Hi everyone! I know it’s been a while since my last post, and now that I have more time I’ll try to post more often.
This room is aimed at teaching newcomers/beginners how to enumerate a target.
The first step after passive recon is active recon. Let’s do an Nmap scan of our target. What I usually do is scan the target for the usual ports first, then run a second scan, this time a full port scan.
I do this because you never know what you can come across.
Just from these scans we can already see the open ports and the programming language used by the web application.
Time to investigate the web app. Accessing the website, we notice a Login button. Clicking it, we see that we are also allowed to register an account.
I’ll use Burp to better explain how you can enumerate users.
I’ll log in with my account first. You can see the time it took to log in (bottom right corner of the Burp tab).
Let’s try now with an invalid account.
And finally let’s try with a valid account but with a wrong password.
To enumerate the users, let’s send the request to Intruder, mark only the user parameter and configure the Payloads tab. In this scope I used
As we can see, besides my username there is another valid username.
Note: Don’t go full berserk on the application (don’t use too many threads or your results are going to be messed up).
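Why the login timings differ in the first place: many login handlers only run the slow password hash when the username exists, so an unknown user gets a fast rejection and a known user with a wrong password gets a slow one. The Python below is an added example, not code from the room or the post, with a constructed user store, a leaky handler beside a hardened one, and a counter so the difference is visible without a stopwatch.

```python
import hashlib
import hmac
import os
import time

# Constructed demo user store (not accounts from the room): username -> (salt, PBKDF2 hash).
ITERATIONS = 50_000


def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash; whether or not this runs is what shows up as a timing difference."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, derive(password, salt)


USERS = {"alice": make_record("correct horse battery staple")}  # constructed sample account

# Dummy record so that an unknown username still costs exactly one hash computation.
DUMMY_SALT, DUMMY_HASH = make_record("placeholder-never-matches")

hash_calls = 0  # counts hash computations per login attempt


def counted_derive(password: str, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return derive(password, salt)


def login_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users: no hashing, so the reply comes back
    noticeably faster than for a known user with a wrong password."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return counted_derive(password, salt) == stored  # plain == is also not a constant-time compare


def login_hardened(username: str, password: str) -> bool:
    """Does the same hash work and a constant-time compare on every path,
    so the response time no longer depends on whether the username exists."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = counted_derive(password, salt)
    match = hmac.compare_digest(candidate, stored)
    return match and username in USERS


def hash_calls_for(login, username: str, password: str) -> int:
    """How many hash computations one login attempt performed (0 or 1 here)."""
    global hash_calls
    hash_calls = 0
    login(username, password)
    return hash_calls


def seconds_for(login, username: str, password: str) -> float:
    start = time.perf_counter()
    login(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        for user in ("nobody", "alice"):
            calls = hash_calls_for(fn, user, "wrong")
            ms = seconds_for(fn, user, "wrong") * 1000
            print(f"{fn.__name__:15s} {user:7s} wrong password: {calls} hash(es), {ms:.1f} ms")
```

Running it prints one line per handler and username; the leaky handler does zero hash work for "nobody" and one hash for "alice", while the hardened handler does one hash either way. The same idea (do the expensive work unconditionally and return one generic error message) is the fix you would ask the developers of such an application for.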
Time to brute-force the password now! We can download the wordlist created by the room’s creator, use combinator to generate the final wordlist and use Burp Intruder again.
Now we should look for a response with a different length.
Now we can log in. Let’s see what we find once we are logged in. By logging in we find the SSH password of the user, and now we can SSH into the box.
The user flag is in the home directory of the user.
Doing some enumeration I found out that the system is vulnerable to CVE-2019-18634. You can find the exploit on GitHub here. Download it, compile it and transfer it to the target machine.
Now, just run it and you should be root!
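The last step only works because of the sudo pwfeedback option. As an added defender’s check (not part of the original post), here is a small Python script that decides whether a host is exposed to CVE-2019-18634 from its `sudo --version` output and its sudoers text. The affected range (sudo 1.7.1 through 1.8.30, fixed in 1.8.31) and the pwfeedback condition come from the sudo advisory for that CVE; the sudoers excerpts and version strings below are constructed samples, and the function names are mine.

```python
import re

# CVE-2019-18634 affects sudo 1.7.1 through 1.8.30, and only when the pwfeedback
# option is enabled in sudoers. 1.8.31 fixed it.
FIRST_AFFECTED = (1, 7, 1)
FIXED_IN = (1, 8, 31)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p\d+)?")
# "Defaults", optionally qualified (Defaults:user, Defaults@host, Defaults>runas, Defaults!cmd),
# followed by a comma-separated option list.
DEFAULTS_RE = re.compile(r"^\s*Defaults(?:[:@>!]\S*)?\s+(.*?)\s*$")


def parse_sudo_version(text: str):
    """Pull (major, minor, patch) out of `sudo --version` output; a pNN suffix is ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(version) -> bool:
    return FIRST_AFFECTED <= tuple(version) < FIXED_IN


def pwfeedback_enabled(sudoers_text: str) -> bool:
    """Walk Defaults lines in file order; the last pwfeedback / !pwfeedback wins.
    Qualified Defaults (per user/host/command) are counted as enabling it, which is
    the conservative choice for a check. Files pulled in via #include/#includedir
    are not followed; feed their contents in as well if you use them."""
    enabled = False  # sudo's built-in default is off; some distributions ship it on
    for line in sudoers_text.splitlines():
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for opt in m.group(1).split(","):
            opt = opt.strip()
            if opt == "pwfeedback":
                enabled = True
            elif opt == "!pwfeedback":
                enabled = False
    return enabled


def is_vulnerable(version_output: str, sudoers_text: str) -> bool:
    """Both conditions must hold: an affected version and pwfeedback turned on."""
    return version_affected(parse_sudo_version(version_output)) and pwfeedback_enabled(sudoers_text)


# Constructed samples, not taken from the room's target.
SAMPLE_SUDOERS_ON = """\
# constructed /etc/sudoers excerpt
Defaults        env_reset
Defaults        mail_badpass, pwfeedback
root    ALL=(ALL:ALL) ALL
"""
SAMPLE_SUDOERS_OFF = SAMPLE_SUDOERS_ON + "Defaults        !pwfeedback\n"
OLD_SUDO = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
NEW_SUDO = "Sudo version 1.8.31\n"

if __name__ == "__main__":
    for label, ver, cfg in (("old sudo, pwfeedback on", OLD_SUDO, SAMPLE_SUDOERS_ON),
                            ("old sudo, pwfeedback off", OLD_SUDO, SAMPLE_SUDOERS_OFF),
                            ("fixed sudo, pwfeedback on", NEW_SUDO, SAMPLE_SUDOERS_ON)):
        print(f"{label:28s} vulnerable={is_vulnerable(ver, cfg)}")
```

On a real host you would pass in the output of `sudo --version` and the contents of `/etc/sudoers` (plus anything under `/etc/sudoers.d`). Either condition removes the exposure: upgrading sudo to 1.8.31 or later, or adding `Defaults !pwfeedback` to sudoers, which is the quick mitigation when a package update is not immediately available.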
Hope you enjoyed and learned something new.