
ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are in every major security; you just need to understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to change everything, like mindset and goals.


PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

  • TryHackMe Badbyte Infiltrate BadByte and help us to take over root

     


     

    Badbyte (https://tryhackme.com/room/badbyte) covers several important aspects of penetration testing: the value of thorough enumeration, hash cracking, port forwarding, web exploitation and privilege escalation. First, start your pentesting machine and connect to the TryHackMe network over OpenVPN, then deploy the room's machine.



    Reconnaissance


    First, perform a traditional port scan with nmap or rustscan; this walkthrough uses nmap. One of the services sits on a high, non-standard port that a default scan of the top 1000 ports may miss, so scan the full range (nmap -p- <target IP>). The output of that single scan answers all four questions in this task.



    1) How many ports are open?

    Ans :- 2 ports are open.



    2) What service is running on the lowest open port?

    Ans :- Lowest port is 22. So, the service running there is SSH.

     

     


     



    3) What non-standard port is open?

    Ans :- The only non-standard port is 30024.



    4) What service is running on the non-standard port?


    Ans :- FTP is running on that port instead of the usual port 21.





    Foothold


    So we know that FTP and SSH services are running on the machine. Let us try to log in to FTP as the anonymous user.



    We can log in to FTP as anonymous without a password. Listing the directory shows two files, id_rsa and note.txt; download both (get id_rsa and get note.txt at the ftp> prompt).



    1) What username do we find during the enumeration process?


    When looking at the note.txt, we can find out the username as “errorcauser”.

    Ans :- errorcauser








    John the Ripper is an open-source password auditing and password recovery tool available for many operating systems.

    To crack the passphrase of an SSH private key, first convert the key into a hash that john understands with the ssh2john script (it ships with Kali Linux; run locate ssh2john to find it):

    • python3 /path/to/ssh2john.py id_rsa > id_rsa.hash

    Then run john against the hash with a wordlist:

    • john --wordlist=/path/to/wordlist id_rsa.hash

    Once the passphrase is cracked, restrict the key's permissions (ssh refuses to use a key that is readable by other users) and log in with it:

    • chmod 600 id_rsa
    • ssh -i id_rsa errorcauser@<target IP>

    2. What is the passphrase for the RSA private key?

    The id_rsa file we downloaded is an encrypted SSH private key, so a passphrase is needed before it can be used. After converting it with ssh2john, john recovers the passphrase quickly with its default wordlist (or a common one such as rockyou.txt).

    Ans :- cupcake




    Port Forwarding

    With the passphrase we can log in over SSH as errorcauser using the downloaded key. The task asks for dynamic port forwarding, so add the -D flag with a local port (this walkthrough uses 1337): ssh -i id_rsa -D 1337 errorcauser@<target IP>. Our first login attempt produced an error; the fix was to use the key with -i and to enter the cracked passphrase (not the hash produced by ssh2john) at the prompt, after which the login as errorcauser succeeds. The -D flag opens a SOCKS proxy on 127.0.0.1:1337 on our machine that tunnels connections through the target, which is how we reach services bound only to the target's loopback interface.

    Next, point proxychains at that proxy. Open the proxychains configuration on your pentesting machine (/etc/proxychains.conf, or /etc/proxychains4.conf on recent Kali releases) with nano, comment out the default line socks4 127.0.0.1 9050, and add socks5 127.0.0.1 1337 at the end of the [ProxyList] section.

    Then run a port scan of the target's loopback interface through the proxy: proxychains nmap -sT -Pn 127.0.0.1. A SOCKS proxy only carries complete TCP connections, so use a connect scan (-sT) and skip host discovery (-Pn); every probe is a separate tunnelled connection, so the scan is slow and it is worth limiting the port range.

    After some time, the scan lists the ports open on localhost. Having found the web server's port, set up local port forwarding to it with SSH's -L flag: ssh -i id_rsa -L 8080:127.0.0.1:80 errorcauser@<target IP>.

    Here the remote port is 80 (found by the nmap scan) and the local port is 8080; supply the same passphrase we cracked earlier. From now on, http://127.0.0.1:8080 on our machine reaches the target's internal web server.
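    The pivot described above, as an added example that is not part of the original walkthrough: it patches the proxychains configuration the way the text describes, builds the ssh -D, proxychains nmap and ssh -L command lines, and explains why the nmap flags are what they are. The username errorcauser, key file id_rsa and ports 1337/8080/80 come from the walkthrough; the target address is a placeholder.

```python
"""Helpers for the SSH pivot used above: patch proxychains.conf, then build the
ssh -D (SOCKS) and ssh -L (local forward) command lines and the nmap scan that
runs through the proxy. Added example, not the walkthrough's own code.
Assumed values: user errorcauser, key file id_rsa, SOCKS port 1337, local
port 8080; the target address is a placeholder."""
import shlex
from typing import List

SOCKS_PORT = 1337        # port added to proxychains.conf in the walkthrough
LOCAL_WEB_PORT = 8080    # local side of the -L forward
REMOTE_WEB_PORT = 80     # web server found on the target's loopback


def patch_proxychains(conf_text: str, socks_port: int = SOCKS_PORT) -> str:
    """Return proxychains.conf with every active socks4 entry commented out
    and a socks5 entry for our ssh -D listener appended (once)."""
    lines = []
    for line in conf_text.splitlines():
        # The stock file ends with "socks4 127.0.0.1 9050" (a Tor default);
        # leaving it active would chain through a proxy that is not running.
        stripped = line.lstrip()
        if stripped.startswith("socks4 ") or stripped.startswith("socks4\t"):
            lines.append("# " + line)
        else:
            lines.append(line)
    entry = f"socks5 127.0.0.1 {socks_port}"
    if entry not in lines:
        lines.append(entry)
    return "\n".join(lines) + "\n"


def ssh_dynamic_forward(user: str, host: str, key: str,
                        socks_port: int = SOCKS_PORT) -> List[str]:
    """ssh -i key -D port user@host : SOCKS proxy on 127.0.0.1:port through the target."""
    return ["ssh", "-i", key, "-D", str(socks_port), f"{user}@{host}"]


def ssh_local_forward(user: str, host: str, key: str,
                      remote_port: int = REMOTE_WEB_PORT,
                      local_port: int = LOCAL_WEB_PORT) -> List[str]:
    """ssh -i key -L local:127.0.0.1:remote user@host : 127.0.0.1:local on our
    box is relayed to the target's own loopback port."""
    return ["ssh", "-i", key, "-L", f"{local_port}:127.0.0.1:{remote_port}", f"{user}@{host}"]


def proxychains_nmap(ports: str = "1-10000") -> List[str]:
    """Connect scan of the target's loopback via the SOCKS proxy. A SOCKS proxy
    relays only full TCP connections, so -sT is mandatory (SYN scans and ICMP
    pings cannot pass through it) and -Pn skips the ping that would fail."""
    return ["proxychains", "nmap", "-sT", "-Pn", "-p", ports, "127.0.0.1"]


def as_shell(argv: List[str]) -> str:
    """Render an argv list as a copy-pasteable command line."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    target = "10.10.10.10"  # placeholder
    print(as_shell(ssh_dynamic_forward("errorcauser", target, "id_rsa")))
    print(as_shell(proxychains_nmap()))
    print(as_shell(ssh_local_forward("errorcauser", target, "id_rsa")))
```

    The -D session must stay open while the proxychains scan runs, and the -L session must stay open for as long as anything on our machine needs the internal web server; running each in its own terminal is the simplest arrangement.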


    1) What main TCP ports are listening on localhost?


    From the scan output we can see that, apart from the SSH port, ports 80 and 3306 are also listening on localhost.

    Ans :- 80, 3306


    2. What protocols are used for these ports?


    http and mysql services are running on those ports.


    Ans :- http, mysql



    Web Exploitation


    Port 80 being open tells us there is a web application bound to the target's loopback. Browse to the forwarded port on your own machine, http://127.0.0.1:8080, to see it.






     
    1) What CMS is running on the machine?


    Looking at the page source and the paths it references, the site is built with WordPress.

    Ans :- wordpress





     

     

     

    2. Can you find any vulnerable plugins?
    You can use the nmap script http-wordpress-enum against the forwarded port (127.0.0.1:8080) to list the installed plugins and their versions.

    Ans :- No answer needed





    We are given an output as follows as the result of above enumeration.




    Searching each plugin name and version for known vulnerabilities gives the answers to the following questions.




    3. What is the CVE number for directory traversal vulnerability?

    Ans :- CVE-2020-11738

    This is the Duplicator plugin flaw: its download endpoint lets an unauthenticated visitor read arbitrary files from the server.

    4. What is the CVE number for remote code execution vulnerability?

    Ans :- CVE-2020-25213

    This is the File Manager plugin flaw: an exposed connector script accepts unauthenticated file uploads, so an attacker can drop a PHP file and execute code.



    5. There is a metasploit module for the exploit. You can use it to get the reverse shell.

    In msfconsole, search for the File Manager exploit (searching by CVE number, search cve:2020-25213, finds it).

    Set RHOSTS to 127.0.0.1 and RPORT to 8080, because the vulnerable site is reached through our local port forward, set LHOST to your tun0 IP, and run the exploit. The SSH session holding the -L tunnel must stay open while the module runs, and the target must be able to reach your tun0 address for the reverse connection. If everything works you are dropped into a meterpreter session.







    6. What is the name of user that was running CMS?

    Give the command “whoami” and you will be able to find the username.

    Ans :-  cth



    7. What is the user flag?


    In the user’s home directory, you can find the user flag.

    Ans :-  THM{227906201d17d9c45aa93d0122ea1af7}






    Privilege Escalation



    As for now, we have a low privileged shell. But, we need to escalate our privileges in order to obtain the root flag.




     

    1) What is the user’s old password?


    Browsing the file system, we come across /var/log/bash.log, a log of shell commands that is readable by our low-privileged user. Just cat the log file: a password typed on the command line was recorded in it.

    Ans :-  G00dP@$sw0rd2020


     

     
     
     
     

    2) What is the root flag?

    The password from the log is the user's old one, so the current password has to be guessed. The room's hint is that the old password was configured last year, and it is no longer last year, so the change is a small and obvious one. As we must use SSH for this step, log in as the user over SSH with the new password, switch to root (the user is allowed to, for example with sudo su, entering the same password), change into root's home directory and read the root flag.

    Ans :- THM{ad485b44f63393b6a9225974909da5fa}
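    The guess above is a standard credential-reuse pattern (same password, year bumped). As an added example, not part of the original walkthrough, here is a small mutator that turns an old password into the list of candidates a practitioner would try; the sample passwords in it are constructed and are not the ones from the room.

```python
"""Candidate generation for the 'same password, newer year' guess in this
step. Added example, not the walkthrough's code; the sample passwords are
constructed and are not the ones from the room."""
import re
from datetime import date
from typing import List, Optional

# A four-digit year (19xx or 20xx) that is not part of a longer digit run.
YEAR_RE = re.compile(r"(?<!\d)(?:19|20)\d{2}(?!\d)")


def year_variants(old_password: str, up_to_year: Optional[int] = None) -> List[str]:
    """Return old_password with its embedded year bumped to every later year
    up to up_to_year (default: this year). Empty if there is no year to bump."""
    up_to = up_to_year if up_to_year is not None else date.today().year
    found = YEAR_RE.search(old_password)
    if found is None:
        return []
    head, tail = old_password[:found.start()], old_password[found.end():]
    return [f"{head}{year}{tail}" for year in range(int(found.group(0)) + 1, up_to + 1)]


def candidate_list(old_passwords: List[str], up_to_year: Optional[int] = None) -> List[str]:
    """Combine variants for several leaked passwords, keeping order and dropping duplicates."""
    seen, out = set(), []
    for pw in old_passwords:
        for cand in year_variants(pw, up_to_year):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    # Constructed sample: a password leaked in 2018, tried against a 2021 system.
    for candidate in candidate_list(["Summer2018!"], 2021):
        print(candidate)
```

    Feed the output to ssh (or hydra) only against a system you are authorised to test, and keep the list short: the whole point of this pattern is that a handful of guesses suffices, so it never needs to look like a brute-force attack.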




  • How websites work via live practical

    How websites work


    To exploit a website, you first need to know how they are created.

    By the end of this room, you'll know how websites are created and will be introduced to some basic security issues.

    When you visit a website, your browser (such as Safari or Google Chrome) sends a request to a web server asking for the page you want to see, and the server responds with data that your browser uses to display the page. A web server is just a dedicated computer somewhere else in the world that handles such requests.









    There are two major components that make up a website:    

     

    • Front End (Client-Side) - the way your browser renders a website.
    • Back End (Server-Side) - a server that processes your request and returns a response.


     

    There are many other processes involved when your browser makes a request to a web server, but for now you just need to understand that you make a request to a server and it responds with data that your browser uses to render the page.

     

    1) What term describes the way your browser renders a website? 

    Ans :- Front End






    Task 2 HTML


    Websites are primarily created using:

     

    •     HTML, to build websites and define their structure
    •     CSS, to make websites look pretty by adding styling options
    •     JavaScript, implement complex features on pages using interactivity


     

    HyperText Markup Language (HTML) is the language websites are written in. Elements (also known as tags) are the building blocks of HTML pages and tell the browser how to display content. A simple HTML document (shown as an image in the original post) has a structure that is the same for every website:

     

     


     

     



     

    The HTML structure has the following components:

     

    • The <!DOCTYPE html> defines that the page is a HTML5 document. This helps with standardisation across different browsers and tells the browser to use HTML5 to interpret the page.
       
    • The <html> element is the root element of the HTML page - all other elements come after this element.
       
    • The <head> element contains information about the page (such as the page title)
       
    • The <body> element defines the HTML document's body, only content inside of the body is shown in the browser.
       
    • The <h1> element defines a large heading
       
    • The <p> element defines a paragraph

     

    There are many other elements (tags) used for different purposes. For example, there are tags for: buttons (<button>), images (<img>), lists, and much more.

    Tags can contain attributes such as the class attribute, which can be used to style an element (e.g. make the tag a different colour): <p class="bold-text">, or the src attribute, which is used on images to specify the location of an image: <img src="img/cat.jpg">. An element can have multiple attributes, each with its own purpose, e.g. <p attribute1="value1" attribute2="value2">.

     

    Elements can also have an id attribute (<p id="example">), which must be unique on the page. Unlike the class attribute, which many elements can share, no two elements may have the same id. Element ids are used for styling and for JavaScript to find a specific element.



    You can view the HTML of any website by right clicking, and selecting "View Page Source" (Chrome) / "Show Page Source" (Safari).





    1) Let's play with some HTML! On the right-hand side, you should see a box that renders HTML - If you enter some HTML into the box, and click the green "Render HTML Code" button it will render your HTML on the page; you should see an image of some cats.

    Ans :- No answer needed



    2) One of the images on the cat website is broken - fix it and the image will reveal the hidden text answer!


    Ans :- HTMLHERO



    3) Add a dog image to the page by adding another img tag (<img>) on line 11. The dog image location is img/dog-1.png


    Ans :- DOGHTML






    Task 3 JavaScript


    JavaScript (JS) is one of the most popular coding languages in the world and allows pages to become interactive. HTML is used to create the website structure and content, while JavaScript is used to control the functionality of webpages - without JavaScript a page would not have interactive elements, and would always be static. JS can dynamically update the page in real-time, giving functionality to change the style of a button when a particular event on the page occurs (such as when a user clicks a button), or to display moving animations.


    JavaScript is added within the page source code and can be either loaded within <script> tags or can be included remotely with the src attribute: <script src="/location/of/javascript_file.js"></script>



    The following JavaScript code finds a HTML element on the page with the id of "demo" and changes the element's contents to "Hack the Planet" : document.getElementById("demo").innerHTML = "Hack the Planet";



    HTML elements can also have events, such as "onclick" or "onmouseover", that execute JavaScript when the event occurs. The following code changes the text of the element with the demo ID to Button Clicked: <button onclick='document.getElementById("demo").innerHTML = "Button Clicked";'>Click Me!</button> - onclick handlers can also be attached from inside the JavaScript script tags rather than on the element directly.




    1) Click the "View Site" button on this task. On the right-hand side, add JavaScript that changes the demo element's content to "Hack the Planet"

    Ans :- JSISFUN




    2) Add the button HTML from this task that changes the element's text to "Button Clicked" to the editor on the right, update the code by clicking the "Render HTML+JS Code" button and then click the button.




     

     

    Task 4 Sensitive Data Exposure


    Sensitive Data Exposure is when a website doesn't properly protect (or remove) sensitive clear-text information to the end-user; usually found in the frontend source code of sites.


    We now know that websites are built from many HTML elements (tags), all of which we can see simply by viewing the page source. A developer may have forgotten to remove login credentials, hidden links to private parts of the website or other sensitive data from the HTML or JavaScript.

     





     

     

    Sensitive information can be potentially leveraged to further an attacker's access within different parts of a web application. For example, there could be HTML comments with temporary login credentials, and if you viewed the page's source code and found this, you could use these credentials to login elsewhere on the application (or worse, used to access other backend components of the site).


    Whenever you're assessing a web application for security issues, one of the first things you should do is review the page source code to see if you can find any exposed login credentials or hidden links.
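    Reviewing source by eye is fine for one page; for a whole site it helps to automate the first pass. The following is an added example, not part of the room, that parses a page with Python's standard html.parser and flags the leftovers described above: credential-looking text in HTML comments, hidden form fields, links hidden with CSS, and secrets in inline scripts. The page it scans (SAMPLE_PAGE) is constructed for illustration, and the keyword list in SECRET_RE is an assumption you would extend for a real review.

```python
"""Review page source for the leftovers this section describes: credentials in
HTML comments, hidden form fields, hidden links and secrets in inline scripts.
Added example, not the room's code; SAMPLE_PAGE is constructed for illustration."""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# keyword followed by : or = and a value, e.g. password=hunter2 or apiKey: "abc"
SECRET_RE = re.compile(r"(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*(\S+)", re.I)

SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Login</title></head>
<body>
<!-- temporary credentials for QA: username=admin password=testpasswd -->
<form action="/login" method="post">
  <input type="hidden" name="debug_token" value="abc123">
  <input name="user"><input name="pass" type="password">
</form>
<a href="/admin/backup.zip" style="display: none">old backup</a>
<script>var apiKey = "sk-live-0000";</script>
</body></html>"""

Finding = Tuple[str, str, str]  # (where, name, value)


class SourceReviewer(HTMLParser):
    """Collects findings while the parser walks the page."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._in_script = False

    def _scan_text(self, where: str, text: str) -> None:
        for m in SECRET_RE.finditer(text):
            self.findings.append((where, m.group(1).lower(), m.group(2).strip("\"';,")))

    def handle_comment(self, data: str) -> None:
        # Comments are invisible in the rendered page but sit in the source.
        self._scan_text("comment", data)

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.findings.append(("hidden-input", a.get("name", ""), a.get("value", "")))
        if tag == "a" and "display:none" in a.get("style", "").replace(" ", "").lower():
            self.findings.append(("hidden-link", a.get("href", ""), ""))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._in_script = False

    def handle_data(self, data: str) -> None:
        if self._in_script:
            self._scan_text("script", data)


def review_source(page_html: str) -> List[Finding]:
    """Parse a page and return everything worth a second look."""
    reviewer = SourceReviewer()
    reviewer.feed(page_html)
    reviewer.close()
    return reviewer.findings


if __name__ == "__main__":
    for where, name, value in review_source(SAMPLE_PAGE):
        print(f"{where:13} {name:18} {value}")
```

    Anything this reports still needs a human decision: a hidden input called debug_token may be harmless, but a password in a comment never is.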



    1) View the website on this task. What is the password hidden in the source code?

    Ans :- testpasswd

     

     

     

    Room :- https://tryhackme.com/room/howwebsiteswork

     



    Task 5 HTML Injection


    HTML Injection is a vulnerability that occurs when unfiltered user input is displayed on the page. If a website fails to sanitize user input (filter any "malicious" text that a user inputs into a website), and that input is used on the page, an attacker can inject HTML code into a vulnerable website.


    Input sanitization is very important in keeping a website secure, as information a user inputs into a website is often used in other frontend and backend functionality - a vulnerability you'll explore in another lab is database injection, where you can manipulate a database lookup query to login as another user by controlling the input that's directly used in the query - but for now, let's focus on HTML injection (which is client-side).


    When a user has control of how their input is displayed, they can submit HTML (or JavaScript) code and the browser will use it on the page, allowing the user to control the page's appearance and functionality.

     

     


     

     

     

    In the room's example form (shown as an image in the original post), whatever the user types into the "What's your name" field is passed to a JavaScript function, sayHi, and written into the page. If the user enters HTML or JavaScript in that field, it is added to the page as markup, so an <h1> tag, for instance, is rendered as a heading rather than shown as text.



    The general rule is never to trust user input. To prevent malicious input, the developer should sanitize everything the user enters before using it in the JavaScript function. In this case the safest fix is to insert the input as text rather than as HTML (for example by assigning to the element's textContent instead of innerHTML), or to encode the characters <, >, &, " and ' before inserting it; merely stripping HTML tags is weaker, because a single-pass tag filter is easy to get wrong.




    1) View the website on this task and inject HTML so that a malicious link to http://hacker.com is shown.



    Ans :- HTML_INJ3CTION

     

    Use this :- <a href="http://hacker.com">"What's your name"</a>
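    To make the difference between the vulnerable and the hardened sayHi concrete without a browser, here is an added example (not the room's code) that reproduces both in Python: one function concatenates the input into markup the way innerHTML does, the other escapes it the way textContent would, and a small parser shows what a browser would actually see. The greeting text and the payload are constructed.

```python
"""The room's sayHi pattern, vulnerable and hardened, rendered server-side in
Python so it can run without a browser. Added example, not the room's own
code; the greeting text and the payload below are constructed."""
import html
from html.parser import HTMLParser
from typing import List


def say_hi_vulnerable(name: str) -> str:
    """Concatenates raw input into markup, like setting innerHTML to the input:
    any tag the user types becomes part of the page."""
    return f"<p>Hi {name}, welcome!</p>"


def say_hi_safe(name: str) -> str:
    """Escapes <, >, &, " and ' so the input is displayed as text. In the browser
    the equivalent is assigning to textContent instead of innerHTML."""
    return f"<p>Hi {html.escape(name, quote=True)}, welcome!</p>"


class _LinkCollector(HTMLParser):
    """Records the href of every <a> element, i.e. the links a browser would render."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")


def injected_links(rendered: str) -> List[str]:
    """Return the href of every <a> element present in the rendered markup."""
    collector = _LinkCollector()
    collector.feed(rendered)
    collector.close()
    return collector.hrefs


PAYLOAD = '<a href="http://hacker.com">Click here to win</a>'  # constructed attacker input

if __name__ == "__main__":
    print(say_hi_vulnerable(PAYLOAD))  # a live link to hacker.com is rendered
    print(say_hi_safe(PAYLOAD))        # the payload is shown literally as text
```

    The escaped version is also the right model for the server side: whenever user data is placed into HTML, encode it for the context it lands in rather than trying to enumerate "bad" strings.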

     



    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)


     

  • How do you calculate bytes?



     



    Bit


    • A "bit" is atomic: the smallest unit of storage
    • A bit stores just a 0 or 1
    • In the computer it is all 0s and 1s: bits
    • Anything with two distinguishable states can store 1 bit
    • In a chip: electric charge = 0/1
    • In a hard drive: spots of North/South magnetism = 0/1
    • A bit is too small to be of much use on its own
    • Group 8 bits together to make 1 byte



    NOTE :- Everything in a computer is 0's and 1's. The bit stores just a 0 or 1: It's the smallest building block of storage.





    Byte



    • One byte = a group of 8 bits
    • e.g. 0 1 0 1 0 1 0 1
    • One byte can store one ASCII character, e.g. 'A' or 'x' or '$' (characters outside ASCII, encoded as UTF-8, take two to four bytes)





    How do you calculate bytes?

    The calculation is based on 8 bits per byte and powers of two for the larger units. When describing data storage, bits and bytes are commonly calculated as follows:

        1 byte = 8 bits
        1 kilobyte (K / KB) = 2^10 bytes = 1,024 bytes
        1 megabyte (M / MB) = 2^20 bytes = 1,048,576 bytes
        1 gigabyte (G / GB) = 2^30 bytes = 1,073,741,824 bytes
        1 terabyte (T / TB) = 2^40 bytes = 1,099,511,627,776 bytes
        1 petabyte (P / PB) = 2^50 bytes = 1,125,899,906,842,624 bytes
        1 exabyte (E / EB) = 2^60 bytes = 1,152,921,504,606,846,976 bytes

    Commas in the figures above separate thousands. Note that KB and Kb are not the same thing: an upper-case B means bytes and a lower-case b means bits, so 1 Kb is only 128 bytes. Note also that these are the binary (powers of 1024) units, which the IEC names KiB, MiB, GiB and so on; disk and network vendors usually quote decimal units, where 1 kB = 1,000 bytes and 1 TB = 1,000,000,000,000 bytes, which is why a "1 TB" drive shows up as about 931 GiB.




    How many digits are in 8 bytes?

    Eight bytes contain 64 bits, so they can represent 2^64 (about 1.8 × 10^19) distinct values, which can be read as the integers from 0 to 2^64 - 1 = 18,446,744,073,709,551,615. That largest value has 20 decimal digits, so 8 bytes hold at most a 20-digit number, and not every 20-digit number: anything from 2^64 upwards does not fit. In general n bytes hold the integers up to 2^(8n) - 1, which has roughly 8n × 0.301 decimal digits, about 2.4 digits per byte.
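    The arithmetic above, as an added example that is not part of the original post: unit conversion for both the binary units in the table and the decimal units vendors print, a human-readable formatter, and the "how many digits fit in n bytes" calculation done exactly with integer bit lengths. Treating the plain spelling "KB" as the binary kilobyte of the table is an assumption made here.

```python
"""Unit arithmetic from this post: byte counts for binary and decimal prefixes,
a human-readable formatter, and how many decimal digits fit in n bytes.
Added example, not the post's own code."""

BINARY_UNITS = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"]   # powers of 1024 (the post's table)
DECIMAL_UNITS = ["B", "kB", "MB", "GB", "TB", "PB", "EB"]         # powers of 1000 (what drive vendors print)


def to_bytes(value: float, unit: str) -> int:
    """(1, 'KiB') -> 1024, (1, 'kB') -> 1000. Unit names are case-sensitive so
    that 'KB' (bytes) is never confused with 'Kb' (bits); see bits_to_bytes."""
    if unit in BINARY_UNITS:
        return int(value * 1024 ** BINARY_UNITS.index(unit))
    if unit == "KB":  # assumption: the informal spelling of the binary kilobyte
        return int(value * 1024)
    if unit in DECIMAL_UNITS:
        return int(value * 1000 ** DECIMAL_UNITS.index(unit))
    raise ValueError(f"unknown unit {unit!r}")


def bits_to_bytes(bits: int) -> int:
    """Round up, since a partial byte still occupies a whole one."""
    return -(-bits // 8)


def human(n_bytes: int, binary: bool = True) -> str:
    """1536 -> '1.5 KiB'; 1536 with binary=False -> '1.5 kB'."""
    base, units = (1024, BINARY_UNITS) if binary else (1000, DECIMAL_UNITS)
    value, idx = float(n_bytes), 0
    while value >= base and idx < len(units) - 1:
        value /= base
        idx += 1
    return f"{n_bytes} B" if idx == 0 else f"{value:.1f} {units[idx]}"


def max_unsigned(n_bytes: int) -> int:
    """Largest integer n bytes can hold: 2^(8n) - 1."""
    return (1 << (8 * n_bytes)) - 1


def max_decimal_digits(n_bytes: int) -> int:
    """Digits in the largest value; not every number with that many digits fits."""
    return len(str(max_unsigned(n_bytes)))


def bytes_for_decimal_digits(digits: int) -> int:
    """Bytes needed to hold every integer with up to `digits` decimal digits."""
    return bits_to_bytes((10 ** digits - 1).bit_length())


if __name__ == "__main__":
    print(max_unsigned(8), max_decimal_digits(8))          # 20 digits in 8 bytes
    print(human(10 ** 12), human(10 ** 12, binary=False))  # the "1 TB drive" effect
    print(bytes_for_decimal_digits(20))                     # 20 digits need 9 bytes
```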









  • TryHackMe Cryptography for dummies

     


     



    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.



    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.



    Room :- https://tryhackme.com/room/cryptographyfordummies




    Cryptography is a big topic. We are going to cover the basics, to give you a basic understanding.

    It is used by a wide range of applications, almost everywhere in the internet.



    Why we need cryptography?


    Without encryption, communication over the internet would be very insecure and it would be easy for someone to read your data. Fortunately almost all of the data you send and receive over the internet is encrypted and cannot be read in plain text by someone who intercepts it. Now let's look at cryptography in more detail.


    I understand why cryptography is important!









    Task 2 Types of cryptography



    There are two types of cryptography :

    • Symmetric
    • Asymmetric




    What is symmetric cryptography?


    Let's say Alice wants to send a message to Bob, but she doesn't want to send it in plain text because anyone could read it.

    She has a recipe for scrambling the letters so that no one can understand what they mean (that is called encryption). Bob has the same recipe but uses it to put the letters back in order so the message becomes readable again (that is called decryption), and so he understands what Alice wrote. In cryptography the recipe is called a key. In symmetric cryptography both users have the same key to encrypt and decrypt messages.



    What is asymmetric cryptography?


    In asymmetric cryptography the encryption and decryption keys are different. The encryption key can be used only for encryption, not for decryption and vice versa. The encryption key is called Public key and the decryption key is called Private key.



    Why is asymmetric cryptography used?


    The room's answer: because it's more secure! If you are using symmetric cryptography and someone steals your key, they can decrypt everything you send and also forge messages from you. In asymmetric cryptography, someone holding only the public key cannot decrypt messages encrypted with it; only the holder of the private key can. The more precise reason is key distribution: with symmetric cryptography the two parties must first share the secret key over some trusted channel, whereas a public key can be handed out openly. Let's give an example :

    Alice wants to talk to Google

    Google gives Alice the Public key.

    Alice encrypts her message with the public key and sends it to Google.

    Google decrypts the message with his private key and sends back what Alice wanted.

    And that's how the conversation goes...




    Note : Symmetric cryptography is faster than asymmetric, and asymmetric solves the key-sharing problem, which is what the room means by "more secure". In practice the two are combined: HTTPS uses asymmetric cryptography to authenticate the server and agree on a session key, then symmetric cryptography (such as AES) to encrypt the actual traffic.
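    To make the two kinds of key tangible, here is an added example that is not part of the room. It implements textbook RSA with the tiny primes 61 and 53 so every step can be checked by hand, and a toy symmetric cipher (XOR with a SHA-256 keystream) in which the same key encrypts and decrypts. Both are for illustration only: real RSA keys are 2048 bits or more and use padding, and real symmetric encryption means an authenticated cipher such as AES-GCM; the primes, messages and keys used below are constructed.

```python
"""Symmetric versus asymmetric keys made concrete. Added example, not the
room's code. The RSA below uses toy-sized primes so the arithmetic can be
followed by hand; real keys are 2048 bits or more and messages are padded
(OAEP), so never use this beyond illustration. The symmetric cipher is a
toy XOR stream cipher keyed by SHA-256, standing in for something like AES-GCM."""
import hashlib
from math import gcd
from typing import Tuple

Key = Tuple[int, int]


def rsa_keygen(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public, private) = ((e, n), (d, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)   # modular inverse; Python 3.8+
    return (e, n), (d, n)


def rsa_encrypt(public: Key, m: int) -> int:
    """Anyone with the public key can do this: c = m^e mod n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(private: Key, c: int) -> int:
    """Only the private key holder can do this: m = c^d mod n."""
    d, n = private
    return pow(c, d, n)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream. Encrypting and
    decrypting are the same operation with the same key."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


if __name__ == "__main__":
    # Asymmetric: the server publishes (e, n); Alice encrypts; only the server's d decrypts.
    public, private = rsa_keygen(61, 53)
    c = rsa_encrypt(public, 65)
    print(public, private, c, rsa_decrypt(private, c))
    # Symmetric: Alice and Bob share one key (the "recipe") for both directions.
    shared = b"recipe-shared-in-advance"
    ct = xor_stream(shared, b"meet at noon")
    print(ct.hex(), xor_stream(shared, ct))
```

    With the public key (17, 3233) the message 65 encrypts to 2790, and raising 2790 to the public exponent again does not give 65 back: knowing how to encrypt tells you nothing about how to decrypt, which is exactly the property symmetric keys lack.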

    Now let's see what you've learned!



    1) What type of cryptography is more secure?

    Ans :- Asymmetric



    2) What type of cryptography is faster?


    Ans :- Symmetric



    3) What type of cryptography will a Bank site use?

    Ans :- Asymmetric

    (That is the answer the room expects. A bank's HTTPS connection in fact uses both: asymmetric cryptography to authenticate the site and agree on a session key, and symmetric cryptography to encrypt the traffic.)



    4) What will you use to encrypt your messages in asymmetric cryptography?


    Ans :- public



    5) What will you use to decrypt messages in asymmetric cryptography?


    Ans :- private



    6) Does symmetric cryptography use two different keys for encryption/decryption? (aye/nay)

    Ans :- Nay





    Task 3 What is a hash?



    A hash is a fixed-length string of letters and numbers produced by a hashing algorithm from an input of any size. The same input always gives the same hash, and a tiny change to the input gives a completely different one.

    The important thing about hashes is that they are one-way: there is no key, and no way to decrypt or decode a hash back into its input. That does not make them unbreakable, though. An attacker can hash guesses and compare, so fast, unsalted hashes of weak passwords are routinely recovered with wordlists and precomputed tables.

    Popular hashing algorithms are MD5 (Message Digest 5) and the SHA (Secure Hash Algorithm) family. MD5 is now considered broken (colliding inputs can be created on demand) and should not be used in new systems.

    That's how the word "hello" looks as an MD5 hash : 5d41402abc4b2a76b9719d911017c592




    What are hashes used for?



    The most popular uses of hashes are file identification and storing sensitive data, like passwords. When you create an account on a website your password is hashed and the hash is stored in the server's database. When you log in, the password you type is hashed again and the server compares that hash with the stored one; if they match, your password is correct and the server lets you in. Password hashes should also be salted (a random value mixed into each hash) and computed with a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, so that stolen hashes cannot be cracked quickly.

    Hashes are also used to ensure the integrity of files. Because a hashing algorithm always produces the same output for the same input, the hash of the source file can be compared with a freshly computed hash of the destination file to check that it is intact and unmodified. MD5 is still seen in this role, but because attackers can craft two different files with the same MD5 hash, SHA-256 should be used when the check must resist tampering rather than just detect accidental corruption.


    There are plenty of other hashing algorithms out there, but this room is intended for beginners so we're not going to cover them here.





    1) What's the MD5 hash of "hashes are cool"?


    Ans :- f762d32e3c160900d94b683e927555b9


    2) What does MD5 stand for?


    Ans :- Message Digest 5


    3) Who created MD5?


    Ans :- Ronald Rivest





    Task 4 Decoding/encoding



    There is a difference between encoding and encrypting. If you have an encrypted file, the only way to decrypt it is with the key. Encoded data, on the other hand, can be decoded immediately by anyone, without any key. Encoding is NOT a form of encryption; it is just a way of representing data, and it provides no secrecy.

    A very popular encoding is Base64. Here's how "hi there" looks with Base64 encoding : aGkgdGhlcmU=



    1) Encode the string "cryptographyisuseful" with Base64

    Ans :- Y3J5cHRvZ3JhcGh5aXN1c2VmdWw=


    2) Decode the string "dGhlIHNlY3JldCB3b3JkIGlzIDogd2F0ZXJtZWxvbg==". What's the secret word?

    Ans :- watermelon
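    The hashing and encoding tasks above side by side, as an added example that is not part of the room: MD5 as the room shows it, a wordlist attack that illustrates why "not reversible" is not "unbreakable", the salted and slow PBKDF2 password record recommended in Task 3, and Base64 as an encoding that anyone can undo. The wordlist and passwords used here are constructed.

```python
"""Hashing and encoding side by side, with the password-storage practice the
text recommends. Added example, not the room's code; the wordlist and the
passwords are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional


def md5_hex(text: str) -> str:
    """MD5 of a string, as the room shows it (fine for demos, not for security)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack_unsalted_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Why 'not reversible' is not 'unbreakable': hash each guess and compare."""
    for guess in wordlist:
        if md5_hex(guess) == target_hex:
            return guess
    return None


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, slow PBKDF2-HMAC-SHA256 record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def b64_encode(text: str) -> str:
    """Encoding: reversible by anyone, no key involved."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def b64_decode(encoded: str) -> str:
    return base64.b64decode(encoded).decode("utf-8")


if __name__ == "__main__":
    print(md5_hex("hello"))
    print(crack_unsalted_md5(md5_hex("hello"), ["password", "letmein", "hello"]))
    record = hash_password("correct horse")          # constructed sample password
    print(record, verify_password("correct horse", record))
    print(b64_encode("hi there"), b64_decode("aGkgdGhlcmU="))
```

    Two points worth noticing when running it: the same password produces a different PBKDF2 record every time because a fresh salt is drawn, which is what defeats precomputed tables, and Base64 "decrypts" without any secret at all, which is why finding Base64 in a page or config is never a sign that something was protected.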










  • TryHackMe Startup walkthrough

     



     

    TryHackMe: Startup Write-Up


    Abuse traditional vulnerabilities via untraditional means.


    TryHackMe is an online platform for learning cyber security through hands-on exercises and labs, aimed at people starting out in the infosec field.

    This is write up for a TryHackMe room called Startup linked here.



    Enumeration and Scanning

    Using nmap, I found that this box had 3 ports open.


     


     

    The webpage looked like it was still under development.

     

     


     

     I then ran gobuster and found a hidden folder.

     

     


     

     

    Looking at the files directory, I saw the following:

     

     


     

     

    Going back to the ftp service, I tried logging in via anonymous user.

     



     

     


     

    The FTP and HTTP directory are the same. This means that we can upload files (read: reverse shell payloads) to the FTP directory which we can then execute on the browser.

     

    Abusing the FTP/HTTP misconfiguration


    To test this theory, we move into the /ftp directory, as this is the directory where we should have permission to upload files, and upload a test file to see if we can display and execute it in the browser. To do this, I created a test.html page and uploaded it into the /ftp directory.




     

     

     

     



     

    Now, to get a shell, we use PentestMonkey’s Reverse-Shell-PHP payload, change the IP and port, and upload it.

     

     


     

    Stabilising the shell


    To stabilise the shell, we execute the following steps:

    1) python -c 'import pty;pty.spawn("/bin/bash")'

    This spawns a Bash shell.

    2) export TERM=xterm

    This gives access to terminal commands like clear.

    3) Background the shell using Ctrl + Z.

    In the native shell, use stty raw -echo; fg

    This turns off terminal echo (giving access to tab autocompletion, arrow keys etc.) and foregrounds the shell.

    4) alias ll='ls -la'

    This is a personal preference, as it’s always better to list all current files with all the details; a good habit (which the following steps in this room would teach me).


    As I would learn, stabilising the shell was extremely important because there was no way I’d actually get a real shell (SSH or otherwise).

     

    Finding out the Secret Spicy Soup Recipe


    Now that we have a working shell with most of the features, we go to the / directory to see its contents with our ll command. As you view the contents, make sure not to rush and miss anything. If you take your time, you should notice some extra folders and files here (Hint: ones which don’t belong).

     


     

    They are as follows:

    drwxr-xr-x   2 www-data www-data  4096 Nov  9 02:12 incidents
    -rw-r--r--   1 www-data www-data   136 Nov  9 02:12 recipe.txt
    drwxr-xr-x   2 root     root      4096 Nov  9 02:10 vagrant

     

    Opening up recipe.txt should give us some clues about the Secret Spicy Soup Recipe.

     


     


    Thoughts: I was honestly stuck here for a little while as I didn’t know what to do and rushed over the directories. It was only after I took a step back and went through all the directories and files that I could notice the extra directories and files. Lesson/Pro-Tip: Take your time to go over each folder and file to see any sus discrepancies.
     

     

    1) What is the secret spicy soup recipe?

    Ans :- love

     

     

    Getting User privileges


    There are more out-of-place folders here, namely, /incidents and /vagrant. Going into the /incidents directory we see a suspicious.pcapng packet capture file.

    That’s pretty sus ngl.


    To view it you could either cat it out onto the terminal (like a pleb lmao) or you could copy it to the /ftp directory to download and view it on your own system (like moi). To do so, simply run:

    www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp/

     

    We know that it’s an Apache server on Ubuntu and /var/www/html is where the Apache server files live.

    Now, download and view the file with Wireshark:

     

    wireshark suspicious.pcapng

     

    The best way to find useful information from a packet capture is to go through each TCP/HTTP stream and try to find something which seems useful.

     

    If you do so, you’ll come across a TCP stream which looks like a packet capture of a remote connection session (telnet maybe?).

     

     


     

    We notice three things here:

    •     They used the same shell stabilising techniques as us!
    •     Seems like the user lennie is accessing the session and
    •     He has entered his password!

     


    Hence, we simply get user (lennie) privileges by:

    www-data@startup:/incidents$ su lennie
    Password: c4nt**************
    lennie@startup:/incidents$ whoami
    lennie

     

    Going into /home/lennie we see the user.txt file.

     


     



    2) What are the contents of user.txt?

    Ans :- thm{03ce3d619b0ccbfb3b7fc81e46c0e79}

     

     

    Getting the Root Privileges


    In our home directory, we see that there are two directories, one of which is owned by root. Maybe this can help us get root?

     


     

    The /scripts directory has the following files:

     


     

     

    It’s important to take note of the permissions and last-modified information here:


    • Both the files here can only be modified by root
    • startup_list.txt has been modified preettyyy recently (1 min ago)




    The contents of planner.sh are:


    #!/bin/bash
    echo $LIST > /home/lennie/scripts/startup_list.txt
    /etc/print.sh



    We see that it calls another script, /etc/print.sh, which is owned by lennie!

     

     


     

    The contents of /etc/print.sh are:


    #!/bin/bash
    echo "Done!"




    To reiterate, we have a script owned by us which is run by another script owned by root.


    If only there was a way for root to run that script… Surprise, surprise! Root does that for us! In short:



    •     Root Cron Job runs planner.sh
    •     Modifies startup_list.txt
    •     Runs /etc/print.sh


    Since we notice that startup_list.txt is being modified every minute by some cron job, it is safe to assume that it is planner.sh which does it.
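    A defender's check for exactly this chain, written as an added example that is not part of the original write-up: it follows a script that root's cron job runs, collects every file the script executes, and flags any that root does not own or that others can write. File metadata is a constructed dict standing in for os.stat (uids are illustrative: root = 0, lennie = 1000), so the snippet runs offline.

```python
"""Audit a root-run script for files it executes that root does not own.

Added example, not part of the original write-up. It models the
planner.sh -> /etc/print.sh chain from the Startup room. File metadata
is a constructed dict standing in for os.stat, so the check runs
offline; uids are illustrative (root=0, lennie=1000).
"""
import re
import stat
from typing import Callable, List, NamedTuple, Optional, Set, Tuple

ROOT_UID = 0
# (owner uid, permission bits, script text), or None if the file is absent.
FileInfo = Optional[Tuple[int, int, str]]
# Operators that start a new command inside a single shell line.
_SEPARATORS = re.compile(r"\|\||&&|[;|]")


class Finding(NamedTuple):
    path: str        # file in the executed chain
    owner_uid: int   # who owns it
    mode: int        # permission bits
    reason: str


def invoked_paths(script_text: str) -> List[str]:
    """Absolute paths in command position: `/x`, `source /x`, `. /x`.

    Redirection targets such as `> /home/x/list.txt` are data, not code,
    and are skipped. Comment stripping is naive ('#' inside quotes is
    not understood), which is enough for small cron helpers."""
    paths: List[str] = []
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # also drops the shebang
        if not line:
            continue
        for segment in _SEPARATORS.split(line):
            words = segment.split()
            if not words:
                continue
            head = words[0]
            if head in (".", "source") and len(words) > 1:
                head = words[1]
            if head.startswith("/"):
                paths.append(head)
    return paths


def audit_script(path: str, stat_fn: Callable[[str], FileInfo],
                 trusted_uid: int = ROOT_UID,
                 seen: Optional[Set[str]] = None) -> List[Finding]:
    """Follow the script and everything it invokes; flag any file that the
    trusted (invoking) user does not own, that others can write, or that
    is missing (a path some other user could create)."""
    seen = set() if seen is None else seen
    if path in seen:
        return []
    seen.add(path)
    info = stat_fn(path)
    if info is None:
        return [Finding(path, -1, 0, "missing: could be created by another user")]
    uid, mode, text = info
    findings: List[Finding] = []
    if uid != trusted_uid:
        findings.append(Finding(path, uid, mode, "not owned by the invoking user"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(Finding(path, uid, mode, "writable by group or others"))
    for child in invoked_paths(text):
        findings.extend(audit_script(child, stat_fn, trusted_uid, seen))
    return findings


# Constructed sample mirroring the room: planner.sh is root's, print.sh is lennie's.
SAMPLE_FS = {
    "/home/lennie/scripts/planner.sh": (0, 0o755,
        "#!/bin/bash\n"
        "echo $LIST > /home/lennie/scripts/startup_list.txt\n"
        "/etc/print.sh\n"),
    "/etc/print.sh": (1000, 0o755, '#!/bin/bash\necho "Done!"\n'),
}


def sample_stat(path: str) -> FileInfo:
    """Stand-in for os.stat over the constructed sample above."""
    return SAMPLE_FS.get(path)
```

    Running audit_script("/home/lennie/scripts/planner.sh", sample_stat) reports only /etc/print.sh, owned by uid 1000, which is the file the root cron job should never have trusted.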

     

     


     

    Hence we can modify the /etc/print.sh script and wait one minute for root to run it!

    So, we make a directory in the /tmp folder to store the flag:


    mkdir /tmp/lol

    And adding the following to /etc/print.sh:

    cat /root/root.txt > /tmp/lol/flag


     

    should do the job of getting the flag for us!


    Thoughts: I was stuck here for over a day before I noticed that the file gets modified by some cron job. I tried finding cron jobs but since the cron running here is a user job and not a system one; something which I learnt because of this room; I couldn’t find one to confirm my suspicions about a cron job running and got sucked into unnecessary rabbit holes.

    Wait one minute for the cron job to run and:

     


     

     

    3) What are the contents of root.txt?

    Ans :- thm{f963aaa6a430f21022215ae15c3d76d}

     

     

     

     

     


    Disclaimer


    This was written for educational and pentesting purposes only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!




     

  • TryHackMe NIS - Linux Part I

     

     


     

     

    NIS - Linux Part I

    Enhance your Linux knowledge with this beginner friendly room! 

     

    Task 1 What is this room about?

    In this task, we will be looking back at ZTH Linux and a few other topics that seem to cause some trouble for beginners. A requirement for this room is to finish the Learn Linux room - https://tryhackme.com/room/zthlinux.

    It covers all the basic requirements, and this room is just a follow-up to it in order to strengthen the understanding you gained throughout that room.
    Below I will be asking a few questions related to that room, so please make sure to complete it first :). If you haven't, feel free to go through the tasks and come back to this once you have finished the room.



    The commands you are allowed to use in this room are:

    •     cat
    •     tac
    •     head
    •     tail
    •     xxd
    •     base64
    •     find
    •     grep
    •     echo
    •     xargs
    •     hexeditor
    •     tar
    •     gzip
    •     7zip
    •     binwalk


     

    Bear in mind, commands such as cd are not allowed.


    *The SSH credentials are chad:Infinity121 *

    1) What is shiba3's password?

    Ans :-

     

    2) What is shiba4's password?

    Ans :- 


     

    3) What is the root.txt flag?

    Ans :- 

     

     


     

    Task 2 ls


    This task should give you a better understanding of the command ls, a few of the switches that the command can take, and which are some of the more efficient ones. Below is a screenshot of the help menu; however, feel free to use the man page.









     

    Hopefully, the above screenshot should help you go through a few of the tasks below, however further research is required. A good thing to know is that ls supports multiple ways of chaining switches. Such as:



    •     ls -x -y -z
    •     ls -xyz


     

    In some cases, you would need to keep evidence of your findings. Below we will start with some basic commands you should be familiar with.

     

    1) How do you run the ls command?

    Ans :- ls


     

    2) How do you run the ls command to show all the files inside the folder?

    Ans :- ls -a

     


    3) How do you run the ls command to not show the current directory and the previous directory in the output? (almost everything)

    Ans :- ls -a


     

    4) How do you show the information in a long listing format using ls?

    Ans :- ls -l
     

     

    5) How do you show the size in readable format? e.g. k, Mb, etc

    Ans :- ls -h

     

    6) How do you do a recursive ls?

    Ans :- ls --recursive


     

    7) How many files did you locate in the home folder of the user?(non-hidden and not inside other folders)

    Ans :- 13



     

    Task 3 cat


    The cat command is one of the most common Linux commands that people use, however, in some instances, the cat command cannot be used as it's removed.

    Below is a screenshot of the cat command's help menu.


     





    But, as we are professionals, we know about a few alternatives to get around it:

    The first command we are going to learn about is tac. Yes, cat spelt backwards. It is similar to cat, with the downside of less functionality.







    This makes it a good tool to add to your toolbelt when you are limited by your reverse shell.


    Another tool that can be used is head. This is usually used to get the beginning part of a file, however, you can use it to your heart's content and grab as many lines as you want.







    One more tool that can be used to grab the content of a file is tail. This is similar to the head command, however, as the name implies it will grab the last part of a file.





     




     

    Another useful command is xxd. This can be used to generate a hex dump of the content of a file. Then, if you want, you can either just read the text from the right-hand side or convert from hex to ASCII.





     


     

     

    Similar to the above you can use the base64 command to convert the text to base64 and then convert it back to ASCII.




















    1) What is the content of cat.txt?

    Ans :- THM{11adbee391acdffee901}



    2) What is the content of tac.txt?

    Ans :- THM{acab0111aaa687912139}



    3) What is the content of head.txt?

    Ans :- THM{894abac55f7962abc166}



    4) What is the content of tail.txt?

    Ans :- THM{1689acafdd20751acff6}



    5) What is the content of the xxd.txt?

    Ans :- THM{fac1aab210d6e4410acd}



    6) What is the content of base64.txt?

    Ans :- THM{aa462c1b2d44801c0a31}









    Task 4 find


    The find command is one of the most useful commands on a Linux operating system.



     





    This command can help us find specific files that match a pattern like:


    find . -name *.txt


    Or we can use it to find files that have a specific extension:


    find / -type f -name "*.bak"



    This simple command will search the whole filesystem starting from /, finding all the files with the extension .bak (backup).










    But we can also use it to find files that have the SUID or SGID bit set like so:



    find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

    This command combines the permissions 4000 (SUID) and 2000 (SGID) and lists every matching file.


     





     

     

     

    1) How many .txt files did you find in the current folder?

    Ans :- 8

     

    2) How many SUID files have you found inside the home folder?

    Ans :- 0









    Task 5 grep


    grep is a really useful command to grab text from files.






    Let's read through a few examples of grep commands and see how we can use them for our own benefit in a scenario.

    grep "word" file



     


     

    Grep not only allows us to check if a certain word exists in the file but also outputs us the context in which the word had appeared. As you can see on the screenshot above, we were able to find an exact match to the word 'if' in the file script.py.

    We can also search across several files with similar names using:

     

    grep "word" file*







    How many times does the word "hacker" appear in the grep files? (including variations)











    Task 6 sudo



    The sudo command allows certain users to execute a command as another user, according to settings in the /etc/sudoers file. By default, sudo requires that users authenticate themselves with a password of another user.

    In a real-life scenario, sudo is mostly used to switch to the root account and gain the ability to fully interact with the system.






    sudo -l appears to be the most commonly used switch. It can always tell you which commands you are allowed to run as another user on the system, and in some cases can give you a clue to root access.

     

    1) Is the user allowed to run the above command? (Yay/Nay)

    Ans :- 








    Task 7 chmod

    The chmod command sets the permissions of files or directories.







     

    Those permissions are divided between three main characters:

       

    • User
    • Group
    • Other


     

    Each of them can either read, write or execute a file. Permission to do so can be granted using chmod.



    It can be done using either letter notation or numerical values.



    Let's take a look at the following command:

     

    chmod u=rwx,g=rx,o=rw myfile


    •     u = user is being given read, write and execute permission
    •     g = group can now read and execute
    •     o = other can read and write



    This long notation can be replaced by numerical values for permissions. There are exactly four of them:



    • 0 stands for "no permission."
    • 1 stands for "execute";
    • 2 stands for "write";
    • 4 stands for "read".


     

     

    Those values can be easily combined by adding them up.

    For example, permission to read, write and execute would be 7 (1 + 2 + 4).

     

    chmod 777 file

     

     

    The above command grants full file access to everyone on the system. (Those numerical values can be easily calculated using an interactive chmod calculator.)

    The chmod command comes in handy with SSH key files (id_rsa). By editing their permissions to 'user read-write only' we can use other people's id_rsa files to connect via ssh.



    chmod 600 id_rsa
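    As an added example (not part of the room text), the following Python converts the letter notation above into the numeric form chmod applies, renders a numeric mode the way ls -l prints it, checks the 600 rule for id_rsa, and recognises the 4000/2000 bits that the find command in Task 4 searched for.

```python
"""Symbolic and numeric chmod notation, as explained in Task 7.

Added example, not part of the original room text. It converts
'u=rwx,g=rx,o=rw' to the octal value chmod applies, renders a numeric
mode the way `ls -l` prints it, checks the 600 rule for id_rsa, and
recognises the 4000/2000 bits that `find -perm` looked for in Task 4.
"""
import re
from typing import Dict

# Value of each permission letter, as listed on the page.
_BITS: Dict[str, int] = {"r": 4, "w": 2, "x": 1}
# Bit shift for each "who" class: user, group, other.
_SHIFT: Dict[str, int] = {"u": 6, "g": 3, "o": 0}
# Special bits that sit above the three rwx triplets.
SUID, SGID, STICKY = 0o4000, 0o2000, 0o1000

_CLAUSE = re.compile(r"^([ugoa]+)=([rwx]*)$")


def symbolic_to_octal(spec: str) -> int:
    """'u=rwx,g=rx,o=rw' -> 0o756.

    Only the '=' form is handled; '+' and '-' modify an existing mode
    and are outside what this page explains."""
    mode = 0
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        who, perms = m.groups()
        value = sum(_BITS[p] for p in set(perms))   # e.g. rwx -> 7
        for w in ("ugo" if "a" in who else who):
            mode |= value << _SHIFT[w]
    return mode


def octal_to_string(mode: int) -> str:
    """0o756 -> 'rwxr-xrw-'; 0o4755 -> 'rwsr-xr-x' (SUID shown as 's')."""
    chars = []
    for who in "ugo":
        triplet = (mode >> _SHIFT[who]) & 0o7
        chars.append("r" if triplet & 4 else "-")
        chars.append("w" if triplet & 2 else "-")
        chars.append("x" if triplet & 1 else "-")
    # ls replaces the x slot with s/t (or S/T when x itself is absent).
    for bit, slot, letter in ((SUID, 2, "s"), (SGID, 5, "s"), (STICKY, 8, "t")):
        if mode & bit:
            chars[slot] = letter if chars[slot] == "x" else letter.upper()
    return "".join(chars)


def key_mode_is_safe(mode: int) -> bool:
    """The `chmod 600 id_rsa` rule: no group/other bits at all. OpenSSH
    refuses a private key whose mode has any of the 0o077 bits set."""
    return (mode & 0o077) == 0


def has_special_bits(mode: int) -> bool:
    """Same test as `find / -type f \\( -perm -4000 -o -perm -2000 \\)`."""
    return bool(mode & (SUID | SGID))
```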











    Task 8 echo


    echo is the most fundamental command found in most operating systems. It is used to print text to standard output, for example the terminal. It is mostly used in bash scripts in order to display output directly on the user's console.





     

    echo can also be used to interact with other system commands and pass some value to them.








     

    echo also has a small trick which allows you to print any command's output to the console.



    echo "$( [command] )"

     

    What command would you use to echo the word "Hackerman" ?








    Task 9 xargs


    xargs command builds and executes command lines from standard input. It allows you to run the same command on a large number of files.





     

     

     

    xargs is often used with the find command, in order to easily interact with its input.



    Let's take a look at the given command:



    find /tmp -name test -type f -print | xargs /bin/rm -f


     

    On the left side, we can see a command which should display all files named 'test'. The xargs command on the right allows us to execute rm (remove) on those files and easily delete all of them.
    The same can be done to read all the files named 'test'.

     

     

    1) How would you read all files with extension .bak using xargs?

    Ans :- find / -name *.bak -type f -print | xargs /bin/cat








    Task 10 hexeditor


    Hexeditor is an awesome tool designed to read and modify the hex bytes of a file; this comes in handy especially when troubleshooting magic numbers for files such as JPG, WAV and any other type of file. This tool is also helpful in CTFs when text is hidden inside a file or when the magic number of a file was altered.

    Another tool that is good for these kinds of scenarios is called strings, but we won't be talking about it in this part of our course.







     

     

     

    For this task, I will be providing you with resources to help you along your journey around challenges you might be facing in which you need the hexeditor tool.



    For tasks that involve analysing files and fixing the magic number, I use the following resources:



    https://en.wikipedia.org/wiki/List_of_file_signatures

    https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5

    https://www.garykessler.net/library/file_sigs.html











    Task 11 curl 

    The curl command transfers data to or from a network server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). It is designed to work without any user interaction, so could be ideally used in a shell script.



    curl is a huge tool with a lot of switches and possibilities. Let's take a look at some of the most important ones.



    curl http://www.ismycomputeron.com/






     

    The most basic command. It fetches data from the website using the HTTP protocol and displays the raw HTML. This is essentially the same as "viewing the source" of the webpage.



    The following command will limit the connection speed to 1,234 bytes/second:



    curl --limit-rate 1234B http://www.ismycomputeron.com/


    Another example is saving the output to a file using either:



    -o to save the file under a different name:
    curl -o loginpage.html https://tryhackme.com/login



    -O to save the file under the same name:


    curl -O https://tryhackme.com/login

    Or, you might be interested in fetching the headers silently?


    curl -I -s https://tryhackme.com

     

     

    1) How would you grab the headers silently of https://tryhackme.com but grepping only the HTTP status code?

    Ans :- 






    Task 12 wget


    The wget command downloads files over an HTTP, HTTPS, or FTP connection from a network.






     

     

     

    wget http://somewebsite.com/files/images.zip






     

    Adding a -b switch will allow us to run wget in the background and return the terminal to its initial state.



    wget -b http://www.example.org/files/images.zip




    1) What command would you run to get the flag.txt from https://tryhackme.com/ ?

    Ans :- 



    2) What command would you run to download recursively up to level 5 from https://tryhackme.com ?

    Ans :-








    Task 13 tar


    tar is a command that allows you to create, maintain, modify, and extract files that are archived in the tar format.






     

     

    The most common example for tar extraction would be:

    tar -xf archive.tar

     




     

     

    -x tells tar to extract files from an archive.

    -f tells tar that the next argument will be the name of the archive to operate on.
     

     

    1) What is the flag from the tar file?

    Ans :-








    Task 14 gzip


    gzip - a file format and a software application used for file compression and decompression. gzip-compressed files have .gz extension.





     

    A gzip file can be decompressed using a simple gzip -d file.gz command, where -d stands for decompress.


    1) What is the content of gzip.txt?

    Ans :-









    Task 15 7zip


    7-Zip is a free and open-source file archiver, a utility used to place groups of files within compressed containers known as "archives".







    7z is as simple as gzip or tar, and you can use the following command:

    7z x file.zip (to extract the archive)

    This tool comes in handy as it works with a lot more file extensions than other tools. You name the archive extension and 7z should be the tool for you.

     

    1) What is the flag inside the 7zip file?

    Ans :-






    Task 16 binwalk


    binwalk allows users to analyze and extract firmware images and helps in identifying code, files, and other information embedded in them, or inside another file, as with steganography.








    A simple command such as binwalk file performs a simple file scan and identifies embedded code and file information.

    binwalk -e file extracts files from the firmware image. This method is usually used in CTFs, where some important information can be hidden within the file.

    binwalk -Me file does the same as -e, but recursively.






     

     

    1) What is the content of binwalk.txt?

    Ans :-







