Initial Enumeration Having located the VM on 192.168.189.129, we run an nmap scan to see what port action is available: No known vulnerabilities for the services were found. Taking the ports one at a time: 21/ftp anonymous FTP access is allowed: PUT and MKDIR are not allowed: 550 Permission denied Server is anonymous only so no root, or other user, access allowed 22/SSH external ssh appears to be allowed 80/HTTP Website found: Dirb finds files and listable directories: [email protected]:~/temp# dirb http://192.168.189.129 ----------------- DIRB v2.22 By The Continue Reading
VulnHub VM: Stapler
This has turned out to be quite a fun box to attack because it has multiple ways in and supposedly multiple escalation methods too. I prefer this sort of CTF to the ones where they hide passwords in Base64 encoded jpgs in the page source and that sort of thing. This is less of a puzzle/game and more realistic, albeit an unrealistically badly configured security setup. N.B. when I write these up, I write as I'm doing it so it's not a carefully edited walk-through as such but more of a record (for myself) as to what I did, as I did and the thought-processes which I'm hoping to Continue Reading
Kioptrix2014
I'm intending to start the OSCP course in the nearish future and wanting to give myself the best possible chance of success with it, I'm doing some more CTFs. I found this list of supposedly relevant CTFs: https://medium.com/@a.hilton83/oscp-training-vms-hosted-on-vulnhub-com-22fa061bf6a1 Top of the list is Kioptrix: 2014. Enumeration Booting up the VM you're presented with a bare login page with no info to be gleaned. I've put the machine on a host-only network of 10.0.0.0/24 and I can see the IP it's bound in the info on the boot screen. A basic nmap gives Continue Reading
LazySysAdmin 1 – revisited
In this post https://neilsec.com/ctf/vulnhub-lazysysadmin-1-ctf-attempt/ I had a crack at the LazySysAdmin VM from VulnHub and found the hidden flag. However it seemed a bit odd/easy to just enumerate some website directories and find a password, whilst ignoring all the Wordpress and myphpadmin bits. So I thought I'd have another look at it to see if there were other ways of rooting the box. Back to Wordpress So going back to the Wordpress site, I had a go at the login page using the credentials. WPSCAN had earlier told us that Admin was a valid username and so I tried the database Continue Reading