In this article, we will attempt to complete another Capture the Flag (CTF) challenge, posted on the VulnHub website by “CanYouPwn.Me.” VulnHub.com is a platform that provides vulnerable applications and machines for gaining practical, hands-on experience in information security. You can review my previous articles for more CTF challenges.
The link to download the VM and run it in VirtualBox is as follows:
A torrent download URL is also available for this VM; you can find it in the reference section of this article. For those not familiar with the site, VulnHub.com is a well-known resource where security researchers can learn and practice their hacking skills: you download the vulnerable machines from the site and try to exploit them.
In this article we will be exploiting the following web application vulnerabilities:
- Path Traversal Vulnerability;
- SQL Injection Vulnerability;
- Server-Side Request Forgery (SSRF) Vulnerability.
Note: As this is a CTF walkthrough, I will not be covering the basics of the above vulnerabilities.
After downloading the VM and running it in VirtualBox, I started by running netdiscover to obtain the IP address of the target machine. The command output can be seen in the screenshot below:
Command Used: netdiscover
As shown in the above screenshot, we have obtained the Virtual Machine IP address, i.e., 192.168.11.20 (the Target Machine IP Address).
We will now be using 192.168.11.16 as the attacker IP address.
Please note: the target and attacker machine IP addresses may differ depending on your network configuration.
The first step is always to find out which ports and services are available on the target machine.
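The discovery step above (locate the VM on the local network, then hand its address to a port and service scan) is easy to script so it can be repeated on a fresh network. The following is an added example written for this walkthrough, not code from the original post; it parses a constructed sample of netdiscover's parsable (`-P`) output, picks the VirtualBox guest by its 08:00:27 OUI while skipping the attacker's own address, and prints the nmap command that the next step of the walkthrough needs. The sample output, the attacker IP 192.168.11.16, the target IP 192.168.11.20 and the `nmap/` output directory are assumptions made here.

```shell
#!/bin/sh
# Added example: automate "find the target, then scan it" for a VulnHub VM.
# Constructed sample of `netdiscover -P -r 192.168.11.0/24` output (not a real capture).
SAMPLE_SCAN=' _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.11.1    52:54:00:12:34:56      1      60  Unknown vendor
 192.168.11.16   08:00:27:3d:4e:5f      1      60  PCS Systemtechnik GmbH
 192.168.11.20   08:00:27:a1:b2:c3      1      60  PCS Systemtechnik GmbH'

ATTACKER_IP=192.168.11.16   # assumed attacker address, as in the walkthrough

# list_hosts: read netdiscover-style output on stdin and print every IPv4
# address found in the first column, one per line (header/separator lines drop out).
list_hosts() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# pick_target: read netdiscover-style output on stdin and print the first host
# whose MAC starts with 08:00:27 (Oracle VirtualBox OUI), excluding the address
# given as $1 (our own machine, in case the tool lists it). Prints nothing if no
# VirtualBox guest is present, so the caller can detect that case.
pick_target() {
  awk -v me="$1" '
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 != me && tolower($2) ~ /^08:00:27:/ {
      print $1; exit
    }'
}

# nmap_cmd: build the full-range TCP scan with version detection and default
# scripts for target $1, saving all output formats under nmap/<ip> for later steps.
nmap_cmd() {
  printf 'nmap -sV -sC -p- -oA nmap/%s %s\n' "$1" "$1"
}

# Driver: use live netdiscover output when the tool is installed (requires root),
# otherwise fall back to the constructed sample so the script still runs offline.
main() {
  if command -v netdiscover >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    scan=$(netdiscover -P -r 192.168.11.0/24)
  else
    scan=$SAMPLE_SCAN
  fi
  target=$(printf '%s\n' "$scan" | pick_target "$ATTACKER_IP")
  if [ -z "$target" ]; then
    echo "no VirtualBox guest found; hosts seen:" >&2
    printf '%s\n' "$scan" | list_hosts >&2
    return 1
  fi
  echo "target: $target"
  echo "next step: $(nmap_cmd "$target")"
}

# Only run the driver when executed directly, not when sourced into another script.
case "$0" in
  */sh|sh|*/bash|bash|*/dash|dash) ;;
  *) main ;;
esac
```

The OUI filter is the part worth keeping: on a lab network with several guests, matching on the vendor prefix is more reliable than "the address that is not mine", and the empty-result branch makes it obvious when the VM simply has not come up yet.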
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Nikhil Kumar. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/2tZdxAApg1Q/