Showing posts from July, 2018

[VulnHub] - Jarbas: 1 Walkthrough

~ Spoiler Alert ~ Recently I did Jarbas from VulnHub and below is my walkthrough for this machine. Firstly, to obtain the IP address of the target machine, I used netdiscover. My Kali machine booted later than the target machine, so obviously Jarbas machine's IP is A quick port scan on the IP address revealed some open ports like 22 (SSH), 80 & 8080 (HTTP), 3306 (MySQL). No SSH creds were initially provided and MySQL also didn't allow remote access, so I skipped ports 22 and 3306 and moved towards port 80. The homepage for port 80 looks something like below. In the machine's description, the author has mentioned that this machine (Jarbas) is a tribute to a Brazilian search engine of the 90's. The homepage of the machine also displays a static page copied from the Wayback Machine of the same search engine. Since it's a static page directly copied from the Wayback Machine, there's nothing interesting so I moved to port 80

[VulnHub] - billu: b0x 2 Walkthrough

~ SPOILER ALERT ~ Below is my walkthrough for the VulnHub machine billu: b0x 2 by Manish Kishan Tanwar bhaiji. I already did this box a week ago but for the sake of this blog, I did it again, so forgive my mistakes if you spot any. So, let's get started with our traditional boot2root box solving strategy by kicking off nmap to scan for open ports and services. Scanning the machine's IP, we can notice a few ports are open like 22 (SSH), 80 (HTTP), 111 (RPCBIND) and so on. As the author already said we can get a low priv shell with two methods, I decided to go with port 80. If we simply visit the machine's address, we can see a Drupal instance running. Drupal 8? A few months ago, a remote code exec vulnerability was discovered on Drupal CMS including version 8.x, so without thinking twice, I tried the same RCE exploit and it worked! While obtaining a reverse shell, nc from the netcat openbsd-package failed (old version of nc?) but ncat did the job and we got a working n