Posts

Showing posts from February, 2025

HTB: Crocodile Walkthrough

Writeup — Crocodile By Araiz Naqvi Prepared By Araiz Naqvi . Overview - Difficulty : Easy - Operating System: Linux - Objective : Find a way to break in. - Tools Used : nmap , FTP , curl , gobuster I tend to start by enumerating as much basic information as I need before delving deeper. Performing Nmap Scans As usual, the very first step is to figure out what ports, and hence what services, are actually open. This will set the stage for how we will try to break in. Let’s start with a stealth scan with ARP pings disabled to figure out what ports are open: It is clear that the following ports are open: - 21 ~ FTP - 80 ~ HTTP Now, let’s move further and scan for service versions and run the default scripts on these three ports: From this I interpreted the following information: - FTP runs on 21, exposing a ProFTPD server which allows anonymous login - This FTP server is also giving unrestricted access to two files that seem to be important and to hold credentials. - HTTP runs o...

HTB: Preignition Walkthrough

Writeup — PreIgnition By Araiz Naqvi Prepared By Araiz Naqvi . Overview - Difficulty: Easy - Operating System: Linux - Objective: Capture flag via Bruteforcing - Tools Used: nmap , gobuster , openvpn Nmap Scans Let’s start with stealth scanning default ports using the -sS flag: Out of curiosity, I also want to know what servers are set up, since that might come of use later. So, I use the service scan with some default script scans: From this I get the idea that nginx 1.14.2 is in use. Browsing Webpage Since port 80 is open, a webpage might be available to view. Upon browsing: I next check the source code, which has nothing at all that looks interesting: Bruteforcing Directories The next option I usually think of with respect to open HTTP pages is bruteforcing directories. So, I use gobuster with the SecLists common.txt word list: Browsing admin.php Upon browsing there’s a login page. Not even making this up, the first thing any hacker might think of is admin:admin , and quite precisely ...

HTB: Mongod Walkthrough

Writeup — Mongod By Araiz Naqvi Prepared By Araiz Naqvi . Overview - Difficulty: Easy - Operating System: Linux - Objective: Capture flag via Mongodb - Tools Used: nmap , mongosh , openvpn Nmap Scans Let’s, as usual, start with an nmap stealth scan to determine the open ports: There usually isn’t only SSH; there has to be something else from where we can get the usernames and passwords. So, let’s run an all-port stealth scan: As can be seen, there’s another port, 27017, which is usually used by mongodb . I now want to service scan it and see what deeper information I can get: Ahaa! It does look like mongoDB. Entering into MongoDB Let’s start by checking whether we’re able to log in to the mongosh server itself: And, we’re in! I need to look into what databases are open: To me sensitive_information and users look very hot! So, that’s where we’re headed: Let’s look at what it contains: This right here is absolute gold! In fact better than gold! Let’s check out sensitive_in...

HTB: Explosion Walkthrough

Writeup — Explosion By Araiz Naqvi Prepared By Araiz Naqvi . Overview - Difficulty: Easy - Operating System: Linux - Objective: Capture flag via RDP - Tools Used: nmap , xfreerdp , openvpn Nmap Scans Let’s start with stealth scanning default ports using the -sS flag: Clearly, ports 135 , 139 , 445 and 3389 are open and resemble SMB and RDP. But since RDP is open, we might just be able to directly access the remote machine locally. Let’s run a service and default script scan on these ports: As can be seen very clearly, port 3389 is responding with an active RDP, and we also get to see that the remote machine is running Windows . Using xfreerdp Let’s use xfreerdp with the IP assigned: As seen from here, two things come up: there’s some certificate-related issue, and it requires login creds. Let’s fix the first by using /cert-ignore : Problem 1 solved. Now, after trying usernames like root , Root , Admin , admin I tried using Administrator wh...

HTB: Redeemer Walkthrough

Writeup — Redeemer By Araiz Naqvi Prepared By Araiz Naqvi . Overview - Difficulty: Easy - Operating System : Linux - Objective: Capture flag via Redis - Tools Used: nmap , redis , openvpn Nmap Scans Let’s start with stealth scanning default ports using the -sS flag: Strange, nothing comes back. Let’s run an all-port stealth scan: As can be seen, port 6379 is open. Seems like it is redis , so it looks like we’re about to use redis-cli . Let’s first quickly run a service and script scan: I also run a UDP scan just for the sake of it: Using redis-cli Let’s use redis-cli to log on to host 10.129.229.238 : I next need to get more information using the INFO command: At the end here: This shows that there is only one db, since its value is 0, and there are 4 keys. Let’s start by selecting this database using SELECT : Let’s see what keys are available: Now, let’s get these variables and get all values: There’s our flag!