This walkthrough is for the HacktheBox retired machine named Lazy.
We pick Lazy from the list:
We do a usual nmap scan:
Output:
We can browse to the website on the default port 80:
While we look around we can start a directory scan:
Back at the website, we could either sign up to see what’s on the authenticated part of the site, or go right in and try to brute-force an admin or user account.
I start by signing up with lazy:password1.
Once logged in there doesn’t seem to be much going on.
For the login I did some testing with cURL, and it looks like the login page gets cut off part way here:
The dirb scan finishes:
Before looking around we can start an SQLi scan to check for any possibilities:
Going to the /classes subdirectory, we can see some PHP files:
And we can see some photos in /images:
Seeing that one is called key.png, I hoped it was a hint and downloaded it:
Then tried to extract some info:
Nothing.
Back at the sqlmap scan we can see we’re not having any luck.
I tried some brute forcing and manual directory searching. Finally, after comparing the pages when logged in and logged out, I noticed a cookie:
I attempted to decrypt it with simple tools:
Searching “cookie decryption tool for kali” brings up padbuster: https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html
I also came across this blog page: https://spring.io/blog/2014/01/20/exploiting-encrypted-cookies-for-fun-and-profit
Not sure yet whether it will be vulnerable to a padding oracle, but we can try. We can run it with the syntax:
We can use the options -cookies, -auth and -encoding. I started with 0 for encoding and 8 for blocksize.
This prompts us to examine blocks 1 and 2. The first one didn’t bring back anything:
but the second one does:
Knowing the pattern the auth cookie is built from, we can attempt to create a new cookie for user=admin so we can spoof our authentication.
Before we do that, we can double-check this is the right user by trying to register it as a user, if not done so already:
When prompted, select block 2.
We will use this cookie BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA to spoof our authentication.
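As an added example that is not part of the original writeup or the Lazy box, the following Python sketch shows the server-side behaviour padbuster relies on (a padding failure answered differently from any other failure) beside an encrypt-then-MAC version that closes the oracle. The 8-byte Feistel block cipher, the keys and the `user=` cookie format are constructed stand-ins for whatever the real application used.

```python
import hmac, hashlib, os, struct

BS = 8  # 8-byte blocks, the blocksize padbuster settled on for this cookie
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, rounds):
    # Constructed toy 4-round Feistel cipher standing in for the real one: invertible, not secure
    l, r = struct.unpack(">II", blk)
    for i in rounds:
        f = hmac.new(key, bytes([i]) + r.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
        l, r = r, l ^ int.from_bytes(f, "big")
    return struct.pack(">II", r, l)

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for i in range(0, len(pt), BS):
        out.append(_block(key, _xor(pt[i:i + BS], out[-1]), range(4)))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return b"".join(_xor(_block(key, c, range(3, -1, -1)), p) for p, c in zip(blocks, blocks[1:]))

def make_cookie_weak(key, user):
    pt = b"user=" + user
    n = BS - len(pt) % BS  # PKCS#7 padding length
    iv = os.urandom(BS)
    return iv + cbc_encrypt(key, iv, pt + bytes([n]) * n)

def check_cookie_weak(key, cookie, users):
    # Vulnerable: a padding failure and an unknown user are answered differently.
    # That difference is the oracle padbuster drives to decrypt and forge cookies.
    pt = cbc_decrypt(key, cookie[:BS], cookie[BS:])
    n = pt[-1]
    if not 1 <= n <= BS or pt[-n:] != bytes([n]) * n:
        return "padding_error"
    return "ok" if pt[5:-n] in users else "unknown_user"

def make_cookie_safe(enc_key, mac_key, user):
    body = make_cookie_weak(enc_key, user)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def check_cookie_safe(enc_key, mac_key, cookie, users):
    # Hardened: encrypt-then-MAC, constant-time tag check before decrypting, one generic failure
    body, tag = cookie[:-32], cookie[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "invalid"
    return "ok" if check_cookie_weak(enc_key, body, users) == "ok" else "invalid"
```

With the weak checker, flipping a byte in the IV (which only garbles the username) and flipping a byte in the previous ciphertext block (which breaks the padding) yield different answers; the hardened checker returns the same `invalid` for both, so there is nothing for padbuster to measure.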
There are a few plugins we could use or we could do it manually with Burp Suite.
I used Cookie Quick Manager: https://addons.mozilla.org/en-CA/firefox/addon/cookie-quick-manager/.
When installed, click the cookie icon and select Manage all Cookies.
Select the 10.10.10.18 domain and paste the cookie into the Value field, replacing the current one from the dummy user we made, and click Save.
Back at the main page, when we reload with the new cookie we can see we get authenticated.
Right away we can see there is a link to a file we can download, and it turns out to be a private ssh key.
The filename itself also gives us a username: mitsos.
Copy and paste into a file:
Change file permissions:
Then connect to the lazy machine:
And we are in. We can get the user flag:
Looking at the files in the user directory we can already see there is a file called backup.
There is also peda set up for gdb, which is an executable debugger program included in most Linux versions.
If we run it, we can see it outputs the /etc/shadow file. Using this content we could try to crack the users’ passwords. In the ssh session, copy the contents from the backup file:
On a terminal tab on our local machine, copy it to a new file:
Then repeat for the /etc/passwd file, on the ssh session:
Back on our local machine, copy it to a new file:
Then we will merge the two files:
And attempt to crack it:
Unfortunately in this case, no common password was found.
Back in our ssh session, we can confirm the command is being run:
And check the file permissions:
Since this is a setuid-root executable, it will run the command cat /etc/shadow with root privileges. If we just try to run that command ourselves it will fail, as we do not have the right user permissions:
But if we look at this a different way, we could create our own file named cat; /etc/shadow then just becomes an argument to it, which we can ignore.
Then make it executable:
If we try now we can see it won’t work and is still using the legitimate cat command. In order for this exploit to work we need to either remove /bin/ from our PATH variable or make our home directory the first priority.
If we update this, then any time we want to run cat again for real we will need to use /bin/cat for it to work.
We can retrieve our current PATH variable using:
In this case we will want /home/mitsos to be first. We can use the export command to achieve this and then append the current PATH variable after it:
We can confirm it works by echoing the PATH again, as well as running just cat, which should fail as we don’t have permission:
Now running backup will give us the root flag.
However, if we wanted to take this further and obtain a root shell, we could put a reverse shell command in the file instead of the copy command.
Then on our local machine setup a listener:
Then back on our ssh session run the file again:
Our reverse shell works, and as root. We can now grab the root flag.