Tr0ll2: The Revenge Of The Tr0ll!!

Hello everyone, this is Tr0ll 2 as I promised. Time to get some root access on the server, because I didn't do much these days, so I will stop blabbing and start to explain what is going on and how everything happened… 😉

Of course, as always, I started with an nmap scan of our dear Tr0ll server:

root@kali:~# nmap 192.168.124.131 -sV

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-12 18:13 EDT
Nmap scan report for 192.168.124.131 (192.168.124.131)
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:7C:A4:A9 (VMware)
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds

So this is where I started the FTP enumeration. I tried a couple of guessed passwords, actually got in, checked for files and downloaded the only one I found there.

(screenshot: troll21)

The file was password protected, so I left it hanging around for later… :/
Let's go to the HTTP service enumeration. This is the index page:
(screenshot: troll22)

The source didn't contain anything interesting, so let's move ahead. I thought to check the robots.txt, and ok, this is not a damn robots.txt file, this is a huge list!!! I mean come on!!!
(screenshot: troll23)
Because of this big list, after I tried a few paths and they turned out to be fake… -_- I made a wordlist out of it and checked it with dirb.
Continue reading


Human Stupidity…NOT A VM

Hey everyone, so this is the story of how I hacked into a server. This is not a VM, it was an actual server, and I won't be giving much info because I don't want to expose the target to attacks.
So let's say the name of the server I hacked into was http://www.stupid.com and the IP was 111.111.111.111.
Of course I started, as always, with nikto to find some vulnerabilities… they were interesting, but something else was more important at first glance!
There was a .zip file called stupid.com.zip, so I figured this must be a backup file; I downloaded it and it indeed was a backup file… 😉 */ Human stupidity number 1 /*
So after I extracted it, this is what we got:
(screenshot: rh1)
After looking through a few files I checked the sftp-config.json file for possible passwords, and this is what we actually got:
(screenshot: rh2)
I know that you can't see the password, but trust me, it was quite good, so good job there 😛
Anyway, after a while I found an admin login page under the newcms folder path, but unfortunately the username and password didn't work there. However, by checking the admin PHP code I noticed that for the user's session to be created it needs to read some files in the var folder, but there were no such files in the backup. Good job again at this point.
(screenshot: rh3)
So I had to find another way.
Of course, after finding out that tftp on port 22 might be running, I scanned with nmap, but it was closed, too bad :/ The FTP was open though, so I thought let's try it out with the same username and password: */ Human stupidity number 2 /*

root@kali:~# ftp 111.111.111.111
Connected to 111.111.111.111.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 01:43. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (111.111.111.111:root): stupid
331 User stupid OK. Password required
Password:
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

I won't be showing what I got in there, but I went after the MySQL file that I found out about earlier! The var directory and the rest of the MySQL DB files were all there!!!
I checked the mysql.php file, and check this out:

define('dbase','dbase');
define('host','host');
define('user','user');
define('password','password');
define('port','port');

$server[dbase]="stupid_site";
$server[host]="localhost";
$server[user]="stupid_site";
$server[password]="a8XXXXXXX";
$server[port]="3306";
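As an added example (not part of the original post): a small Python check a site owner could run over a web root to catch the two mistakes described above, a backup archive left under the document root and config files such as sftp-config.json or mysql.php carrying a hard-coded password. The file names and contents built in demo() are constructed stand-ins, not the real target's data.

```python
import os
import re
import tempfile
# File types that should never sit under a web root (site backups, DB dumps).
BACKUP_EXTS = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".bak", ".old")
# Secret shapes from the post: JSON "password": "...", PHP $server[password]="...",
# plus the common define('DB_PASSWORD', '...').
CRED_PATTERNS = [
    re.compile(r'"password"\s*:\s*"([^"]+)"', re.I),
    re.compile(r'\$\w+\[[\'"]?password[\'"]?\]\s*=\s*[\'"]([^\'"]+)[\'"]', re.I),
    re.compile(r'define\(\s*[\'"]\w*password[\'"]\s*,\s*[\'"]([^\'"]+)[\'"]', re.I),
]

def find_secret(text):
    """First real-looking hard-coded password in text, or None. The literal value
    'password' is skipped: define('password','password') only names a constant."""
    for pat in CRED_PATTERNS:
        for m in pat.finditer(text):
            if m.group(1).lower() != "password":
                return m.group(1)
    return None

def scan_webroot(root):
    """Walk a web root; return sorted (relative path, finding) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(BACKUP_EXTS):
                findings.append((rel, "backup archive exposed under web root"))
            elif name.endswith((".php", ".json")):
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    secret = find_secret(fh.read())
                if secret:
                    findings.append((rel, "hard-coded password (%s...)" % secret[:2]))
    return sorted(findings)

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)
def demo():
    """Build a constructed web root mirroring the post's layout and scan it."""
    root = tempfile.mkdtemp()
    _write(root, "stupid.com.zip", "PK")  # stand-in for the exposed backup
    _write(root, "sftp-config.json", '{"user": "stupid", "password": "Xy9-constructed"}')
    _write(root, "newcms/mysql.php", "<?php\ndefine('password','password');\n$server[password]=\"a8constructed\";\n")
    _write(root, "index.php", "<?php echo 'hello';\n")  # clean file, no finding
    return scan_webroot(root)
```

Run demo() to see the three findings; only the first two characters of each secret are reported so the output itself does not leak the credential.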

Continue reading

The troller trolled the Tr0ll

Hey everyone, so this is the VM for the Tr0ll server! I know it is kind of old, but since I am trolling every day in real life I thought I would try it, so Tr0ll2 is on the way too 😀
Let me add here that this challenge was made by Maleus and hosted by VulnHub!

Anyway, let's stop with all the blabbing and start our challenge.
Tr0ll server IP: 192.168.124.141
Kali IP: 192.168.124.134

At first I tried an nmap scan:

root@kali:~# nmap 192.168.124.141 -vv -sV

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-10 12:01 EDT
NSE: Loaded 33 scripts for scanning.
Initiating ARP Ping Scan at 12:01
Scanning 192.168.124.141 [1 port]
Completed ARP Ping Scan at 12:01, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:01
Completed Parallel DNS resolution of 1 host. at 12:01, 0.00s elapsed
Initiating SYN Stealth Scan at 12:01
Scanning 192.168.124.141 (192.168.124.141) [1000 ports]
Discovered open port 21/tcp on 192.168.124.141
Discovered open port 22/tcp on 192.168.124.141
Discovered open port 80/tcp on 192.168.124.141
Completed SYN Stealth Scan at 12:01, 1.22s elapsed (1000 total ports)
Initiating Service scan at 12:01
Scanning 3 services on 192.168.124.141 (192.168.124.141)
Completed Service scan at 12:01, 6.10s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.124.141.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 12:01
Completed NSE at 12:01, 1.27s elapsed
Nmap scan report for 192.168.124.141 (192.168.124.141)
Host is up, received arp-response (0.00031s latency).
Scanned at 2015-10-10 12:01:04 EDT for 9s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd 3.0.2
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:FE:92:AF (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.55 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)

Continue reading

Lord Of The Root: 1.0.1 write-up

So this is the first write-up of Lord of the Root 1.0.1, created by this guy, #KookSec.

This is apparently on the level of the OSCP certificate, which I plan on taking, so let's see…

After setting it up on VMware and running this LOTR server, we start up Kali and begin the process…

After a quick search of my LAN to find the target's IP, we find that the IP is 192.168.124.138; btw I am 192.168.124.134.

So let's start by scanning the target machine for open ports and stuff:

root@kali:~# nmap 192.168.124.138 -sT -p- -A
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-06 18:52 EDT
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.69% done
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 3.67% done; ETC: 18:55 (0:03:04 remaining)
Nmap scan report for 192.168.124.138 (192.168.124.138)
Host is up (0.0011s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_ 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
MAC Address: 00:0C:29:8F:4B:CE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14, Linux 3.18, Linux 3.2 - 3.19
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.07 ms 192.168.124.138 (192.168.124.138)

We can see that port 22 (SSH) is open, so let's try to connect and see what we can get from it.

(screenshot: Untitled)

It says that it wants us to knock 😛 and it is easy as 1,2,3, so I am guessing I should knock on ports 1, 2, 3.

I used this script to knock:
Continue reading

First Post ^_^

Hello, my alias is trickster0. Anyway, my name is Thanasis. I am a pentester in learning, trying to go as high as possible!!! I am en route to taking the OSCP exam and hopefully getting a job as a pentester at a security company in Greece, where I am from! My Facebook is this one, for any reason you might want to contact me —-> facebook    E-mail: tserpthanasis@riseup.net
Hello to everyone and always be happy! ^_^