Commit 9b7caaa7 authored by Wesley Agena

metasploitable ubuntu second drafts

parent 3ab3eed1
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -2,152 +2,152 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://my-jigsaw-docs.com/contribute</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/docs/algolia-docsearch</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/docs/custom-404-page</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/docs/customizing-your-site</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/docs/faq</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/docs/navigation</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/docs/pricing</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/essentials/browser-developer-tools</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/essentials/scp</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/essentials/ssh-keygen</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/essentials/ssh</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/getting-started</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/damn-vulnerable-web-app/brute-force</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/damn-vulnerable-web-app/command-injection</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/damn-vulnerable-web-app/cross-site-request-forgery</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/damn-vulnerable-web-app/quickstart</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.comwalkthroughs</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/metasploitable-3-ubuntu/5-of-hearts</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/metasploitable-3-ubuntu/8-of-clubs</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/metasploitable-3-ubuntu/quickstart</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/metasploitable-3-windows/ace-of-hearts</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/metasploitable-3-windows/jack-of-hearts</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/metasploitable-3-windows/king-of-diamonds</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/metasploitable-3-windows/quickstart</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/webgoat-8/general</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/webgoat-8/injection-flaws-sql-injection-advanced</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/webgoat-8/injection-flaws-sql-injection-introduction</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://my-jigsaw-docs.com/walkthroughs/webgoat-8/quickstart</loc>
<lastmod>2019-07-31T05:17:24+00:00</lastmod>
<lastmod>2019-08-01T02:27:20+00:00</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>
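Review bot: the walkthroughs index entry in this sitemap has a malformed `<loc>`: `https://my-jigsaw-docs.comwalkthroughs` is missing the `/` between host and path, so it names a different host. Every entry also uses the host `my-jigsaw-docs.com`, while the quickstart page in this same commit links to `learn.thehackerlab.co`. If that host is a leftover default, set the real base URL and regenerate. The only change in this hunk is the `<lastmod>` timestamp on every entry, so consider whether this file needs to be tracked at all.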
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 active font-semibold text-blue nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......@@ -311,63 +311,30 @@
<div class="w-full lg:w-3/5 break-words pb-16 lg:pl-4" v-pre>
<h1>5 of Hearts</h1>
<p>1. SSH into your kali instance, reference the <a href="/walkthroughs/metasploitable-3-ubuntu/quickstart">quickstart guide</a> if you need a refresher on how to do this.
Once logged into you Kali instance, let's run an <strong>nmap</strong> scan.
Replace <code>165.227.59.82</code> with the IP address of your metasploitable 3 instance.</p>
<ul>
<li>-sV (Version detection) .</li>
<li>-p port ranges (Only scan specified ports) . -p- to scan ports from 1 through 65535.</li>
<li>--version-all: Try every single probe (intensity 9)</li>
<li>--open: Only show open (or possibly open) ports</li>
</ul>
<pre><code class="language-bash">nmap -sV -p- --version-all --open 165.227.59.82
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-01 20:47 UTC
Nmap scan report for 134.209.62.17
Host is up (0.00050s latency).
Not shown: 65514 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn?
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
1617/tcp open nimrod-agent?
3000/tcp open tcpwrapped
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ms-wbt-server?
3500/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.7 (2018-03-28))
4848/tcp open appserv-http?
5985/tcp open wsman?
6697/tcp open irc UnrealIRCd
8020/tcp open intu-ec-svcdisc?
8080/tcp open http-proxy?
8181/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.7 (2018-03-28))
8282/tcp open libelle?
8383/tcp open m2mservices?
8484/tcp open unknown
8585/tcp open unknown
9200/tcp open wap-wsp?
Service Info: Hosts: UBUNTU, irc.TestIRC.net; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 523.79 seconds</code></pre>
<p>1. First, get logged into your Kali Linux instance. Checkout the <a href="/walkthroughs/metasploitable-3-ubuntu/quickstart/">Quickstart Guide</a> if you're not sure how to do this. </p>
<p>Next, let's start off by running the same <code>nmap</code> scan we ran in the first step of the <a href="/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs">Ace of Clubs</a> walkthrough guide.</p>
<pre><code class="language-bash"># replace 165.22.171.133 with the IP of your target machine
$ nmap -p 1-65535 165.22.171.133</code></pre>
<blockquote>
<p>Hint: Refer to the <a href="/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs">Ace of Clubs</a> walkthrough guide if you need a refresher on what we're doing with this <code>nmap</code> command.</p>
</blockquote>
<p>2. Navigate to port 80 in your browser to see an open directory</p>
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/5-of-hearts/1-port-80.PNG">
<p>3. Explore the links until you a drupal instance.</p>
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/5-of-hearts/2-drupal.PNG">
<p>4. Nne of the tabs has an image of a heart.</p>
<p>4. One of the tabs has an image of a heart.</p>
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/5-of-hearts/3-high-fives.PNG">
<p>5. this isn't the flag, but if you right click the image and show the EXIF data, you'll see the exif data contains a string starting with <code>data:image/png;base64,iVBORw0K...</code>
If you've done web development you may recognize <code>iVBORw0K</code> as an image that is base64 encoded. Usually used to embed an image straight into html.</p>
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/5-of-hearts/4-view-image-info.PNG">
<p>6. This means there is an image embedded within the original image's EXIF data. Let's download the original image and inspect the hidden image.</p>
<pre><code class="language-bash"># download image using curl
root@baad1df49737:~# curl http://165.227.59.82/drupal/sites/default/files/styles/large/public/field/image/5_of_hearts.png &gt; image.png
# replace 165.227.59.82 with IP of your target machine
$ curl http://165.227.59.82/drupal/sites/default/files/styles/large/public/field/image/5_of_hearts.png &gt; image.png
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 496k 100 496k 0 0 3356k 0 --:--:-- --:--:-- --:--:-- 3356k</code></pre>
<p>7. Decode the encoded image</p>
<p>7. In order to decode the exif, we're going to pipe together the output of several command line tools:</p>
<ul>
<li><code>exiftool image.png</code> - prints a table of exif data for the original image</li>
<li><code>grep hearts</code> - filter results to the line that contains the string &quot;hearts&quot;</li>
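Review bot: step 3 still reads "Explore the links until you a drupal instance." and is missing its verb (presumably "find"), even though this draft fixes the neighbouring "Nne" typo in step 4. Step 5 also starts in lower case ("this isn't the flag") and mixes "EXIF" and "exif" in one sentence. Please make these fixes in the markdown source so the rendered page picks them up.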
......@@ -375,10 +342,15 @@ root@baad1df49737:~# curl http://165.227.59.82/drupal/sites/default/files/styles
<li><code>base64 -d &gt; five_of_hearts.png</code> - decode the string into five_of_hearts.png</li>
</ul>
<pre><code class="language-bash"># pipe the output of each command as the input into the next
root@baad1df49737:~# exiftool image.png | grep hearts | awk '{print $6}' | base64 -d &gt; five_of_hearts.png</code></pre>
$ exiftool image.png | grep hearts | awk '{print $6}' | base64 -d &gt; five_of_hearts.png</code></pre>
<blockquote>
<p>Hint: linux pipes allow you to send the output of one command to the input of the next command using the <code>|</code> operator.
Checkout the <a href="https://ryanstutorials.net/linuxtutorial/piping.php">tutorial</a> to learn more.</p>
</blockquote>
<p>8. Download the new image to your local computer if you're running kali from a vps</p>
<pre><code class="language-bash"># run on your local computer
$ scp -i ../hacker-lab hacker-lab@167.99.160.109:/home/hacker-lab/five_of_hearts.png ./
<pre><code class="language-bash"># run this from your local computer
# replace 167.99.160.109 with the IP of your Kali Linux instance
$ scp -P 2222 hacker-lab@167.99.160.109:/home/hacker-lab/five_of_hearts.png ./
The authenticity of host '167.99.160.109 (167.99.160.109)' can't be established.
ECDSA key fingerprint is SHA256:sGnIbDcLbUCdWnjvkbKs+SbADQhCiOM8BVU3g4jDZig.
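Review bot: the new scp line adds `-P 2222` but drops `-i ../hacker-lab` without saying how the key is now supplied. A reader whose lab key is not a default identity or loaded in an agent will fail authentication at this step. Either keep an `-i` option with a "replace with the path to your key" comment, or add a line to the comment block stating that the key must already be available to ssh.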
......@@ -386,6 +358,10 @@ Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/wagena/.ssh/known_hosts).
Enter passphrase for key '../hacker-lab':
five_of_hearts.png 100% 456KB 330.8KB/s 00:01</code></pre>
<blockquote>
<p>Hint: <code>scp</code> is a command line tool that allows you to securely copy files between local and remote hosts.
Checkout our <a href="/essentials/scp">essentials documentation</a> to learn more.</p>
</blockquote>
<p>9. And you've got another flag!</p>
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/5-of-hearts/five_of_hearts.png"> </div>
</div>
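Review bot: the sample output kept under the scp command no longer matches it. It still shows "Enter passphrase for key '../hacker-lab':" although the command above no longer passes that key, and it includes the author's local path `/home/wagena/.ssh/known_hosts`. The transcript also shows an unverified host key being accepted with "yes" and then failing to be saved, which is not a habit to model for readers. Suggest re-running the new command and pasting trimmed output, or cutting the output down to the final transfer line.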
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......@@ -311,7 +311,8 @@
<div class="w-full lg:w-3/5 break-words pb-16 lg:pl-4" v-pre>
<h1>Ace of Clubs</h1>
<p>1. Let's start off by running an <code>nmap</code> scan on our target from your Kali Linux instance: <code>nmap -p 1-65535 165.22.171.133</code>.
<p>1. First, get logged into your Kali Linux instance. Checkout the <a href="/walkthroughs/metasploitable-3-ubuntu/quickstart/">Quickstart Guide</a> if you're not sure how to do this. </p>
<p>Next let's start off by running an <code>nmap</code> scan on our target from your Kali Linux instance: <code>nmap -p 1-65535 165.22.171.133</code>.
Here's a quick explanation of what this command does.</p>
<ul>
<li><code>nmap</code> - Start the <code>nmap</code> tool, a utility for network discovery and security auditing.</li>
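Review bot: the second new paragraph repeats what the first one just covered. After "First, get logged into your Kali Linux instance", the next sentence still says "from your Kali Linux instance", and "Next let's start off" lacks the comma used in the matching 5 of Hearts text ("Next, let's start off"). Suggest "Next, let's run an nmap scan on our target:" and moving the command into its own code block with the "replace ... with the IP of your target machine" comment, as the 5 of Hearts page now does.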
......@@ -349,7 +350,7 @@ PORT STATE SERVICE
<blockquote>
<p>Hint: <code>nmap</code> is an open source command line tool for network exploration and security auditing.
We're using it here to scan for open ports, and services running on those ports.
Checkout the <a href="https://nmap.org/">official documentation</a> for the <code>nmap</code> tool to learn more about it's other options.</p>
Checkout the <a href="https://nmap.org/">official documentation</a> for the <code>nmap</code> tool to learn more.</p>
</blockquote>
<p>2. Walk through each of the open ports discovered in the <code>nmap</code> scan until we discover a web server being served on port 1180 in your browser where we can see an open directory.</p>
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs/1-port-80.PNG">
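Review bot: step 2 says the web server is "on port 1180", but the screenshot directly below it is named `1-port-80.PNG`. Please confirm which port is meant and make the text and asset name agree. The sentence itself also switches subject midway ("until we discover ... in your browser where we can see") and would read better split in two.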
......@@ -367,7 +368,7 @@ It looks like submitting the pattern <code>do you know x</code> will result in a
(8:32 PM) Papa Smurf: Oh yeah I know this dude. He cool. He cool. Check this out I know the
credential too:root:x:0:0:root:/root:/bin/bash
(8:32 PM) Papa Smurf: zzzzzzzz.....</code></pre>
<p>4. Let's test our theory by entering: <code>do you know blah; ls</code> and it works! prints out the /etc/passwd file</p>
<p>4. Let's test our theory by entering: <code>do you know blah; ls</code> and it works! prints out the <code>/etc/passwd</code> file</p>
<pre><code class="language-bash">(8:32 PM) wes: do you know root; ls
(8:32 PM) Papa Smurf: Oh yeah I know this dude. He cool. He cool. Check this out I know the
credential too:root:x:0:0:root:/root:/bin/bash
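Review bot: step 4 is still internally inconsistent after this edit. The text says to enter `do you know blah; ls`, the transcript below shows `do you know root; ls`, and the sentence claims the result "prints out the /etc/passwd file" although the appended command is `ls`. Please align the prose with the transcript and describe what the output actually demonstrates. "and it works! prints out" also needs a subject.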
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......@@ -328,9 +328,6 @@ See <a href="/walkthroughs/metasploitable-3-windows/quickstart">Metasploitable 3
<p>You can setup Metasploitable locally using vagrant by following the <a href="https://github.com/rapid7/metasploitable3">official documentation</a>.
Alternatively you can use a paid service like <a href="https://thehackerlab.co">thehackerlab.co</a> to set this up for you.</p>
<hr />
<h2>Start CTF challenges</h2>
<p>1. Once you have your lab setup, checkout our walkthrough of the <a href="https://learn.thehackerlab.co/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs/">Ace of Clubs</a> to capture your first flag.</p>
<hr />
<h2>Login to Kali Linux (Optional)</h2>
<p>1. If you've chosen to setup the optional Kali Linux instance, <a href="/essentials/ssh">ssh</a> into your Kali Linux server now.</p>
<pre><code class="language-bash"># replace 178.128.77.75 with the IP address of your Kali Linux instance
......@@ -338,6 +335,9 @@ $ ssh -p 2222 hacker-lab@178.128.77.75</code></pre>
<p><a href="https://thehackerlab.co">thehackerlab.co</a> sets up the ssh service on port <code>2222</code> with access for the user <code>hacker-lab</code> using the ssh keys provided at setup by default.
Replace the user and port number with the correct values if you set it up manually.</p>
<hr />
<h2>Start CTF challenges</h2>
<p>1. Once you have your lab setup, checkout our walkthrough of the <a href="https://learn.thehackerlab.co/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs/">Ace of Clubs</a> to capture your first flag.</p>
<hr />
<h2>More Resources</h2>
<ul>
<li><a href="https://information.rapid7.com/download-metasploitable-2017.html">Rapid7 Download</a></li>
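Review bot: the relocated "Start CTF challenges" step links to Ace of Clubs with an absolute URL (`https://learn.thehackerlab.co/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs/`), while the other internal links on this page, such as `/essentials/ssh`, are root-relative. Use the relative path here too so the link keeps working on local and staging builds. Moving the section after the Kali login step makes sense. Also, "setup" in "have your lab setup" should be "set up".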
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -203,7 +203,7 @@
<a href="/walkthroughs/metasploitable-3-ubuntu/5-of-hearts"
class="lvl1 nav-menu__item hover:text-blue"
>
8 of Hearts
5 of Hearts
</a>
</li>
......
......@@ -25,7 +25,7 @@ return [
'Quickstart' => '/walkthroughs/metasploitable-3-ubuntu/quickstart',
'Ace of Clubs' => '/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs',
'8 of Clubs' => '/walkthroughs/metasploitable-3-ubuntu/8-of-clubs',
'8 of Hearts' => '/walkthroughs/metasploitable-3-ubuntu/5-of-hearts'
'5 of Hearts' => '/walkthroughs/metasploitable-3-ubuntu/5-of-hearts'
],
],
'Metasploitable 3 Windows Walkthroughs' => [
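Review bot: this array entry looks like the real fix for the wrong menu label, and the same one-line "8 of Hearts" to "5 of Hearts" change then repeats in every rendered page hunk in this commit. If those HTML files are produced from this config, consider leaving them out of version control or committing them separately, so that content changes like the walkthrough rewrite are easier to review.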
......
......@@ -7,51 +7,17 @@ section: content
# 5 of Hearts
1\. SSH into your kali instance, reference the [quickstart guide](/walkthroughs/metasploitable-3-ubuntu/quickstart) if you need a refresher on how to do this.
Once logged into you Kali instance, let's run an **nmap** scan.
Replace `165.227.59.82` with the IP address of your metasploitable 3 instance.
1\. First, get logged into your Kali Linux instance. Checkout the [Quickstart Guide](/walkthroughs/metasploitable-3-ubuntu/quickstart/) if you're not sure how to do this.
* -sV (Version detection) .
* -p port ranges (Only scan specified ports) . -p- to scan ports from 1 through 65535.
* --version-all: Try every single probe (intensity 9)
* --open: Only show open (or possibly open) ports
Next, let's start off by running the same `nmap` scan we ran in the first step of the [Ace of Clubs](/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs) walkthrough guide.
```bash
nmap -sV -p- --version-all --open 165.227.59.82
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-01 20:47 UTC
Nmap scan report for 134.209.62.17
Host is up (0.00050s latency).
Not shown: 65514 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn?
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
1617/tcp open nimrod-agent?
3000/tcp open tcpwrapped
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ms-wbt-server?
3500/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.7 (2018-03-28))
4848/tcp open appserv-http?
5985/tcp open wsman?
6697/tcp open irc UnrealIRCd
8020/tcp open intu-ec-svcdisc?
8080/tcp open http-proxy?
8181/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.7 (2018-03-28))
8282/tcp open libelle?
8383/tcp open m2mservices?
8484/tcp open unknown
8585/tcp open unknown
9200/tcp open wap-wsp?
Service Info: Hosts: UBUNTU, irc.TestIRC.net; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 523.79 seconds
# replace 165.22.171.133 with the IP of your target machine
$ nmap -p 1-65535 165.22.171.133
```
>Hint: Refer to the [Ace of Clubs](/walkthroughs/metasploitable-3-ubuntu/ace-of-clubs) walkthrough guide if you need a refresher on what we're doing with this `nmap` command.
2\. Navigate to port 80 in your browser to see an open directory
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/5-of-hearts/1-port-80.PNG">
......@@ -60,7 +26,7 @@ Nmap done: 1 IP address (1 host up) scanned in 523.79 seconds
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/5-of-hearts/2-drupal.PNG">
4\. Nne of the tabs has an image of a heart.
4\. One of the tabs has an image of a heart.
<img src="/assets/images/walkthroughs/metasploitable-3-ubuntu/5-of-hearts/3-high-fives.PNG">
......@@ -73,13 +39,14 @@ If you've done web development you may recognize `iVBORw0K` as an image that is
```bash
# download image using curl
root@baad1df49737:~# curl http://165.227.59.82/drupal/sites/default/files/styles/large/public/field/image/5_of_hearts.png > image.png
# replace 165.227.59.82 with IP of your target machine
$ curl http://165.227.59.82/drupal/sites/default/files/styles/large/public/field/image/5_of_hearts.png > image.png
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 496k 100 496k 0 0 3356k 0 --:--:-- --:--:-- --:--:-- 3356k
```
7\. Decode the encoded image
7\. In order to decode the exif, we're going to pipe together the output of several command line tools:
* `exiftool image.png` - prints a table of exif data for the original image
* `grep hearts` - filter results to the line that contains the string "hearts"
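Review bot: the placeholder target IP is now inconsistent within the walkthrough. The new comment here says "replace 165.227.59.82 with IP of your target machine", but step 1 of this same draft was changed to use 165.22.171.133 for the target. Pick one address for the target throughout so readers do not think these are two different hosts. The new step 7 wording "decode the exif" is also imprecise: what gets decoded is the base64 image stored in the EXIF data.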
......@@ -88,14 +55,18 @@ root@baad1df49737:~# curl http://165.227.59.82/drupal/sites/default/files/styles
```bash
# pipe the output of each command as the input into the next
root@baad1df49737:~# exiftool image.png | grep hearts | awk '{print $6}' | base64 -d > five_of_hearts.png
$ exiftool image.png | grep hearts | awk '{print $6}' | base64 -d > five_of_hearts.png
```
>Hint: linux pipes allow you to send the output of one command to the input of the next command using the `|` operator.
>Checkout the [tutorial](https://ryanstutorials.net/linuxtutorial/piping.php) to learn more.
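Review bot: in the new hint, "linux" should be capitalised and "Checkout" used as a verb should be "Check out". The same "Checkout the ..." wording appears in the other paragraphs added by this commit. The blockquote lines also start with `>Hint:` and `>Checkout` with no space after the `>`. Adding a space would match common markdown style.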