Sunday, 31 January 2016

Hackademic 2

Hackademic Level 2.

The methodology will be very similar to the Hackademic 1 walkthrough.
root@osboxes:~# nmap -sn
We got the following result:
Nmap scan report for
Host is up (0.0011s latency).
MAC Address: 00:0C:29:74:B5:21 (VMware)
We know that our target has IP address.

Let's enumerate the services on our target:
root@osboxes:~# nmap -sV

Starting Nmap 6.47 ( ) at 2016-01-31 21:34 GMT
Nmap scan report for
Host is up (0.00088s latency).
Not shown: 998 closed ports
80/tcp  open     http    Apache httpd 2.2.14 ((Ubuntu))
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)
We are able to browse the web application.

We noticed a very interesting web-based form with username and password fields.
Let's test the web form for SQL injection vulnerabilities:
root@osboxes:~# sqlmap -u "" --forms --level 5 --risk 3
Unfortunately, neither parameter is vulnerable.
When we try to guess credentials, the web application redirects us to the /check.php page.
The source of check.php is not interesting either; maybe dirbuster will uncover something interesting.


The phpMyAdmin doesn't allow default credentials, and I didn't perform a brute-force attack.
Let's look at our nmap scan results again...
We see that tcp/666 is filtered. Maybe we should look for some UDP ports?
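
Added example, not part of the original walkthrough: a small parser for the port table in the nmap -sV output above, which separates the open port from the filtered one that the post comes back to. The function names are hypothetical, and the sample lines are copied from the scan output shown earlier.

```python
import re

# One row of the port table in nmap's normal output:
#   PORT/PROTO  STATE  SERVICE  [VERSION]
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
# Entries on the "Not shown:" line; newer nmap adds the protocol ("closed tcp ports").
HIDDEN = re.compile(r"(\d+) (\S+) (?:(?:tcp|udp) )?ports?")

# Port-table lines copied from the scan output in the walkthrough.
SAMPLE = """\
Not shown: 998 closed ports
80/tcp  open     http    Apache httpd 2.2.14 ((Ubuntu))
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)
"""


def parse_ports(text):
    """Return (rows, hidden): one dict per listed port, plus counts of unlisted ports by state."""
    rows, hidden = [], {}
    for line in text.splitlines():
        if line.startswith("Not shown:"):
            for count, state in HIDDEN.findall(line):
                hidden[state] = hidden.get(state, 0) + int(count)
            continue
        m = ROW.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            # A row without a version string carries a service name taken from
            # nmap's port-number table, not from anything the host answered with.
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version or ""})
    return rows, hidden


def by_state(rows):
    """Group (port, proto) pairs by reported state, e.g. open / filtered / open|filtered."""
    groups = {}
    for r in rows:
        groups.setdefault(r["state"], []).append((r["port"], r["proto"]))
    return groups


if __name__ == "__main__":
    rows, hidden = parse_ports(SAMPLE)
    print("not shown:", hidden)
    for state, ports in by_state(rows).items():
        print(state, ports)
```
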