Sunday 31 January 2016

Hackademic 2

Hackademic Level 2.

Methodology will be very similar with Hackademic 1 walkthrough
root@osboxes:~# nmap -sn 192.168.1.0/24
We have got following result
Nmap scan report for 192.168.1.103
Host is up (0.0011s latency).
MAC Address: 00:0C:29:74:B5:21 (VMware)
We know that our target has 192.168.1.103 IP address.

Let's enumerate services of our target
root@osboxes:~# nmap -sV 192.168.1.103

Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-31 21:34 GMT
Nmap scan report for 192.168.1.103
Host is up (0.00088s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE VERSION
80/tcp  open     http    Apache httpd 2.2.14 ((Ubuntu))
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)
We are able to browse the web application


We noticed very interesting web based form with username and password fields.
Let's examine the web form toward SQL Injection vulnerability
root@osboxes:~# sqlmap -u "http://192.168.1.103/" --forms --level 5 --risk 3
But, unfortunately both parameters are not vulnerable.
Wen we are trying guess credentials, the web application redirect us to /check.php page.
The source of check.php is also not interesting, maybe dirbuster cover something interesting.


 


















The phpmyadmin doesn't allow default credentials and I didn't perform brute-force attack.
Let's look at our nmap scanning result again...
We see that we have tcp/666 filtered. Maybe we should find some UDP ports?
 TBU