hackNos ReconForce walkthrough vulnhub CTF

hackNos Reconforce Walkthrough Vulhub CTF Machine is create by Rahul Gehlaut

Download hackNos: ReconForce VM here

Today we are solving hackNos ReconForce is Created by Rahul Gehlaut

Walkthrough

Our First Step is a network Scanning Finding our target IP address Today I use netdiscover for All network scanning

hackNos ReconForce walkthrough

After finding our target IP address Our next step is to scan our target with Nmap.

hackNos ReconForce walkthrough

Enumeration

we see the Nmap scan target machine three-port are open 21/ftp, 22/ssh, and 80/http service and the target is allowed, anonymous user login

FTP login

I go to ftp login and connecting with ftp username and ftp password and ls command to see target directory and the target directory is empty and we see the target ftp banner Security@hackNos

  • username: ftp
  • password; ftp

I try the banner for Troubleshoot login page password field and try command username admin and us successful login with 5ecure page.

hackNos ReconForce walkthrough
  • web username: admin
  • web pass: Security@hackNos
hackNos ReconForce walkthrough

After trying many attempts our target is vulnerable command injection I run the ID command and before our command using ( | pipe ) and hit enter.

hackNos ReconForce walkthrough

our browser is show response next page and we see the target uid and guid.

hackNos ReconForce walkthrough
Msfvenom

Without wasting our time I go to create a php reverse shell with msfvenom raw formate and copy a shellcode and paste shell.php file.

hackNos ReconForce walkthrough

Now downloading our shell payload target machine I start our python local server port 99 downloads the payload wget command

hackNos ReconForce walkthrough

before executing our payload I start our msfconsole multi handler payload listener specified lport and lhost

hackNos ReconForce walkthrough

Executing our payload with using pip and type php our shell name

hackNos ReconForce walkthrough

we see the msfconsole window we got a reverse connection target machine now I run the shell command and we see the blank shell now import python3 for proper shell

hackNos ReconForce walkthrough

After enumeration target directory I go to target home directory and see a user recon I am trying to changing our current user shell with su switch user command and try the password 5ecure login page

After loning with recon user I run the ID command and see the user group name we see the user recon with docker group.

hackNos ReconForce walkthrough

Privilege Escalation

I install virtual image ubuntu with docker

After installing our ubuntu image I run the command docker run ( -it interactive mode ) and -v ( verbose ) and our mounting point or our image file name

hackNos ReconForce walkthrough

we see the root shell docker virtual image ubuntu and I changing our directory mounting point /mnt and type ls command to see all file /mnt directory we see the target root directory and our last root flag cat command to open the file

hackNos ReconForce walkthrough
Five86-1 Walkthrough Vulnhub CTF read here