Pentesterclub!

The Road to Cybersecurity Firm Success!

admin

ยท

Welcome to our video discussing the journey to success for cybersecurity firms! In this video, we dive into the steps and strategies that top-level organizations can take to stay proactive in cybersecurity measures.

As cyber threats continue to evolve, cybersecurity firms play a crucial role in protecting businesses from potential attacks. By understanding the unique challenges that organizations face, cybersecurity firms can tailor their solutions to effectively address these issues.

Join us as we explore the various aspects of becoming a successful cybersecurity firm, from developing cutting-edge technologies to implementing robust security measures. We will also discuss the importance of staying ahead of the curve in the ever-changing landscape of cybersecurity.

Whether you are a seasoned professional in the cybersecurity industry or a top-level organization seeking protection, this video provides valuable insights to help you navigate the road to success in the cybersecurity sector.

Don’t miss out on the latest trends and strategies for cybersecurity firm success โ€“ hit the subscribe button and stay tuned for more informative content!

Identify the target machine

Firstly, I identified the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Next, I scanned open ports on the target machine so that I would get the knowledge of the exposed services.

nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.63

Here, we see three web services and one FTP service. Likewise, we also see a filtered port 22.

Enumerate port 80

The default page didnโ€™t give me anything.

However, the source contained a base64 encoded text at the end of the page.

The decoded text gave us morse code which we can decode using Cyber Chef.

Here, we got the first flag.

Bruteforce directory

For the next flag, I enumerated the directory on port 80.

gobuster dir -u http://10.0.2.63 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir-80.log

I found a path that had a Wireshark packet capture file and a text file.

And, I also downloaded the capture file. From the note above, the one who smells like death refers to Creed. Similarly, it also says that he has a weak password. Upon opening the capture file, we see the FTP password of the user creed.

But it didnโ€™t allow me to log in. Meanwhile, we get another path in the gobuster scan.

On that path, we see a document.

The document has the third flag (ours second). Also, the document says that Creed has added a three-digit number at the end of the password. So, I wrote a python script to create a wordlist.

with open("wordlist.txt", "w") as file:
    for i in range(1000):
        file.write(f"creed{i:03}\n")

After I ran the python script, I got a wordlist โ€œwordlist.txtโ€ as follows.

Then, I did the bruteforce once again.

hydra -l creed -P wordlist.txt 10.0.2.63 ftp
lftp -u creed,creed223 10.0.2.63

On the reminder file, we see a hint for the next step. Upon searching the internet for a reference with the same line, we redirect to season 7 episode 9. And, there is a reference to the password which I have snipped below.

So, the password of the zip is โ€œbigboobzโ€.

The files had a note and an encrypted SSH private key.

Here, the note said that the private key belongs to angela and the passphrase is one of her catsโ€™ names. I checked the names from the link below.

https://theoffice.fandom.com/wiki/Angela%27s_cats

However, we saw in the Nmap scan results that the SSH port is filtered. Therefore, we have to unlock the port. In most of the case, we see the use of the binary knock for this purpose.

Enumerate port 18888

On the website, we see a reference to angela once again. Next, I scanned the directories.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://10.0.2.63:18888/FUZZ" -of html -o dir-18888.html -fs 0

On the admin page, we see a login form as follows.

I fired up burp suite for bruteforcing the password. Since we know the email is โ€œangela@dundermifflin.comโ€, and the password is one of her cats, we can use Burp Suite intruder. In the intruder, I set the position as follows.

And, I manually added the catsโ€™ names from the fandom page.

Lastly, I started the attack.

The cat Crinklepuss redirected and the length is different from others. So, we got the password.

The settings of the Koken CMS revealed the version of it. This version suffers from the following exploit.

https://www.exploit-db.com/exploits/48706

I followed the instructions to get the reverse shell. I listened on port 9001.

nc -nlvp 9001

Finally, I got access to a shell.

Next, I improved the shell using the following link.

Upgrade to an intelligent reverse shell

Unlock the filtered port

On the /var/www/html directory, there is a hint directory.

Inside the directory, we have an index.html file.

It asked us to find the difference between the images. Thus, I downloaded the images to my machine.

wget http://10.0.2.63/_hint_/knockknock1.jpg
wget http://10.0.2.63/_hint_/knockknock2.jpg
wget http://10.0.2.63/_hint_/knockknock3.jpg

After I downloaded the images, I looked at the exiftags of all images. Luckily, I got something on the second image.

exiftool knockknock2.jpg

Using the numbers 5000, 7000 and 9000, we can unlock the ssh port.

knock 10.0.2.63 5000 7000 9000

After doing the above command, I ran Nmap scan on port 22.

nmap -v -T4 -sC -sV -p22 10.0.2.63

Getting SSH shell access

Previously, we had found an encrypted SSH private key named michael. So, we can guess that that belongs to the same user. Thus, I moved forward to cracking the passphrase of it. Also, I had downloaded ssh2john.py for python3 into the home directory of my machine.

python3 ~/ssh2john.py michael | tee michael-hash

Next, I cracked the hash using the file โ€œrockyou.txtโ€.

john michael-hash --wordlist=/home/kali/rockyou.txt

It gave us the passphrase. So, I changed the permissions of the private key and logged into the SSH service.

chmod 600 michael
ssh michael@10.0.2.63 -i michael

The shell is a restricted bash. So, I overcame the restrictions as follows.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We got the next flag on the directory.

Find unexplored flags

On the /var/www/html2/secret directory, we got one missed flag.

When I checked the sudo permissions, I found out that the user can execute some scripts as all users.

sudo -l

But before this, letโ€™s get another flag that is situated in MySQL server.

cat /var/www/koken/storage/configuration/database.php

Using these configurations, we can log into the database server.

mysql -ukokenuser -p -D kokendb

That table contained our fifth flag. So, we got all of the first 7 flags. Since we only have one flag left, we can proceed towards root privilege escalation.

Coming back to the sudo permissions, we donโ€™t see any files inside creedโ€™s home directory starting with โ€œdefuseโ€.

However, we can log into the FTP server using creedโ€™s credentials and try executing it as root. I created a file โ€œdefuse.shโ€ on my local machine with the following content.

#!/bin/bash
bash -i

However, I couldnโ€™t make it executable. So, I checked the permissions on the configuration file /etc/vsftpd.conf.

Since itโ€™s editable by everyone, we can enable the chmod command.

Now, we have to restart the service which we donโ€™t have access to. Therefore, I had to restart the virtual machine. Next, I had to unlock the service once again. Similarly, I had to log in as michael and overcome the restricted bash.

And, I didnโ€™t get any errors while changing the permissions in the FTP client.

Then, I executed the script as the user root.

sudo -u root /home/creed/defuse.sh

Finally, I got the last flag.

Leave a Reply

Your email address will not be published. Required fields are marked *