my machine1 Vuln Walkthrough

cool

Information Gathering

The target IP address is provided when the machine is deployed.

Target:<target-ip>

#Enum/Recon

Command used: nmap -A <machine IP>

From the nmap scan result we came to know that three ports are open and they are, 21/tcp ftp,22/tcp ssh and 23/tcp telent. Let’s go ..

There are 3 ports open :
21/ftp — vsftpd 3.0.3,23/telent — Linux telnetd
22/ssh — OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
OS detected — Linux

So far so good!! Let’s start enumerating the services. First up is FTP. We will do FTP as user ‘anonymous’ and upon password prompt, we will insert ‘anonymous’. It will allow us to log in to FTP anonymously as it is allowed.

ftp <target-ip>

I will start by investigating the FTP port (21). According to our portscan, Anonymous login is allowed:

Anonymous FTP login allowed

So let’s see what is on the FTP server:

ftp 9.9.9.9
Anonymous

Gaining Access:

Now that we have a ssh and telnet and some credentials we can try brute-forcing this with Hydra:

Hydra:

Hydra is a brute force online password cracking program; a quick system login password ‘hacking’ tool.

We can use Hydra to run through a list and ‘bruteforce’ some authentication service. Imagine trying to manually guess someones password on a particular service (SSH, Web Application Form, FTP or SNMP) — we can use Hydra to run through a password list and speed this process up for us, determining the correct password.

Hydra has the ability to bruteforce the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMP

command: hydra -l userr.txt -P pass.txt ssh://target-ip

sudo hydra -L userr.txt -P password.txt ssh://100.16-.0.1=8 -t 4

Now connect via SSH:

ssh jk@192.168.0.128

We will use ssh to gain an initial shell and obtain the user.txt flag:

Privilege Escalation

To check which commands we can run with root privileges we can run:

sudo -l

Great! We can run the ALL Utilities with root privileges.

We can take advantage of this to spawn a root shell, then grab the contents of the root.txt file to complete this CTF:

sudo bash 
sudo /bin/bash
sudo apt-get changelog apt
!/bin/sh
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/shftp
!/bin/sh

telnet:

Gaining Access:

Now that we have a ssh and telnet and some credentials we can try brute-forcing this with Hydra:

Hydra:

Hydra is a brute force online password cracking program; a quick system login password ‘hacking’ tool.

We can use Hydra to run through a list and ‘bruteforce’ some authentication service. Imagine trying to manually guess someones password on a particular service (SSH, Web Application Form, FTP or SNMP) — we can use Hydra to run through a password list and speed this process up for us, determining the correct password.

sudo hydra -L userr.txt -P password.txt telnet://192.168.0.128
telnet 192.168.0.128

please everyone join my telegram channel :https://t.me/hackerwheel

Hackerwheel
Change the world
https://t.me/hackerwheel

happy hacking……….

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
jagadeesh

CTF-PLAYER, security analyst, Pentesting, vapt, digital forensics