Hi Friends,
Today I am writing about Acid Server, a vulnerable machine that is available at vulnhub.com.
We can download it from https://www.vulnhub.com/entry/acid-server,125/#download
Acid Server – Target Machine (both machines should be on the same NAT network)
Kali Linux – Attacker Machine
Walkthrough:
First I started with network discovery, i.e. finding the target machine's IP address. I did this with netdiscover:
netdiscover -r 192.168.111.1/24
After netdiscover:
Target IP – 192.168.111.135
Attacker IP – 192.168.111.130
Information Gathering:
I will first see which ports are open and which services are running on the target machine:
nmap -sS -A -p- 192.168.111.135
Using nmap I found that port 33447 is open and running an Apache httpd service.
I tried to access the web page on port 33447.
I ran nikto to gather more information, but I didn't find much.
So what's next? I found the page title /Challenge, accessed it and landed on a login page.
I tried SQL injection methods to bypass the login screen, but they didn't work, so I went with the dirbuster tool on http://192.168.111.135:33447/Challenge/
I found cake.php interesting and browsed to http://192.168.111.135:33447/Challenge/cake.php
It shows the message “Long Way to go”.
But /Magic_Box looked interesting; when I tried to open it, it showed Forbidden.
I ran dirbuster once again on the http://192.168.111.135:33447/Challenge/Magic_Box/ URL and found some interesting files, like command.php.
It shows the message “Enter IP address to Ping”. I entered 127.0.0.1 and saw in the page's view-source that it pinged.
Now I tried to execute some commands to prove it was command injection.
And the result is shown in the source as
I confirmed it as command injection. There are many ways to exploit command injection, but I wanted to use the COMMIX tool, as I had never used it before.
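For the defender's side of this finding, here is an added illustration (not the machine's own command.php, whose source is not shown on this page) of the bug class behind a "ping this IP" form and the fix: validate that the input is an IP literal and pass it as a single escaped argument instead of concatenating it into a shell command line. Function names and the `ip` parameter are assumptions.

```php
<?php
// Added example: a constructed ping form handler, not the target's command.php.

// VULNERABLE: user input is spliced into a shell command string, so shell
// metacharacters in the value let the caller run arbitrary commands.
function ping_vulnerable(string $host): string
{
    $out = shell_exec('ping -c 1 ' . $host);
    return is_string($out) ? $out : '';
}

// HARDENED: accept only a syntactically valid IPv4/IPv6 address, then hand it
// to the shell as one quoted argument so it can never be parsed as shell syntax.
function ping_hardened(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;                      // anything that is not an IP literal is rejected
    }
    $cmd = 'ping -c 1 -W 2 ' . escapeshellarg($host) . ' 2>&1';
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

// Rejected values are logged: a burst of non-IP input on this endpoint is a
// useful detection signal in the web server or application logs.
function handle_request(array $get): string
{
    $host = $get['ip'] ?? '';            // assumed form field name
    $out  = ping_hardened($host);
    if ($out === null) {
        error_log('ping form: rejected non-IP input from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return 'Invalid IP address';
    }
    // Escape ping's output before echoing it into the page.
    return htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
}

echo '<pre>' . handle_request($_GET) . '</pre>';
```

Validation before escaping matters: escapeshellarg alone stops shell parsing, but the allow-list also keeps attacker-controlled strings out of ping's own option parsing.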
I captured the request using Burp Suite and saved it in a file called os.txt.
I started commix using that file as input.
I wanted to get a reverse shell using commix and followed the steps from the commix tutorials.
I started a Metasploit handler and got a Meterpreter reverse shell.
Now I accessed the shell and found a file called investigate.php; when I opened investigate.php I found a message.
So I started investigating for important files and found hint.pcapng, which I downloaded using Meterpreter.
I opened that pcapng file in Wireshark and went to the TCP stream.
Right-click on the TCP packet and click “Follow TCP Stream”; I got a message from the TCP packet.
I found this message interesting: it gave a username, saman, and I wanted to try the password “1337hax0r”.
I spawned a Python shell and tried to log in with su using the same password, and I got the message below.
Now the next thing is to find flag.txt.
🙂 i hope you like this….