Mission statement
Get root and read the contents of the file ‘key.txt’ in the root directory.
The challenge includes an image hosting web service that has various design vulnerabilities. You must enumerate the various web service features and find an exploitable vulnerability in order to read system hidden files. The web application is 100% custom so do not try to search google for relative PoC exploit code.
FINAL GOAL: Reveal the hidden message for a date arrange that Bob sent to Alice.
In this post I am going to focus on the use of Metasploit.
Before starting, I want to leave here some links to good resources for learning Metasploit:
Offensive Security Metasploit Unleashed free training course
Continuing the LAMPSecurity series, the next machine I’m going after is CTF5.
Ever since I got into Linux and wanting to learn more and get better at it, I always held an interest towards Slackware. Being one of the oldest distributions around, with a hardcore community and an old-school reputation, it always came in the top answers when it comes to learning Linux without fancy hand holding and the like (along with Arch). But I always liked Slackware, its name is awesome, and well, slackwarez for a slacker! So I’ve finally set up some time to install it in a VM, and will get to work on it to deepen my Linux knowledge.
So in this post I will list the steps I went through to install Slackware 14.1 in VMware.
Today’s target is part of a CTF series by the LAMPSecurity project.
I’ve decided to try a VM named Primer that was recently added to VulnHub. I was hooked by the description of it being a story driven VM that was inspired by William Gibson’s Sprawl Trilogy, which was one of my first reads in hacking literature, after I became interested in the subject! And it also provided me with a new novel to read, since I didn’t know about Snow Crash:
Concept
This is a story based challenge written in a style heavily inspired by Neal Stephenson’s Snow Crash and William Gibson’s Sprawl Trilogy. Each chapter is unlocked by solving the puzzle. From hardcoded clear text JavaScript password checks, SQL-injections and cracking hashes to a simulated terminal. You only need to start the VM, a webserver will come up and you can connect with your browser. In fact you never have to leave the browser.
Goal
Teach some basic well known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what’s going on behind the scenes. The main goal is to give a nice welcoming intro to the scene and hopefully also teach something about ethics and responsibility.
I’ve decided on a goal for 2016 to pwn as many VulnHub boxes as I can, and train myself to reach a level where I can hopefully take the OSCP. So I scrolled back in the list of VMs to start with the older ones and move towards the newer ones. Today’s target is pWnOS v1.0, a vulnerable Linux machine that apparently contains multiple avenues for getting root.
exploit-exercises.com provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.
Nebula takes the participant through a variety of common (and less than common) weaknesses and vulnerabilities in Linux. It takes a look at
At the end of Nebula, the user will have a reasonably thorough understanding of local attacks against Linux systems, and a cursory look at some of the remote attacks that are possible.
I am doing these levels by SSH’ing into the box, rather than directly in the Nebula terminal.
Because my posts tend to become gigantic when I am focusing on a single challenge and it takes a lot of time between them, I am going to break them up into smaller posts from now on, hence why I will cover only the levels from 00 to 10 in this post.
Natas teaches the basics of serverside web-security.
Each level of natas consists of its own website located at **http://natasX.natas.labs.overthewire.org**, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.
Start here:
Username: natas0
Password: natas0