Posts

Showing posts from July, 2016

Vulnhub Stapler1

Vulnhub Stapler 1.0 Writeup. All information can be found on www.vulnhub.com. Summary: 1. information gathering; 2. host exploitation via a reverse shell; 3. privilege escalation. After booting the downloaded VM we are left at the system's login prompt. Since we don't know the IP address, we use arp-scan to find it; here the IP is 172.16.194.138 (the VM is on a NAT network). Knowing the IP, the next step is an nmap scan to see what the host exposes; here ports 80, 666, 3306 and 12380 look interesting. I tried port 80 first, but could not get anything more out of it, so I tried HTTPS on port 12380, which seems to have more content. As usual, check whether /robots.txt exists, and luckily it does; it lists two paths. The first is /admin112233, which only shows a pop-up and redirects to another page. Next I tried /blogblog and found really interesting stuff there, is...

Vulnhub Milnet writeup

Milnet exploitation. All information can be found on www.vulnhub.com, and there are some awesome walkthroughs there :P Goal: attack this machine and get root privileges on it. Summary: 1. information gathering; 2. exploitation by redirecting the target to our own payload; 3. privilege escalation. After downloading and booting it, the VM login screen already shows its IP address, so we can skip arp-scan. If you want to use two VMs as attacker and victim, make sure they can talk to each other (same subnet): attach both to the same interface on your host. Then start information gathering with an nmap scan; this time I use the -A option, which can be run without root privileges. Ports 22 and 80 are open. First we start with port 80 (HTTP). Entering the IP address in a browser shows the web page, but it doesn't look like it holds anything important, so we run dirb from Kali Linux. Based on its wordlist, it goes through the paths and checks whether there's any w...

Metasploitable by Rapid 7

Metasploitable by Rapid 7. A deliberately vulnerable VM that can be exploited from Kali with Metasploit. Start with an nmap scan to learn which ports are open. The first attack is on port 21 (FTP, vsftpd 2.3.4, not SSH): logging in with a username that ends in ":)" triggers the backdoor, which starts listening on port 6200. Next, telnet to port 6200 gives a direct shell on Metasploitable. The IRC service (UnrealIRCd on port 6667) carries a similar backdoor and can be exploited directly with Metasploit. The ingreslock service on port 1524 is a bind shell: telnet to it and you are logged in with root privileges directly. Using the Samba "username map script" vulnerability, Metasploit can attack the system directly without first planting a backdoor program.

Vulnhub SickOs1

CTF Writeup: SickOs 1. All resources can be found on www.vulnhub.com. Use arp-scan to get the target's IP, then nmap to scan the target. We find port 3128 open; the next step is nikto, to check whether there is anything vulnerable behind it. We found Shellshock, which can be used in the attack, and we also found a /robots.txt file. Since port 3128 is a proxy server, I configure Firefox to use it as its proxy on port 3128 and browse to localhost, which gives a landing page. Based on the nikto output, we request localhost/robots.txt and get /wolfcms, so I go to this /wolfcms page and find a website. For Wolf CMS the admin page URL is /?/admin, and a good first guess for username/password is admin/admin. Once through the login page, the next step is to find a place where we can upload a reverse shell that connects back to my host, and the Files folder allows uploads. This time I use php-reverse-shell.php as the upload, sent through the proxy on 3128; it also needs chmod 777 ...
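Every writeup above opens the same way: find the host, run nmap, then pick the next step per open port (browse HTTP and fetch /robots.txt, proxy through 3128, try FTP anonymous login, and so on). The script below is an added example and not code from any of the posts: it parses nmap's greppable output (`-oG`) into open ports per host and prints the follow-up each writeup took for that kind of service. The scan text and the two hosts are constructed to resemble the Stapler and SickOs scans; the `NEXT_STEPS` table is my own summary of the posts, not an nmap feature.

```python
"""Triage nmap -oG (greppable) output into open ports and suggested next steps."""
import re
from typing import Dict, List

# Constructed sample of `nmap -sV -oG -` output, made up for this example to
# resemble the scans in the posts above; not taken from the original writeups.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated Sat Jul  2 10:00:00 2016 as: "
    "nmap -sV -oG - 172.16.194.138 172.16.194.140\n"
    "Host: 172.16.194.138 ()\tStatus: Up\n"
    "Host: 172.16.194.138 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.8 or later/, "
    "22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4/, "
    "80/open/tcp//http//PHP cli server 5.5 or later/, "
    "139/filtered/tcp//netbios-ssn///, 666/open/tcp//doom?///, "
    "3306/open/tcp//mysql//MySQL 5.7.12-0ubuntu1/, "
    "12380/open/tcp//http//Apache httpd 2.4.18/"
    "\tIgnored State: closed (993)\n"
    "Host: 172.16.194.140 ()\tStatus: Up\n"
    "Host: 172.16.194.140 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/, "
    "3128/open/tcp//http-proxy//Squid http proxy 3.1.19/"
    "\tIgnored State: closed (998)\n"
    "# Nmap done at Sat Jul  2 10:01:00 2016 -- 2 IP addresses (2 hosts up)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORTS_RE = re.compile(r"\tPorts:\s+([^\t]*)")

# What the writeups above did next once a service of this kind showed up
# (an editorial summary, not part of nmap).
NEXT_STEPS = {
    "http": "browse it, fetch /robots.txt, then brute-force paths with dirb/nikto",
    "http-proxy": "set the browser to proxy through it and request localhost",
    "ftp": "try anonymous login and check for writable directories",
    "ssh": "record the banner; retry with any credentials found elsewhere",
    "mysql": "try blank/default credentials and any found in web config files",
}


def parse_open_ports(gnmap: str) -> Dict[str, List[dict]]:
    """Return {ip: [{port, proto, service, version}, ...]} for open ports only."""
    hosts: Dict[str, List[dict]] = {}
    for line in gnmap.splitlines():
        host = HOST_RE.match(line)
        ports = PORTS_RE.search(line)
        if not host or not ports:
            continue  # comment lines and "Status: Up" lines carry no port data
        entries = []
        for item in ports.group(1).split(", "):
            # Field layout: port/state/proto/owner/service/rpcinfo/version/
            # nmap writes any '/' inside version strings as '|', so splitting is safe.
            f = item.split("/")
            if len(f) < 7 or f[1] != "open":
                continue  # skip filtered/closed entries and malformed items
            entries.append({"port": int(f[0]), "proto": f[2],
                            "service": f[4], "version": f[6]})
        hosts.setdefault(host.group(1), []).extend(entries)
    return hosts


def suggest_next_steps(hosts: Dict[str, List[dict]]) -> List[str]:
    """One suggestion line per open port, ordered by host then port."""
    out = []
    for ip, entries in hosts.items():
        for e in sorted(entries, key=lambda e: e["port"]):
            label = f"{e['service']} {e['version']}".strip()
            action = NEXT_STEPS.get(
                e["service"], "unknown service: grab a banner with nc and look it up")
            out.append(f"{ip}:{e['port']} ({label}) -> {action}")
    return out


if __name__ == "__main__":
    for line in suggest_next_steps(parse_open_ports(SAMPLE_GNMAP)):
        print(line)
```

Feed it a real scan with `nmap -sV -oG scan.gnmap <target>` and read the file instead of `SAMPLE_GNMAP`; the filtered port 139 in the sample is dropped on purpose, since only open ports were acted on in the writeups.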