My Tryst with Exploitation

By -
Hello Everyone! n1ghtcr4wl3r here...

I have started preparing for offensive Security Certified Expert (OSCE) and in this post shall be a description as to how I have started honing my skills of binary exploitation.

Tulpa has been a great help in commencing this journey and so has been Mike and corelanc0d3r :)

This post shall be an incremental post and I will describe my journey while exploiting a software called vulnserver

I will keep adding more content on this post as time goes by.

Until then see you next time!

Comments

Post a Comment

Popular posts from this blog

By -
Image
I picked up Sedna and these were the steps: Like any machine, starting with arp-scan to first know the machine IP: arp-scan -l The machine got detected at 192.168.137.152 The next step was to run an nmap scan: From here, I decided that I shall  be concentrating on port 80. First checking the webpage: I decided I shall have a peek at the robots.txt as well: going to /Hackers gave 404 -Not found! Damn! :D Meanwhile in background, I was running gobuster. Doing web enumeration and checking web page sources dint reveal much! I decided to check my gobuster results: Manually enumerating the dirbuster pointed folders, I quickly became clear that builderengine was running. Next, a searchsploit revealed exploit for arbitrary upload in BuilderEngine. Seems BuilderEngine is vulnerable to arbitrary file uploads on the directory: http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/ I uploaded a simple php reverse shell...
Read more

Pluck w00t!

By -
Image
Time to Pluck! Though a bit late, I decided to give this machine a try! As with all almost every machine I began with arp-scan/netdiscover: Once this is done, next I try to do a port scan on the host. I began with the tcp scan while upd scans taking more time ran in the background. Since port 80 was open, I ran nikto in other window. Post this is done, I move next to check banners on each service. SSH dint give any banner, neither mysql or llmnr protocol so I tried to enumerate the web. Just before I went to check the web service, I looked at the nikto results and they were interesting! Now, this was very interesting, an LFI!! Meanwhile I had also tried fuzzing the admin page on the webservice and it revealed sql injection: Now, I had two vectors so I thought lets begin with the LFI. Doing a /etc/passwd dumped all the contents!! But Trying lfi on other files like apache logs etc was not getting possible (permission issue??) This was when som...
Read more