Hello everyone, in this blog I am going to post a walkthrough of Lord Of The Root 1.0.1.
This machine is for beginners.
Target IP- 192.168.43.159
Attacker IP- 192.168.43.139
Let's scan the target IP:
nmap -sC -sV -p- -Pn 192.168.43.159
There is only one port open, and it is SSH.
I tried connecting to SSH.
I tried a few default passwords, but they didn't work.
When you look at it carefully, the banner says "Knock Friend To Enter" and under that it says "Easy as 1,2,3".
Later, I got to know that there is something called "Port Knocking": a service stays closed until a client connects to a specific sequence of ports in order.
So, let's knock on ports 1, 2 and 3 in that order:
nmap -sT -r -p 1,2,3 192.168.43.159
-sT : Connect scan (a full TCP connection to each port)
-r : Scan ports consecutively - don't randomize (the knock only works if the ports are hit in order)
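The server side of port knocking is just a per-source state machine, and modelling it makes clear why the -r flag matters. The following is an added example and not code from this walkthrough or from any knock daemon; its log line format and timeout are constructed assumptions.

```python
# Added example, not from the original walkthrough: a model of the server side
# of port knocking, i.e. the per-source state machine a knock daemon keeps.
# Log format "<timestamp> <src_ip> <dst_port>" and the timeout are constructed.
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1, 2, 3)   # the sequence hinted at by "Easy as 1,2,3"
KNOCK_TIMEOUT = 10.0         # seconds allowed between two consecutive knocks

@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = KNOCK_TIMEOUT
    progress: dict = field(default_factory=dict)   # src -> (next index, last ts)
    opened_for: set = field(default_factory=set)   # sources that completed it

    def observe(self, src_ip, dst_port, ts):
        """Feed one inbound connection attempt; True when src_ip completes the sequence."""
        idx, last = self.progress.get(src_ip, (0, ts))
        if ts - last > self.timeout:
            idx = 0                  # too slow: the partial sequence is discarded
        if dst_port == self.sequence[idx]:
            idx += 1
        else:
            # a wrong port resets the sequence; this is why nmap needs -r here,
            # since a randomised port order almost never completes the knock
            idx = 1 if dst_port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened_for.add(src_ip)
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, ts)
        return False

def replay(lines):
    """Replay constructed log lines; return the set of sources that knocked correctly."""
    tracker = KnockTracker()
    for line in lines:
        ts, src, port = line.split()
        tracker.observe(src, int(port), float(ts))
    return tracker.opened_for

# Constructed sample: one host knocks 1,2,3 in order, another hits them out of order.
SAMPLE_LOG = [
    "100.0 192.168.43.139 1",
    "100.1 192.168.43.139 2",
    "100.2 192.168.43.139 3",
    "200.0 10.0.0.5 2",
    "200.1 10.0.0.5 1",
    "200.2 10.0.0.5 3",
]
```

Replaying the sample opens the service only for the host that knocked in order; the second host, which hit the same three ports as 2, 1, 3, never gets through.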
Let's scan the target again:
nmap -sS -A -p- 192.168.43.159
OK, now we can see that one more port has opened and a website is running on it.
It's an image. I checked the page source but didn't find anything.
So, I ran Nikto:
nikto -h http://192.168.43.159:1337
I found a directory, /images/.
So, we got image files.
I checked every file but didn't get anything.
I thought of checking /robots.txt.
It has an image.
I checked the page source and found a Base64-encoded string.
I decoded it twice.
So, we got a directory, /978345210/index.php.
We got a login page. I tried a few usernames and passwords but couldn't log in.
I used sqlmap against the login form:
sqlmap -u http://192.168.43.159:1337/978345210/index.php --forms --dbs --risk=3 --level=5 --threads=4 --batch
So, there are 4 databases available.
Next, I checked the tables in the Webapp database:
sqlmap -u http://192.168.43.159:1337/978345210/index.php --forms -D Webapp --tables
We got the table Users.
Let's check for columns:
sqlmap -u http://192.168.43.159:1337/978345210/index.php --forms -D Webapp -T Users --columns
We got id, password and username.
Let's dump them:
sqlmap -u http://192.168.43.159:1337/978345210/index.php --forms -D Webapp -T Users -C id,password,username --dump
OK, we got some usernames and passwords.
I tried to log in on the web page, but failed.
As SSH is running, I tried to log in there.
Only one username and password pair worked, i.e.
I got the shell.
Now, I checked the Linux version.
I checked if any exploit is available for that version, and found one.
I downloaded the exploit on my Kali box and started an HTTP server:
python -m SimpleHTTPServer 8080
After this, I moved into the tmp folder in the shell and downloaded the exploit using wget.
Then I compiled and executed it:
gcc 39166.c -o exploit
Here, I got ROOT!!!