I started my penetration test by looking for the IP of the target machine. I used netdiscover to aid me with this task, with the command netdiscover -r "my ip address/24". The -r option stands for range: it scans every host address in the given network, the whole /24 here.
Once I had the IP address of the target machine, the next step was to use Nmap to look for open ports and the services running on them. I used the following command for this scan: nmap -Pn -sV -p- --mtu 24 -ff -T4 -O my ip address -oN nmapscan. The options mean:
-Pn – skip host discovery and treat every host as online
-sV – probe the open ports to identify the service and version running on them (verbose output is a different option, -v)
-p- – scan all 65535 TCP ports
--mtu – set the size of the IP fragments Nmap sends; the value must be a multiple of 8 bytes (Nmap documents --mtu and -f as alternatives, so in practice pick one)
-f – fragment the probe packets into 8-byte IP fragments (-ff uses 16-byte fragments) so that simple packet filters have a harder time inspecting them
-T4 – timing template, i.e. how fast the probes are sent (T4 is aggressive)
-O – attempt to fingerprint the operating system
-oN – save the scan in normal (human-readable) output to the given file
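Once the scan has been saved with -oN, the port table can be pulled out of the file programmatically instead of read by eye. The following is an added example, not code from the write-up: it parses the "PORT STATE SERVICE VERSION" lines of Nmap's normal output and picks out the service the next step goes after. The sample output embedded below is constructed for the example; the ports mirror the services used later in the write-up, but the banners and timing lines are made up.

```python
import re
from typing import Dict, List

# Constructed sample of nmap "normal" (-oN) output. The ports mirror the
# services the write-up goes on to use (FTP, SSH, Samba, uucp, SWAT, MySQL,
# DRb); the banner text and the host-up line are made up for this example.
SAMPLE_NMAP_ON = """\
# Nmap scan initiated as: nmap -Pn -sV -p- -T4 -O -oN nmapscan 172.20.10.5
Nmap scan report for 172.20.10.5
Host is up (0.00042s latency).
Not shown: 65528 closed ports
PORT      STATE    SERVICE     VERSION
21/tcp    open     ftp         (constructed banner)
22/tcp    open     ssh         OpenSSH (constructed banner)
139/tcp   open     netbios-ssn Samba smbd
540/tcp   filtered uucp
901/tcp   open     http        Samba SWAT administration server
3306/tcp  open     mysql       MySQL (constructed banner)
8787/tcp  open     drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One port line: "PORT/PROTO  STATE  SERVICE  [VERSION ...]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_nmap_normal(text: str) -> List[Dict[str, object]]:
    """Return one dict per port line found in -oN output."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # headers, host lines and '#' comments are skipped
        rows.append({
            "port": int(m["port"]),
            "proto": m["proto"],
            "state": m["state"],
            "service": m["service"],
            "version": (m["version"] or "").strip(),
        })
    return rows


def open_ports(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only ports Nmap reported as open; filtered/closed entries are dropped."""
    return [r for r in rows if r["state"] == "open"]


def find_service(rows: List[Dict[str, object]], keyword: str) -> List[Dict[str, object]]:
    """Case-insensitive match on the service name or the version banner."""
    kw = keyword.lower()
    return [
        r for r in rows
        if kw in str(r["service"]).lower() or kw in str(r["version"]).lower()
    ]


if __name__ == "__main__":
    rows = parse_nmap_normal(SAMPLE_NMAP_ON)
    for r in open_ports(rows):
        print(f"{r['port']:>5}/{r['proto']}  {r['service']:<12} {r['version']}")
    print("DRb endpoints:", [r["port"] for r in find_service(rows, "drb")])
```

Matching on the version banner as well as the service column matters here: the service name Nmap prints is taken from its port table, while the banner (-sV) is what tells you it is Ruby 1.8's DRb, which is the detail the exploit in the next step depends on.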
After getting the result of the scan, the next step was to analyze it, and I decided to go for the Ruby DRb RMI service on port 8787. I remember one of my friends telling me that Google is your best friend, and as a normal person would do I googled the service ("what is Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)"), and luckily I found an article about how to exploit the service; the URL of the site is below.
The article had the following information, as shown below.
After reading the article I went straight to Metasploit and typed msfconsole to start it.
Then I typed the command search druby and got the exploit for it. I set the remote host and executed the exploit by typing the command exploit.
I typed exploit and got a session; after that I typed shell and got a remote shell in Paul's account.
The next thing I wanted to know was who I was logged in as, so I typed whoami and saw that I was the user paul. After that I wanted to see what files and documents were there, so I listed the files and found the first flag.
I went further to see which directory I was in by typing pwd, which showed /home/paul, so I changed directory to /home, and once I listed its contents I noticed there were more users apart from paul: allison and dr_balustrade.
I continued my quest by typing cat /etc/passwd. /etc/passwd is the file that lists every user account on the system, and there I found another user, peter.
The next step was to go to the IRC logs and read them. I found a folder called localhost; I entered it and found logs for Paul, Allison, auth, dr_balustrade and Alheim.
I began by reading Allison's logs and found out that Allison is dating Paul, and also that Paul gave Allison sudoers permission so that she could play the game he was bragging about to her. By doing so Paul violated the company policy, because only the administrators are allowed to have sudoers rights.
Apart from giving Allison sudoers rights, Paul committed another violation himself by playing games on the company's system instead of working. Giving Allison sudoers access was a dangerous move: if her account is compromised, the attacker can do almost anything on the system without ever needing an administrator's account.
Next I examined dr_balustrade's logs, where he was chatting with Paul. Reading their conversation I noticed that dr_balustrade was requesting the password of the backup user, and instead of Paul looking for a safer way to send it to him, he typed the password in plain text, which was easy for me to read.
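Reading every chat log by hand does not scale, and the same leak is what a defender would want to catch before an attacker does. The following is an added example, not part of the write-up: a small scanner that walks IRC-style log lines, arms itself whenever a message talks about passwords or credentials, and flags secret-looking tokens in the next few messages. The log lines are constructed for the example, modelled on the conversation described above; the nick format, timestamps and the character-class heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed IRC log lines modelled on the exchange the write-up describes.
# Timestamps and most of the wording are made up for this example.
SAMPLE_IRC_LOG = """\
[12:01] <dr_balustrade> paul, what's the password for the backup user?
[12:02] <paul> sure, it's KYNZh9t51nCLiIK
[12:03] <paul> also gave allison sudo so she can try the game
[12:04] <allison> thanks! is the pass for the game server the same as ssh?
[12:05] <paul> the box shows up as ALHEIM-LABS on the network btw
[12:06] <allison> ok, my key is Xk2#pq9vLm
[12:20] <alheim> can someone restart the webstats job?
"""

# "[HH:MM] <nick> message"; joins, parts and server notices do not match.
IRC_LINE = re.compile(r"^\[(?P<time>[^\]]+)\]\s+<(?P<nick>[^>]+)>\s+(?P<msg>.*)$")
# Words that mean a secret is likely being discussed.
CRED_WORDS = re.compile(r"\b(password|passwd|pass|pwd|credentials?|creds|key)\b", re.I)
# Candidate tokens: 8+ chars from the set a typed password usually draws on.
SECRET_TOKEN = re.compile(r"[A-Za-z0-9!@#$%^&*_\-]{8,}")


@dataclass
class Leak:
    line_no: int
    nick: str
    token: str
    message: str


def looks_like_secret(token: str) -> bool:
    """Crude strength check: at least three of the four character classes."""
    classes = (
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    )
    return sum(classes) >= 3


def find_credential_leaks(log_text: str, window: int = 2) -> List[Leak]:
    """Flag secret-looking tokens in a credential-related message or in the
    `window` messages that follow it (the answer usually comes a line later)."""
    leaks: List[Leak] = []
    armed_until = 0  # highest line number still inside a credential context
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = IRC_LINE.match(line)
        if not m:
            continue
        nick, msg = m["nick"], m["msg"]
        if CRED_WORDS.search(msg):
            armed_until = line_no + window
        if line_no <= armed_until:
            for token in SECRET_TOKEN.findall(msg):
                if looks_like_secret(token):
                    leaks.append(Leak(line_no, nick, token, msg))
    return leaks


if __name__ == "__main__":
    for leak in find_credential_leaks(SAMPLE_IRC_LOG):
        print(f"line {leak.line_no}: <{leak.nick}> leaked {leak.token!r}")
```

The context window is what makes this catch the exchange above: the question on one line mentions "password", the actual secret is typed on the next line with no keyword at all. The character-class check keeps ordinary words and a hostname like ALHEIM-LABS from being reported; it is a heuristic, so expect to tune the word list and threshold for real logs.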
During Paul's conversation with dr_balustrade they mentioned Samba as being what the backup user was for, or so Paul thought, and my instinct told me to enumerate the SMB service and see if it really was the backup the dr was talking about. Here I used a tool called nmblookup, which queries the NetBIOS name service to resolve NetBIOS computer names to IP addresses (and, with -A, an IP address to its NetBIOS name). I found that the host's NetBIOS name was ALHEIM-LABS.
After getting the NetBIOS name, I used a tool called smbclient, famously known as the Swiss army knife of the Samba suite. It can be used to list share names and transfer files, and it works much like an FTP client.
I finally logged in to the SMB share, but there was a challenge: I couldn't execute the ls and dir commands, which list the directories on the machine. This was another dead end.
I then went back to the services in the Nmap scan result and noticed one called uucp. Once again I had to google it, because I had never seen nor heard of such a service. I found the SearchNetworking page, which explains that UUCP means Unix-to-Unix Copy: it allows you to transfer files between Unix systems and to send commands to be executed on another system. (Rouse, 2007)
After reading this, the thought that crossed my mind was to try connecting to the service with Netcat. Netcat, also known as the Swiss army knife of networking, is a tool for reading from and writing to network connections using TCP or UDP. Once I connected to the port I found that it was a troll and there was nothing of use there.
I then remembered that there was one move I hadn't made: exploring the FTP server. The first thing that came to mind was, as usual, to try logging in with default credentials, where the username and password are both anonymous, or the user is anonymous and the password is left blank, but unfortunately that didn't work. I tried to log in as paul, allison, peter and dr_balustrade with the password KYNZh9t51nCLiIK, but all of them failed. So I decided to try downloading the whole FTP server to my local machine with the command wget -r --no-passive-ftp ftp://username:password@ip/. I started with anonymous: wget -r --no-passive-ftp ftp://anonymous:KYNZh9t51nCLiIK@172.20.10.5/, but unfortunately that didn't work either.
I tried a second time with paul, but that didn't work at all.
I tried a third time with allison, and still there was no hope.
At this point I had no hope of making any progress, and moments like this, when you have no hope, are when your ancestors' spirits come to the rescue: I just found myself randomly typing the word backup for the username and hitting enter, and moments later, after looking at the output.....
At the end of the output I saw that the download was complete, and in moments like these you start thanking your ancestors for rescuing you.
I then went to the folder that had been downloaded from the server and finally found the second flag, and I remembered my father once telling me that he who never gives up shall enjoy the rewards; indeed my persistence paid off.
Next was to look for the third flag. I started looking through the other directories, beginning with the etc folder, and noticed a file named shadow. Once I opened it I saw that it held the shadow entries (password hashes) for the users root, backup, allison, paul and dr_balustrade.
The next step was to crack the hashes in order to get the passwords. Tools that will help you achieve this are John the Ripper or hashcat (Medusa is an online login brute-forcer rather than an offline hash cracker).
I used John the Ripper to crack the hashes, and the only hash that cracked was dr_balustrade's.
I remembered that there was a login page on the web, so the next thing I did was enter the IP, a colon and the port number to reach the SWAT login popup (format: 172.20.10.5:901).
Once I logged in to the website I looked around the directories, but there was nothing interesting there.
Then I remembered that port 22 was open and decided to try logging in over SSH with the same credentials, and I managed to log in. I ran pwd to see which path I was in, then listed the directory with ls and found flag 3. Yay for me, and thanks to my ancestors 😊
I proceeded by examining the system logs and saw paul and dr_balustrade talking about the webstats program that the dr had uploaded for paul.
Then I went to the web temp directory to see what it contained and found the source code of the website. I decided to go through checklogin.php, and after reading each line of code to understand how the login page works, I noticed that there was a MySQL database running at the backend which the website uses to authenticate users.
Since the username web and the password supersecret were hard-coded in the login code, I tried those credentials against the database.
The command I used to connect was mysql -u web -p supersecret, and I managed to log in. (Note that -p must be followed immediately by the password with no space, as in mysql -u web -psupersecret; with a space, mysql prompts for the password interactively and treats the next word, supersecret, as the name of the database to use.)
The next thing was to see which databases were there, so I typed show databases; and two databases appeared, named information_schema and web. I had to select one of them and see what it contained. I started with information_schema, but there was nothing important there, so I went to web: I typed use web; to select it, then show tables; to see what tables it had, and found it had one table named members.
I then typed select * from members; to see all the rows in the members table, and I found credentials that I was going to use to log in to the web page.
I entered the credentials on the web page and the login was a success.
After successfully logging in to the website I viewed the page source and found that it was using the POST method, and also that it was using SQL statements to access tables in the database, which meant something I could exploit, hehe. Next stop was Burp Suite, to intercept the traffic and see what I was working with.
But before proceeding to Burp Suite I decided to play around with the display button on the "choose a static to display" pane first and see what it did. Once I clicked display it showed some random text in an array-like layout, and from reading it, it seemed the information was being retrieved from a database.
After finding nothing else of interest I sent the traffic through Burp Suite and intercepted it. The next step was to edit the SQL in the display request, inject my own SQL and see if it would get executed.
So I typed in SQL that would display the tables of the database, to see which tables were available.
To my relief one of the tables available was one called flag 4. I was very excited to find flag 4 because I had never imagined finding it there, hurray for me 😊.
I then decided to inspect the elements of the web page and see if I could get anything important. Through inspecting the elements I found that on the test tab there was again a SQL command being used to display the contents of the database when you click the display button, and this is where I tried to see whether I could get the contents of flag 4.
I typed flag 4 in place of test, clicked display, and the contents of flag 4 were there, phew!
Now it was time to look for flag 5. In the same field where I had typed flag 4, I typed statsadmins, which was among the tables in the database.
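The display feature in the last few paragraphs works because the table name from the request is pasted straight into the query, so swapping test for flag 4 or statsadmins, or tacking a UNION onto it to list the schema, all go through. The following is an added example, not the CTF's code (which was PHP on MySQL): a Python/sqlite3 stand-in for the stats page with the vulnerable query beside an allow-listed one. The tables, their contents and the flag string are constructed for the example; in MySQL the schema enumeration would read information_schema.tables instead of sqlite_master.

```python
import sqlite3
from typing import List, Tuple

# The only table the stats page is meant to show (assumption for the example).
ALLOWED_TABLES = {"test"}

# Payload that abuses the unchecked table name to enumerate the schema. In
# MySQL, information_schema.tables plays the role sqlite_master plays here.
LIST_TABLES_PAYLOAD = (
    "test WHERE 0 UNION SELECT name, sql FROM sqlite_master WHERE type = 'table'"
)


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the 'web' database; all contents are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE test (id INTEGER, stat TEXT);
        INSERT INTO test VALUES (1, 'visits'), (2, 'downloads');
        CREATE TABLE flag4 (id INTEGER, flag TEXT);
        INSERT INTO flag4 VALUES (1, 'flag4{constructed-sample}');
        CREATE TABLE statsadmins (username TEXT, password TEXT);
        INSERT INTO statsadmins VALUES ('allison', 'constructed-sample-secret');
        """
    )
    return conn


def display_vulnerable(conn: sqlite3.Connection, table: str) -> List[Tuple]:
    """The pattern the write-up exploited: the table name from the request is
    pasted straight into the statement, so 'test' can be swapped for any other
    table, or extended with UNION to read whatever the DB user can see."""
    return conn.execute(f"SELECT * FROM {table}").fetchall()


def display_hardened(conn: sqlite3.Connection, table: str) -> List[Tuple]:
    """Identifiers cannot be bound as parameters, so the fix is an allow-list:
    anything not explicitly permitted is rejected before it reaches SQL."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    return conn.execute(f'SELECT * FROM "{table}"').fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print("normal:  ", display_vulnerable(db, "test"))
    print("flag4:   ", display_vulnerable(db, "flag4"))
    print("schema:  ", [row[0] for row in display_vulnerable(db, LIST_TABLES_PAYLOAD)])
    print("admins:  ", display_vulnerable(db, "statsadmins"))
    try:
        display_hardened(db, "flag4")
    except ValueError as exc:
        print("hardened:", exc)
```

Note that a prepared statement would not have fixed this: placeholders bind values, not table or column names, which is why the hardened version checks the identifier against a fixed set and only then quotes it. Limiting what the web user can read (no SELECT on statsadmins for the account the stats page uses) would have contained the damage even with the bug in place.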
I found some strings that looked like credentials for Allison, but they didn't make sense to me, so, as a normal person would do, I copy-pasted the random words into Google to see what I would get.
When I pasted the contents into Google it identified them as Korean, so I used Google Translate to translate them from Korean to English, and it came out as "this is your password for SSH!@#$".
Then I tried to log in over SSH with Allison's password. For the first attempt I tried only the special characters !@#$ as the password, but that didn't work; then I tried the whole English translation, and that failed too,
but finally I tried logging in with the Korean statement (이 SSH에 대한 비밀번호입니다!@#$) as the password, and I managed to log in as Allison.
When I had successfully logged in as Allison I tried listing everything in her account, but there wasn't anything of interest there. Then I remembered that Allison had been given sudo privileges, so I used sudo to become root, changed directory to /root, listed everything there, and there she was: flag 5.
Rouse, M. (2007). UUCP. SearchNetworking, TechTarget. Retrieved from https://searchnetworking.techtarget.com/definition/UUCP