_keys to the .ssh directory of root

Now, I logged into the SSH server as root.

Root shell

Comments

One response to “Becoming the Ultimate Pentester: Mastering the Art of Penetration Testing with Pentester Club”

  1. I wonder how much work goes into creating a website this excellent and educational. I’ve read a few really good things here, and it’s definitely worth saving for future visits.

Leave a Reply

Your email address will not be published. Required fields are marked *