This guide is meant to be used as a supplement for learning. Please tackle this on your own before reading it!
- What is the name of the large cartoon avatar holding a sniper on the forum?
- When you’ve logged in, what page do you get redirected to?
- In the users table, what is the hashed password?
- What was the username associated with the hashed password?
- What was the other table name?
- What is the de-hashed password?
- What is the user flag?
- How many TCP sockets are running?
- What is the name of the exposed CMS?
- What is the CMS version?
- What is the root flag?
1) What is the name of the large cartoon avatar holding a sniper on the forum?
Using reverse image search:
2) When you’ve logged in, what page do you get redirected to?
3) In the users table, what is the hashed password?
First we intercept the request with Burp Suite and save it, then use SQLmap to dump the database.

```
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
```
4) What was the username associated with the hashed password?
5) What was the other table name?
6) What is the de-hashed password?
Using Hash-Identifier, we can see that it is SHA-256 or HAVAL-256.
Then, using John to crack the password:
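The hash dumped above is a bare 256-bit digest with no salt, which is why a wordlist run recovers it; the application-side fix is a salted, iterated password hash. The following is an added example, not part of the original walkthrough: the function names, the record format and the 600,000-iteration PBKDF2-HMAC-SHA256 work factor are assumptions, and the password in the test is constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def legacy_sha256(password):
    """Bare, unsalted SHA-256 hex digest: the weak storage format being replaced."""
    return hashlib.sha256(password.encode()).hexdigest()


def _pbkdf2(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations).hex()


def hash_password(password, salt=None):
    """Record for new or re-entered passwords: scheme$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = _pbkdf2(password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest}"


def wrap_legacy(legacy_hex, salt=None):
    """Upgrade an existing SHA-256 row in place, without knowing the password."""
    salt = salt or os.urandom(16)
    digest = _pbkdf2(legacy_hex.encode(), salt, ITERATIONS)
    return f"pbkdf2-wrapped${ITERATIONS}${salt.hex()}${digest}"


def verify(password, record):
    """Check a login attempt against either record scheme, comparing in constant time."""
    try:
        scheme, iterations, salt_hex, digest = record.split("$")
        if scheme == "pbkdf2":
            secret = password.encode()
        elif scheme == "pbkdf2-wrapped":
            # Wrapped rows were derived from the old hex digest, so rebuild it first.
            secret = legacy_sha256(password).encode()
        else:
            return False
        candidate = _pbkdf2(secret, bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record, including a bare legacy digest
    return hmac.compare_digest(candidate.encode(), digest.encode())
```

`wrap_legacy` lets every existing row be protected immediately; a row can be replaced with a plain `hash_password` record the next time that user logs in successfully.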
7) What is the user flag?
SSH into the machine using found credentials:
```
login: agent47
password: videogamer124
```

```
649ac17b1480ac13ef1e4fa579dac95c
```
8) How many TCP sockets are running?
ANSWER:
9) What is the name of the exposed CMS?
10) What is the CMS version?
Logging in using the previous credentials, we can see the answer is:
11) What is the root flag?
```
searchsploit webmin 1.580 -w
```
Corresponding: CVE-2012-2982
Set RHOSTS, USERNAME and PASSWORD as needed, and set SSL to false.
Set the payload to cmd/unix/reverse, then set LHOST.

```
a4b945830144bdd71908d12d902adeee
```