V.9 (Part 7) – Token MAIL

Categories Tutorials

So far, so long. It has been a long time since I posted the last token, so now we are here again at full power 🙂

This time we are going to explain the process to get the MAIL Token.
So, lets get things started:

For this token it was a hell of a ride, starting by accessing the server via nc, and trying to “VRFY” each user, to try some dir enumeration and downloading files like .htaccess nothing was been helpful, and since there was a lot of services on this machine it was beeing hard to find a way in.

So, I steped outside of this box, and Continue reading “ V.9 (Part 7) – Token MAIL” V.9 (Part 6) – Token NAS

Categories Tutorials

Before the day drops to an end… let’s share another Token Tutorial. 😀
This time will be our NAS server. I must say that this one was really fun, since we learned a lot and had the possibility to learn and explore at least two new tools. So, let’s get things started…
Once again, the first thing we did was to enumerate the target:

$nmap -sV

21/tcp   open  ftp     vsftpd 3.0.2
22/tcp   open  ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
3260/tcp open  iscsi?
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Continue reading “ V.9 (Part 6) – Token NAS” V.9 (Part 5) – Token FTP

Categories Tutorials

Another day another tutorial Token 😀
This time our focus will be on the ftp server –
As always we start with a nmap scan from our SSH server to the FTP server:

$nmap -sV

21/tcp open  ftp     ProFTPD 1.3.5
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

With this information, we checked exploit-db and found a vulnerability that we might be able to use:

We tried to explore it: Continue reading “ V.9 (Part 5) – Token FTP” V.9 (Part 4) – Token Cisco

Categories Tutorials

So, we already got our first 3 tokens, and I have to say you… this one will be the 4th one, and also the simplest one 😀
When we got access to the ssh machine, the 1st step was to do some machine enumeration:

d.nash@tl9-ssh:~/.ssh$ cat /etc/network/interfaces | grep address

To do one exhaustive enumeration we used a great Linux Enumeration Script created by user rebootuser. The script can be found here:

Continue reading “ V.9 (Part 4) – Token Cisco” V.9 (Part 3 – 2/2) – Token Mainsite

Categories Tutorials

So this is the 2nd part of this tutorial where we are going to show the way we got the Mainsite token.
After discovery a plugin vulnerability and identifying where it’s the vulnerability and how can it be explored we start using sqlmap:

$sudo sqlmap -u "http://cybear32c.lab/wp-content/plugins/wp-symposium/get_album_item.php?size=1" --proxy="" --proxy-cred="b.muncy:r****t" --level 5 --random-agent

Continue reading “ V.9 (Part 3 – 2/2) – Token Mainsite” V.9 (Part 2) – Token SSH

Categories Tutorials

On our previous tutorial we managed to get out some users and their hashes, so now we should look into crack them, or maybe use some PTH (pass-the-hash) function.

I decided to give a try to john the ripper and try crack the passwords and it turns out it was pretty easy:

$sudo john hashes.txt --show

4 password hashes cracked, 0 left

Continue reading “ V.9 (Part 2) – Token SSH” V.9 (Part 1) – Token GW

Categories Tutorials

This is the first part of a series of tutorials about the V.9 free lab.
This is the start of our path to gather GW token, we begin by enumerating services and versions.

$sudo nmap -sV 

Starting Nmap 7.12 ( ) at 2016-07-28 09:30 WAT
Nmap scan report for cybear32c.lab (
Host is up (0.22s latency).
Not shown: 994 filtered ports
22/tcp   open  ssh        OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
25/tcp   open  smtp       Postfix smtpd
80/tcp   open  http       nginx 1.10.0
443/tcp  open  ssl/http   nginx 1.8.1
3128/tcp open  http-proxy Squid http proxy 3.4.8
8100/tcp open  http       nginx
Service Info: Host: -mail.cybear32c.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .

Nmap done: 1 IP address (1 host up) scanned in 37.95 seconds

Continue reading “ V.9 (Part 1) – Token GW”

Download Script –

Categories Scripts

This week someone shared a really interesting e-books library, that it turns out that it have a security section with a lot of e-books. When I saw it, I commented that would be great to have a way to download all the e-books of that section without all the trouble to go one by one. That sentence created a challenge to a irc user aka n1k0n who saw this opportunity to test his skills and improve his knowledge.
Continue reading “Download Script –” – What is it?

Categories Tutorials

On my previous week, I got to know a penetration testing lab environment called pentestit, currently on the version 9 of the free laboratory. works to provide its users with “Test Labs” to emulate real companies IT infrastructure, providing diferent types of labs, free ones and paid ones. More information about the labs can be found here.

“Test lab v.9”

CyBear 32C* – professional software development company

The new lab is a professional software development company, engaged in the development of various information security systems and applications, so CyBear 32C* is well protected against hacker attacks. To compromise CyBear 32C*’s corporate network attackers needs a good penetration testing skills. Good luck!

Continue reading “ – What is it?”