Pentest Limited's BSides Edinburgh Write up

Thursday, June 1. 2017
Security

This is the second VM that I have tried from Pentest Limited. The report of the Securi-Tay CTF challenge can be found here. As usual, I downloaded the VM (located here) and imported it into VirtualBox. Once I had changed the networking to my local host-based network (vmbox0), I was ready to start taking a closer look. Initially, I did a ping sweep to determine the IP address of the target.




# nmap -sP 192.168.56.1/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-20 22:56 BST
Nmap scan report for 192.168.56.100
Host is up (0.000065s latency).
MAC Address: 08:00:27:E0:C9:C2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 888.darknet.com (192.168.56.103)
Host is up (0.0012s latency).
MAC Address: 08:00:27:31:B6:3A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.94 seconds

Once I had the IP address, I then performed a port scan of the main server to reveal a single TCP port open (80 - HTTP):




# nmap -sT 192.168.56.103

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-20 22:56 BST
Nmap scan report for 888.darknet.com (192.168.56.103)
Host is up (0.00066s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:31:B6:3A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

So without much delay I fired up a web browser, Burp Suite, Arachni and DirBuster and took a closer look...


PwnLab - Init CTF write up.

Saturday, May 20. 2017
Security

Pwnlab-init is a boot2root VM from VulnHub. The VM and background details can be found here. Once booted, a quick ping sweep via nmap reveals the IP address of the target as 192.168.56.102, and my attacker (Kali Linux) is on 192.168.56.1.



Running a basic TCP scan of the VM revealed a few services:




# nmap -sT 192.168.56.102

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-20 21:26 BST
Nmap scan report for 192.168.56.102
Host is up (0.0032s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
MAC Address: 08:00:27:B8:8C:20 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Doing the next part of recon, I fire up DirBuster to enumerate the web server, to see if there is anything interesting on the server. I also open a web browser at the index page.


Pentest Limited's SecuriCTF Write up

Saturday, May 20. 2017
Security

From time to time, I have time to look at and try some CTF (Capture the Flag) VMs to try to get root on. These are purpose-built VMs to challenge people to break in. For the Securi-Tay 2017 conference, Pentest Limited released a CTF VM, and even though the solution was posted I decided to give it a go to see how I fared. The VM was aimed at the novice level, so I was in with a chance.



Once the VM was booted in VirtualBox, I was presented with the IP address of the VM from inside the console screen. In this case my target was 192.168.56.101. My attacking machine (Kali Linux) was sitting on 192.168.56.1. As this is my VirtualBox network, I knew that there shouldn't be anything else on the LAN, so I did a ping sweep to confirm, using nmap. The nmap command is:




nmap -sP 192.168.56.1/24

Vulnhub - Fristileaks walkthrough.

Saturday, April 9. 2016
Security

Over at https://www.vulnhub.com/, there are a load of virtual machines ready to be broken, hacked or used as a learning tool. I like a challenge, so I thought I would have a go. All that is required is a suitable VM player, such as VirtualBox. For my first challenge, I chose the Fristileaks VM. The challenge is aimed at a beginner, and is pitched to take around 4 hours.



Once the OVA is downloaded, it is simple to import into VirtualBox. I chose to use Kali Linux for my host machine, which I would also be launching attacks from. I modified the settings of the VM to use a host-only adapter, as I like to have control over what my VMs are doing, especially when I have just downloaded a random VM from the internet, one that is made for hackers, no less. Finding out that it did something nasty wouldn't be great, especially as part of the challenge is to have minimal information about the VM before you start.



I also start my VMs headless, so as I later realised, the DHCP-assigned IP address was sitting on the console for me. The main reason for starting headless is to lower my impatience and not cheat by rooting the VM straight out of the box. So my first task was to identify what IP address the VM had been assigned. Fortunately, this VM responds to ICMP pings, so discovery was as simple as running:




nmap -sP 192.168.56.0/24