Exploitation of Vulnhub: hackNos 3

This article describes the process of exploiting the hackNos 3 target environment downloaded from Vulnhub. I have included all the necessary screenshots, which will help you understand the methodology easily. Wherever needed I have added the required description; still, if you have more things to add or questions that are not clear, do let me know in the comments section.

Download the target environment from Vulnhub and import it into your VirtualBox or VM player setup.

How to Exploit?

1. Log in to Kali and identify the IP address; from the IP address we get information about the network IP schema. Using this information I started the host discovery.

Enumeration using Nmap:

2. With the target IP identified, let’s start the enumeration with Nmap. The scan results showed two open ports, 22 and 80.

3. Port 80 was found to be running the Apache web server, so I checked from the browser what application is hosted, and it was nothing more than a single HTML page.

4. So the next move was to enumerate directories under the root web directory.

5. With the directory names available, I tried browsing around and found two applications under the two directories.

6. I tried different functionalities but was unable to find any breakthrough, so I turned to Nikto for some more information.

I tried my best to use the available information to move forward, but had no luck.

Note: The change in IP is due to a network configuration change from host-only to NatNetwork. It has no impact on exploitation methods.

7. One thing identified from the Nikto scan was the admin directory in “websec”, so I tried accessing it through the browser. It prompted me for a username and password; I tried a few guesses but had no luck.

8. So I decided to brute force the login. The first requirement is a good wordlist, and what better than one generated from the application.

9. As observed from the login page, the username must be an email ID and, going by common logic, one with the application domain “@hacknos.com”. So I created two copies of the wordlist, one with the email ID format as the username and the other as the password. I fed this data to the multiheaded beast “hydra”, and it never fails you: “hail hydra!!!”

10. Using the credentials I logged in to the application and browsed through the different functionalities on offer, and I found one functionality a bit interesting: the ‘file manager’.

11. The file manager allowed me to see all the files present and modify them.

12. I went back to generate a reverse TCP payload using ‘msfvenom’, copied it into the ‘index.php’ file on the web server and saved the file.

13. Now it is time to run the exploit handler locally and then invoke the reverse shell connection from the web server.

14. After landing a meterpreter shell, it was time to look around for further clues.

Moving around the directories, I landed on our first flag.

Post-Exploitation (Privilege Escalation):

15. The next target was to move forward in order to escalate privileges, which led to the search for our next clue.

With a bit of searching online, I found a way to decode the fake spreadsheet.

16. Using this password it was time to switch user. Once switched, I checked what rights this user has.

17. It can be seen that the user has permission to run all commands. So that’s it: with ‘sudo -i’ we have root privileges, and there lies our final flag.
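
Step 17 turns on a sudo rule that lets the account run any command, so a single recovered password is equivalent to root. As an added example (not part of the original write-up), the following Python script parses `sudo -l` output during an audit and flags such rules; the sample output, the user and host names, and the severity labels are constructed assumptions.

```python
import re

# Constructed sample of `sudo -l` output; user and host names are placeholders.
SAMPLE = """\
Matching Defaults entries for appuser on labhost:
    env_reset, mail_badpass

User appuser may run the following commands on labhost:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (backup) /usr/bin/rsync
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")  # e.g. NOPASSWD:, SETENV:

def parse_rules(text):
    """Return one dict per rule listed after the 'may run' header line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        # Runas is "users" or "users : groups"; keep only the user list.
        users = [u.strip() for u in m["runas"].split(":")[0].split(",")]
        rest, tags = m["rest"], []
        while (t := TAG.match(rest)):
            tags.append(t[1])
            rest = rest[t.end():]
        cmds = [c.strip() for c in rest.split(",")]  # naive: no escaped commas
        rules.append({"runas": users, "tags": tags, "commands": cmds})
    return rules

def findings(rules):
    """Flag rules that amount to root: any command, as root or as any user."""
    out = []
    for r in rules:
        as_root = bool({"ALL", "root"} & set(r["runas"]))
        if as_root and "ALL" in r["commands"]:
            sev = "critical" if "NOPASSWD" in r["tags"] else "high"
            out.append((sev, "unrestricted: any command as root"))
        elif as_root and "NOPASSWD" in r["tags"]:
            out.append(("medium", "passwordless root command: " + ", ".join(r["commands"])))
    return out

if __name__ == "__main__":
    for severity, message in findings(parse_rules(SAMPLE)):
        print(severity, message)
```

Rules flagged as unrestricted are the ones to replace with an explicit command list, so that a reused or leaked password no longer grants a root shell.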

I hope you will find this write-up helpful in understanding the approach towards similar environments. Let me know if you have something to add.
