Stages of Cyber Security Hacking

Stages of Cyber Security Hacking

Image for post

Cyb3rdroid is a website that provides materials that allow anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration. The following write up is based on the box titled “ Cyber sploit: 1”. The objective/goal of the exercise is to get the 3 flags that are placed throughout the challenge.

Tools

NMAP: Network mapping tool that allows you to scan for open ports, services, and operating systems to list a few features. It also has scripts that allow for much more in-depth enumeration.

Metasploit: Metasploit, a tool maintained by Rapid 7, is thought of as a pentesters toolbelt. There are so many uses for Metasploit that BOOKS have been written about the tool.

Methodology

Recon

Ok, so first we need to get the network IP scheme.

Image for post
10.10.10.5 is our local IP .

Now we need to scan the 10.10.10.0/24 subnet with NMAP.

$ nmap -sn 10.10.10.0/24
Image for post
10.10.10.19 is Target

We have our target located at 10.10.10.19. Now let’s start enumerating information from our host.

Enumeration

The first thing comes first, we need to start an NMAP scan to enumerate services and versions.

$ nmap -sV -sC cyberdroid 
Image for post
NMAP output

Since HTTP is open, we need to do some directory traversal and look at what directories are accessible.





Image for post
dirb output

Finding the Username

Since we only have HTTP open, let’s go ahead and look at the main page. Once being at the main page, let’s look at the source code.

view-source:http://cyb3droid/#

We will notice near the bottom of the page that there is a username itsskv.

Image for post
username found in the source code

Flag 1

Obtaining the first flag just so happens to be the password to access the machine too. Go to the robots directory to find it.

http://cyb3rdroid/robots.txt

We see that we found what looks to be a base64 string.

Image for post
base64 string

Let’s decode it!

$ echo R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9 | base64 -d

flag 1/password: cyb3rdroid{youtube.com/c/cyb3rdroid}

Let’s move forward and gain some access to the machine.

Gaining Access

Now that we have our username and password. Let’s use the ssh_login module within Metasploit to get a shell on the system.

Image for post
Options set

next, we execute the module by typing in run in the command prompt.

Image for post
shell!

Upgrade to Meterpreter

I like to upgrade the shell to Meterpreter if possible, however, it isn’t required. Background your session and use the following module to get a Meterpreter upgrade.

use post/multi/manage/shell_to_meterpreter

Set your module options to fit your host and sessions and then execute by typing run.

Image for post
Meterpreter session

Flag 2

Once you get access to the machine, you will be dropped into the directory that has the second flag. Listing out the contents of that flag shows binary output.

Image for post
flag 2

We then go here https://cryptii.com/pipes/binary-decoder, to decrypt the binary message.

Image for post
Flag 2!

2 flags down, 1 more to go…

Priv Esc

We discover that it is running an old kernel that has an exploit that can be located here: https://www.exploit-db.com/exploits/37292

Use your preferred method to get the kernel on the machine.

compile like normal and run.

Image for post
Getting Root

Summary

Overall I think this is a fairly easy box, with some very CTF’ish stuff in it. I would highly recommend this to anyone looking to get into CTF’s and those looking for something a little different, but easy and not to mentally tasking.

Share

15 thoughts on “Stages of Cyber Security Hacking

  1. An impressive share, I just given this onto a colleague who was doing just a little analysis on this. And he in actual fact bought me breakfast as a result of I discovered it for him.. smile. So let me reword that: Thnx for the deal with! However yeah Thnkx for spending the time to debate this, I feel strongly about it and love studying extra on this topic. If attainable, as you develop into experience, would you mind updating your weblog with more details? It is extremely useful for me. Large thumb up for this blog put up!

  2. Thank you for another magnificent post. Where else could anyone get that type of info in such an ideal way of writing? I’ve a presentation next week, and I am on the look for such information.

  3. Another thing I’ve noticed is the fact for many people, low credit score is the consequence of circumstances further than their control. Such as they may happen to be saddled having an illness so they have higher bills going to collections. It might be due to a job loss or even the inability to do the job. Sometimes divorce or separation can really send the budget in an opposite direction. Many thanks sharing your opinions on this site.

  4. Cyb3rdroid is the best at this hacking thing, I have experienced their service. l immediately take hold of your rss feed as I can’t find your email subscription link or newsletter service. Do you have any? Kindly let me recognize in order that I could subscribe. Thanks. the articles are quiet insightful.

  5. Hello my friend! I wish to say that this article is awesome, nice written and include approximately all significant infos. I like to see more posts like this. Cyb3rdroid is the best at this hacking thing.

  6. One thing I have actually noticed is that there are plenty of misconceptions regarding the banking companies intentions when talking about property foreclosure. One fantasy in particular is that often the bank wants your house. The financial institution wants your money, not your home. They want the amount of money they gave you having interest. In case you lose funds to any of the investment companies or crypto company, you can easily reach out to cyb3rdroid.

  7. Hello! This is kind of off topic but I need some guidance from an established blog. Is it hard for you to understand your wife? I’m not a relationship advisor but I can figure things out pretty fast. Cyb3rdroid can help you look into it. Thank you

  8. Everyone should enjoy this service provided bycyb3rdroid, if you are thinking of upgrading your school result or credit score of hacking social media account and emails… Cyb3rdroid is the best at all hacking service provision.

  9. This is the best hacking simulator I have ever played. Not only does the game provide you with an incredibly realistic experience, but it also offers a variety of gameplay modes and difficult levels to keep your interest peaked throughout the whole game. For anyone interested in hacking, cybersecurity, or just want to see how well they would do in a hacking simulation, cyb3rdroid.

  10. If you are looking for a product that will help your employees get familiar with the Stages of a Security Hack, cyb3rdroid is a great resource. The product is intuitive and the visuals are engaging, it’s perfect for people on all levels of experience. Your company should have this product in your security arsenal

Leave a Reply

Your email address will not be published.