Saturday, September 30, 2017

VulnHub - GameOver vm - Hackademic_Challenges - challenge 010

The last challenge was in regards to bypassing the Login screen, getting a serial number and becoming a member of a hacker team.

I intercepted the page with BurpSuite and, before forwarding it, I modified the Login information from False to True, and the password of 'LetMeIn' (found in the source code of the page, but I did not see it anywhere on the page, so it was suspect to me...).

I was redirected to a webpage with a javascript pop-up, with the text:
%53%65%72%69%61%6C%20%4E%75%6D%62%65%72%3A%20%54%52%56%4E%2D%36%37%51%32%2D%52%55%39%38%2D%35%34%36%46%2D%48%31%5A%54

which I ended up converting to a serial number of:
Serial Number: TRVN-67Q2-RU98-546F-H1ZT

After clicking OK, I was redirected to a logon page with a populated email for r00t@n1nj4h4x0rzcrew.com, filled out the empty spaces, and received:



The End....

VulnHub - GameOver vm - Hackademic_Challenges - challenge 009


This one took me a while to get done, as Nikto sent me on a lot of wild goose chases with the results.

I created a new User Agent to include the shell (from the description):



which was uploaded as prwtoftyari.gr, and I noticed the 'adminpanel.php' link in my BurpSuite:








The logon information was in a file called:
sUpErDuPErL33T.txt

Top Secret Information:
---------------------------------------
username: Admin
password: teh_n1nj4_pwn3r
email : admin@prwtoftyari.gr
---------------------------------------
 
 

Friday, September 29, 2017

VulnHub - GameOver vm - Hackademic_Challenges - challenge 008

We browse to the 008 challenge and get:




- after prodding around with nikto and dirbuster, we find nothing except a possible vulnerability for the Santy.A worm, which led me off to several sites on Google...
- I checked the source code and found nothing...
- reading the page, I am given information about...

Enter 'help' for available commands.

- typing help gives me available commands...
ls
whoami
id
help
su


- we still need to be root to run any commands, so I proceeded through the list.
- under 'ls' I get a list of files, such as, index.php and b64.txt. I browse to the .txt file to get:

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NClVzZXJuYW1lO
iByb290IA0KUGFzc3dvcmQ6IGcwdHIwMHQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0
tLS0tLS0tLS0tLS0tLS0tLS0t

- does the 'b64' file name indicate a base64 encryption format:
--------------------------------------------
Username: root
Password: g0tr00t
--------------------------------------------

..it did :)

One needs to type 'su' first, to get to the Login prompt in the site!

Another way to decode that would be with the command below, replacing the base64 string shown with our long string:
echo QWxhZGRpbjpvcGVuIHNlc2FtZQ== | base64 --decode 
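Both the pop-up text from challenge 010 and the contents of b64.txt are encoded, not encrypted, so anyone who can read them can recover the plaintext. As an added example (not part of the original post), here is a small Python scanner a site owner could run over web-served files to flag encoded values that decode to credential-like text; the keyword list and the function names are assumptions of this example.

```python
import base64
import re
from urllib.parse import unquote

# Keyword list is an assumption of this example; tune it to your own data.
KEYWORDS = ("password", "username", "serial")
# Runs of 16+ base64 characters, allowing a line wrap inside the run.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{16,}\s?)+={0,2}")
# Four or more consecutive %XX escapes.
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")

# The two encoded strings quoted in this post, plus one line of plain text.
SAMPLE = """\
%53%65%72%69%61%6C%20%4E%75%6D%62%65%72%3A%20%54%52%56%4E%2D%36%37%51%32%2D%52%55%39%38%2D%35%34%36%46%2D%48%31%5A%54
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NClVzZXJuYW1lO
iByb290IA0KUGFzc3dvcmQ6IGcwdHIwMHQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0
tLS0tLS0tLS0tLS0tLS0tLS0t
Enter 'help' for available commands.
"""


def _decode_b64(run):
    """Decode a (possibly wrapped) base64 run; None if it is not UTF-8 text."""
    data = "".join(run.split())
    data = data[: len(data) - len(data) % 4]  # keep the longest 4-aligned prefix
    try:
        return base64.b64decode(data, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def find_encoded_secrets(text):
    """Return (encoding, decoded) pairs whose decoded text contains a keyword."""
    hits = []
    for m in B64_RUN.finditer(text):
        decoded = _decode_b64(m.group())
        if decoded and any(k in decoded.lower() for k in KEYWORDS):
            hits.append(("base64", decoded.strip()))
    for m in PCT_RUN.finditer(text):
        decoded = unquote(m.group())
        if any(k in decoded.lower() for k in KEYWORDS):
            hits.append(("percent", decoded))
    return hits


if __name__ == "__main__":
    for encoding, decoded in find_encoded_secrets(SAMPLE):
        print(f"[{encoding}] {decoded!r}")
```

A hit means the value should be moved out of the web root or replaced with a server-side check, since encoding gives no confidentiality.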

Upon authentication, we are greeted with:



 

VulnHub - GameOver vm - Hackademic_Challenges - challenge 007

Short story: the network administrator is asking for 3,000 euro to change the grades into As. You need to find the admin password... to rat the admin out....

DirBuster finds a 'lastlogin.txt' file for Irene Pretty, but she is only a user.

Last Login user:
Irene Pretty : Irene
at 14/3/2000 10:59:00am


While searching the site, I decided to run Intruder in BurpSuite to see if I can authenticate with the male name...nothing worked...

Nikto didn't provide any information I could use.

After doing some more digging, I used Firebug to look at Irene's cookie...

And that's where I was able to elevate my permissions to 'admin' and received the...









... message!

