the wall

Tools:

netdiscover
Nmap
Wireshark
Netcat
Wfuzz
Nikto
Hash-identifier
Hashcat
Steghide

Vulnerabilities:

Use netdiscover to detect target IP address

netdiscover -i eth0 -r 192.168.41.0/24

[title manually exploit [alt text]]

192.168.41.162 is the target.

Then run nmap to detect opening ports and running services on the target machine.

nmap -sV -v -O -A -T5 192.168.41.162 -p-

However, no port is opening.

use wireshark to check the traffic

[title manually exploit [alt text]]

find the target send packet to TCP port 1337 in my Kali.

nc -nlvp 1337

[title manually exploit [alt text]]

nothing cool shows.

rerun nmap, find port 80 is opening now

[title manually exploit [alt text]]

I use wfuzz and nikto and find nothing.

[title manually exploit [alt text]]

The webpage just show a image. check the source code:

[title manually exploit [alt text]]

find an interesting string. 737465673d3333313135373330646262623337306663626539373230666536333265633035

use Hash-identifier cannot figure out what’s encode type. Finally, I find it is hex encode in hackbar. Hex decode to character, get

steg=33115730dbbb370fcbe9720fe632ec05

use Hash-identifier to find out 33115730dbbb370fcbe9720fe632ec05 is a MD5

[title manually exploit [alt text]]

use hashcat to crack it.

hashcat hash.txt /usr/share/wordlists/rockyou.txt

[title manually exploit [alt text]]

get password is divisionbell

Now I want to check the image to see if there is any hiden information

steghide extract -p divisionbell -sf pink_floyd.jpg

get the result:

[title manually exploit [alt text]]

U3lkQmFycmV0dA==|f831605ae34c2399d1e5bb3a4ab245d0 is very interesting. | separates the string into two parts.

U3lkQmFycmV0dA== is base64 encoded, decode it, SydBarrett

f831605ae34c2399d1e5bb3a4ab245d0 is MD5. crack it.

[title manually exploit [alt text]]

its pinkfloydrocks

now what, remember enumerate, enumerate and enumerate.

rerun nmap again,

[title manually exploit [alt text]]

port 1965 is opening and running ssh

[title manually exploit [alt text]]

shows This service allows sftp connections only

use sftp to login

sftp -P 1965 SydBarrett@192.168.41.162

check the files

sftp> ls -ahl

[title manually exploit [alt text]]

check the file eclipsed_by_the_moon

[title manually exploit [alt text]]

tar zxvf eclipsed_by_the_moon

foremost -v -i eclipsed_by_the_moon.lsd

[title manually exploit [alt text]]

got a jpg file. Roger Waters

open it

[title manually exploit [alt text]]

and his password is hello_is_there_anybody_in_there

based on previous username SydBarrett, Roger Waters user name should be RogerWaters

ssh RogerWaters@192.168.41.162 -p 1965

[title manually exploit [alt text]]

check sticky bit set

find / -perm -u=s -type f -user DavidGilmour 2>/dev/null
find / -perm -u=s -type f -user NickMason 2>/dev/null
ls -al /usr/local/bin/shineon 
ls -al /usr/local/bin/brick

[title manually exploit [alt text]]

/usr/local/bin/brick has sticky bit set.

run it

/usr/local/bin/brick

[title manually exploit [alt text]]

Bob1Bob2

Pen Test Notes

Tools:

Vulnerabilities: