SickOS 2

SickOS 2 is also a vulnerable machine from vulnhub and can be downloaded here: https://www.vulnhub.com/entry/sickos-12,144/ To start of the machine I had to use NMAP again to get its IP address since netdiscover didn’t found the machine. First we run NMAP to see what ports are open: So we got …

SickOS 1

SickOS is a vulnerable machine which can be found on: https://www.vulnhub.com/entry/sickos-11,132/ For some reason I couldn’t find the machine with the netdiscover tool. No idea why, but nmapping the whole NAT network worked. So lets use nmap for the whole machine. We use the -sV parameter to get the version …

Leviathan1

Challange: There is no information for this level, intentionally. Seems like we don’t get any information for any challenge. Just like the last one we can SSH into the server with the credentials we got from the last challenge. Command: $ssh leviathan1@leviathan.labs.overthewire.org -p 2223 Lets have a look to see …

Natas20

Challange:After logging in we see the same message as a couple challanges ago: You are logged in as a regular user. Login as an admin to retrieve credentials for natas21. After having a look at the sourcecode I could not find something special. Lets input some names. The value of …

Natas19

Challange:After logging in we are greeted with the following message: This page uses mostly the same code as the previous level, but session IDs are no longer sequential… So lets check what the PHPSESSID value is now. This can be done by going to your cookies in your browser, Press …

Natas18

Challange:This time we see a real loginscreen, requesting a username and password. We can also see the source code again. The source code can be found below. Some remarks I found in the code: Return 1 is used for an admin login, but this function is disabled. Return 0 is …

Natas17

Challange:So we see the loginscreen again from the username to check if it exists. We had this one already. But I checked the source code and it’s not the same query. Username this time is in between double qoutes. Which cant be escaped. The query in the source code: They …

Natas16

Challange:For security reasons, we now filter even more on certain characters. Where we see the input field again to search for words containing: Solving it:So lets have a look at the source code As we can see the keys ; | & ` \ ‘ ” are being filtered. I …

Natas15

Challange:There is a single field named username to check the existence in the database. Solving it:We probably have to do another SQL injection, but lets have a look at the source code first. This is the query: SELECT * from users where username=\””.$_REQUEST[“username”].”\””;. So this is SELECT * from users …