Posts

PentesterAcademy Vulnerable Servers II Lab Write-Up | metasploit-pivoting

Lab Link: https://attackdefense.pentesteracademy.com/challengedetails?cid=1747 Vulnerable Servers II is a lab from PentesterAcademy, rated as easy. The lab topology shows two machines, which means there are two targets and the attacker has to perform pivoting in order to hack the second machine and get the flag from it. First, select the nearest server and click on Run the lab. Once the lab is up, a web-based terminal opens in the web browser. Firstly, check the IP address of the attacking machine. We can see that there are two interfaces, and as per the instructions, the first target machine should be 192.17.147.3. Let's perform an Nmap scan of the target. The scan result shows that TCP port 8080 is open and is running an Apache Tomcat webserver / Coyote JSP engine 1.1. Let's try to connect to the webserver using netcat. We can see that the webserver is running OpenKM, a Document
Recent posts

Introducing Pre-Security Learning Path from TryHackMe.

Are you interested in learning cybersecurity but stuck on the big question "Where to start?" Well, a few months ago I had the same question in my mind. Do I need to learn programming languages first, or web applications, or networking? That's where I want to talk about the popular learning platform TryHackMe. TryHackMe is an online platform that helps people learn cybersecurity, especially penetration testing, by doing hands-on labs. There are multiple learning paths available on the platform, and based on your knowledge and skill you can select the most suitable one. If you want to learn cybersecurity from scratch, you can explore each learning path, finish the rooms (rooms are sets of learning exercises with an objective) and proceed to the next. But before diving deep, one must understand the technology and the basics first. Introducing the Pre Security learning path. This path consists of 40 hours of content and will teach the necessary technical knowl

PrintNightmare (CVE-2021-1675) PoC exploit Walkthrough

I am not an exploit developer but was interested to see how this vulnerability can be exploited. So I tried to replicate the infamous PrintNightmare vulnerability using the following PoCs ( https://github.com/cube0x0/CVE-2021-1675 ) and ( https://github.com/rapid7/metasploit-framework/pull/15385 ). However, I had trouble with the new Metasploit module (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare) and couldn't exploit the machine successfully. So I tried the second PoC from cube0x0. This one did the magic. I just followed the guidelines with a couple of tweaks. First of all, I installed impacket (cube0x0 version), which installs the required modules and files. After that I set up a Samba share with anonymous login. This is required for hosting the DLL file. I edited smb.conf with the following settings.
[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    s

Comparison between CEH Practical and eJPT

This month, I have done two certification exams: Certified Ethical Hacker (CEH) Practical and eLearnSecurity Junior Penetration Tester (eJPT). These were not actually in my plan; however, when I received the free vouchers, I thought of giving the exams a go. So in this post, I am going to give a detailed comparison between the two certification exams. Certified Ethical Hacker (CEH) Practical: I went for the CEH Practical exam with an aversion, but I found it not bad. Mostly the basic topics are validated in the exam. However, absolute beginners might find the practical exam useful. Most of the people attempting this exam might sign up for iClass/iLabs for their exam preparation, but in my opinion that is not necessary. The best alternative exam prep option is to sign up for TryHackMe and then learn and practice. As I mentioned earlier, I got a free voucher and therefore didn't go through iLabs/iClass. In the exam, there are some questions based on cryptographic,

[FIX] Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module)

I was trying to use snmpenum.pl in my lab and encountered this error: Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module). I searched the internet for the fix but couldn't find anything direct. However, going through some Stack Overflow pages, I fixed it, as explained below.
1) First install the required packages related to the SNMP utilities.
sudo apt-get install libsnmp-perl
2) Install the SNMP module for Perl.
perl -MCPAN -e 'install Net::SNMP'
That's it, and I was able to run the script.

Pivoting via Meterpreter [metasploit v6.x]

Pivoting is a technique used during pentesting. The attacker gains access to one of the remote machines in the target network segment and uses that machine to move around another network. Pivoting is useful in a scenario where you don't have direct access to a remote network. For example, the attacker can access the DMZ server but not the internal server segment, while the DMZ server can communicate with the internal server segment. In such a scenario, the attacker first gains access to the DMZ server and then uses it as a foothold to gain access to the internal server segment. Note that older versions of Metasploit support MSF scripts, but the latest version (Metasploit 6.x) doesn't. So let's see how to perform pivoting using the newer versions of Metasploit. For the illustration, I assume that the attacker has gained access to one of the remote machines and now needs to move around. After establishing a Meterpreter shell, background it. Since msfscripts

Configure Internet Explorer (IE) Mode in Microsoft Edge Browser.

The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022. Organizations with websites optimized for Internet Explorer may consider configuring IE mode in Microsoft Edge. If you are configuring IE mode for an enterprise, you may refer to the step-by-step guide from Microsoft. To configure IE mode on your Windows machine, follow the steps below.
1) Open the Microsoft Edge browser.
2) Go to Settings.
3) Click on the Default Browser option.
4) On the right pane, you can see "Allow sites to be reloaded in Internet Explorer mode". Toggle the button to ON.
5) Restart Edge.
6) Now access any website.
7) To view the website in Internet Explorer mode, click on Settings > More Tools > Reload in Internet Explorer Mode.
8) Now the website will be reloaded in IE mode. You can also see the settings from the IE icon next to the address bar.
9) To exit IE mode, click on Settings > More Tools > Exit Internet Explorer Mode.

UDP is connection-less, then how Nmap identifies open/closed UDP ports??

When a packet is sent to an open UDP port, the default behavior is no response, simply because UDP is a connection-less protocol. When this happens, Nmap or port-scanning scripts refer to the port as open|filtered: it could be open or behind a firewall. However, if a UDP response is received, which is unusual for UDP, then the port is marked as open. Then how do Nmap or other port-scanning scripts confirm whether an open UDP port exists? For this, one should know about the relation between UDP and ICMP. You may refer to this post to understand it. When a packet is sent to a closed UDP port, the target responds with an ICMP packet containing a message that the port is unreachable. Using the ICMP error codes, Nmap identifies and confirms the closed ports.

HTB Bastion : CIFS share / mount .VHD tips

To mount a share on your working machine, use the following command. There are some prerequisites for CIFS mounts and for mounting .VHD files. They normally come preinstalled with your Kali/Linux distro; however, I am listing them here.
apt-get install libguestfs-tools
apt-get install cifs-utils
Now, to mount a remote share:
sudo mount -t cifs //<Remote_Machine_IP>/<Path>/ <Mount_Path> -o rw
eg: mount -t cifs //10.10.10.1/Backups/ /mnt/nfs -o rw
To check the .VHD filesystem, we can use guestfish.
sudo guestfish --ro -a <file.vhd>
><fs> run
><fs> list-filesystems
/dev/sda1: ntfs
The guestfish shell runs only specific commands; however, the run and list-filesystems commands are enough to get you the required information. In the above example, we can identify that the filesystem is NTFS and the partition is /dev/sda1. Now mount the .VHD file using guestmount.
guestmount -a <File.vhd> -m <device_file_partition> --ro <Mount_Path>
--ro = readonl

[FIX] Fingerprint reader not working properly??

The fingerprint reader on my laptop had not been working properly for the last couple of months, which I suspected was due to some update from Microsoft. It was not completely broken: sometimes it worked perfectly and often it did not, especially after my laptop went to sleep. So I uninstalled and reinstalled the driver with the latest update, did some googling, and couldn't get a solution. However, I thought of checking the power management settings and unchecked "Allow the computer to turn off this device to save power" under the device's Power Management tab (from Device Manager). The issue is fixed and the fingerprint reader is working fine. I thought of sharing this as some of my friends had the same issue. Also, I can see a lot of queries on the internet regarding this fingerprint reader malfunction. Always keep your OS and drivers up to date and don't download any third-party tools to fix issues with your machine.

Unable to locate package linux-headers / E: Unable to locate package linux-headers-5.10.0-kali5-amd64

While compiling programs, you may encounter this particular error: E: Unable to locate package linux-headers-5.10.0-kali5-amd64. I encountered this while compiling C code. To fix this, I first updated my Kali machine (v2020.2a).
sudo apt update -y && sudo apt upgrade -y && sudo apt dist-upgrade
Then I rebooted and installed the headers.
sudo apt install linux-headers-$(uname -r)

Different CTF a.k.a Adana Room from TryHackMe [THM] Writeup

Room link: https://tryhackme.com/room/adana Excellent room. Spend much time on recon and enumeration. The room developer has also put in a sweet-spot rabbit hole: the WordPress. I am not making this write-up in detail. You perform the initial Nmap scan and get a couple of open ports and services. Then perform a dirbuster or gobuster scan. You get the secret directory: Announcement. In the Announcement directory, you can see an image and a word-list. As is common with THM, we can easily assume that there might be some kind of steganography involved. And yes, but with a twist. I used steghide and exif tools at first, but you need to use a brute-force method to crack the hidden data. Also, the hint is given on the room poster. Anyway, use Stegbrute to crack the image. Stegbrute gives an output file, and it's encoded. Do a Base64 conversion to decode it, and here it is, the FTP credentials. Decode using CyberChef. Now we have the FTP creds, so let's try them. Well, the directory structure looks like the web folde