Acid-Server Walkthrough

Hi Friends,

Today I am writing about Acid Server a vulnerable machine that is available at vulnhub.com.

We can download it from https://www.vulnhub.com/entry/acid-server,125/#download

Acid Server – Target Machine ( Both machines should be in NAT)

Kali Linux – Attacker Machine

Walkthrough:

First I started with Network discovery or discovery of target machine IP address, I done with netdiscover

Netdiscover -r 192.168.111.1/24

After netdiscover

Target IP – 192.168.111.135

Attacker IP – 192.168.111.130

Information Gathering:

I will first see what are the open ports and what services are running on the target machine

Namp -sS -A -p- 192.168.111.135

By using nmap found that port 33447 is open and running Apache httpd service

I tried to access the web page on port 33447

I run nikto for gathering more information but I didn’t find much

So whats next, I found page title as /Challenge and accessed that one and landed on login page.

I tried using sql injection methods to bypass login screen it won’t worked, gone with dirbuster tool on http://192.168.111.135:33447/Challenge/

I found cake.php as interesting and browsed the http://192.168.111.135:33447/Challenge/cake.php

It is showing message as “Long Way to go”

But /Magic_Box found intresting and tried to open it shown as Forbidden

I once again run dirbuster on http://192.168.111.135:33447/Challenge/Magic_Box/ URL and found some interesting files like command.php

It is showing message as “Enter IP address to Ping” I entered as 127.0.0.1 and seen in view source of web page it pinged.

Now I tried to execute some commands to prove it as command injection

And result is shown in source as

I confirmed it as an command injection and we are having many ways to exploit command injection but want to use COMMIX tool, as i never used it before

i captured request using burpsuite and save in a file called os.txt

started commix using file as input

i want to take reverse shell by using commix and followed steps according to commix tutorials

started metasploit handler and got meterpreter reverse shell

Now accessed shell and found file called investigate.php, when i opened investigate.php found an message

So i started investigating any important files and found hint.pcapng file, downloaded using meterpreter

I opened that pcapng file in wireshark and gone to TCP stream

Right click on TCP and click on “Follow TCP Stream” and i got an message from TCP packet

I found this message interesting and found an username as saman and want to try password as “1337hax0r”

import python shell and tried to login as su with same password and i got below message

Now next thing is to find flag.txt

🙂 i hope you like this….