hacking, mobile

#MobileSecMondays Video 7 – Solving CrackMe Challenge 2

Another day, another challenge.

In today’s post, we’re going to solve CrackMe Challenge 2.

In this challenge, we’re presented with a login screen with an email and a secret. Can we find the necessary information to log into the app?

Watch the below video to find out!

Like my content? Buy me a coffee – http://buymeacoffee.com/thefluffy007

hacking, mobile

#MobileSecMondays Video 6 – Solving CrackMe Challenge 1

Another day, another challenge.

In this post, we’re going to solve the first CrackMe challenge.

After reading the instructions, we need to find the secret string using techniques such as decompiling an Android app and reverse engineering the source code.


Watch the below video for more details and to find the secret string!


hacking, mobile

#MobileSecMondays Video 4 – Solving IGLearner Level 2

Hello everyone!

Another day, another challenge.

In this post we’re going to solve this challenge by finding a world-writable file (a file that is writable by everyone) in the application.

For this challenge we’re going to reverse engineer this app, and review the code to solve the challenge.

Without further ado, check out the video below.


hacking, mobile

#MobileSecMondays Video 2 – Solving OWASP Mobile Security Testing Guide (MSTG) Uncrackable Level 1

Hello everyone!

Another day, another post.

Here’s the second video from MobileSecMondays.

In this video I’m solving the OWASP Mobile Security Testing Guide (MSTG) Uncrackable Level 1 challenge.

In this challenge we’re going to reverse engineer an app, using Frida, a dynamic analysis tool, to change values at runtime and find a secret message!

Want to learn more and do the challenge yourself? Well, watch the video below!


hacking, mobile

#MobileSecMondays Video 1 – Installing Mobile Apps Using ADB

Hello everyone,


I’m doing something a bit different…

I’ve created a new series where I solve Mobile Security challenges (Android Only). I’ve titled it, “Mobile Sec Mondays”.

With the first video, we’re going to get our feet wet with Android Debug Bridge (ADB). ADB is used for Android mobile hacking. In this video we’re going to install an app from our virtual machine (IntroToAndroidSecurity) to an Androidx86 emulator.

Without further ado, check out the video below!

Enjoy!


mobile

Get Excited! IntroToAndroidSecurity Virtual Machine v2.1.0 is Here!!

Another day, another post.

In this post, I’m going to go over the updates and additions from version 2.0.1 to 2.1.0.

Without further ado, let me give updates on what is included in the version 2.1.0 of the virtual machine.

  1. Added Android Studio. I’ve had people send feedback that they would love to see Android Studio in the virtual machine, so I added it. NOTE: DO NOT use the emulator inside the virtual machine as it’s SUPER slow since Android Studio is inside of an emulator.
  2. Added more insecure apps. Crack Me challenges levels 1-10. These challenges are good for reverse engineering mobile apps. These challenges are about 6-7 years old, but they’re still GREAT for beginners.
  3. Included libraries to connect physical devices to the virtual machine

It’s OK if you do not have a physical device. I have an emulator, Androidx86, that can be used to play with mobile apps.

If you want to download and play with version 2.1.0 go to this link and click on External Link.

capture the flag, hacking, web application security

Solving @TryHackMe – Brooklyn Nine Nine

Another day, another challenge.

In this blog post, we’re going to solve the Brooklyn Nine Nine boot 2 root.

Let’s get started.

Going to the room and pressing Start Machine, we get our IP address.

Here’s a screenshot of my IP address:

Next, let’s fire up a terminal and see if we can enumerate the machine.

In the terminal, let’s enter the command nmap -sV <IP address>. In my case it will be nmap -sV 10.10.188.95

Doing this we get the following:

We see there’s an open port of FTP.

What can we do with FTP?

FTP can be configured so that we can log in with the username anonymous and any password. Of course, this is NOT good security, as there should be a valid username and password combination.

Let’s try it.

Go back to the terminal, enter ftp, and press Enter.

Next, enter open <IP address>. In my case it will be open 10.10.164.245

Doing this we see:

We were able to login!

Next, let’s use the ls or list command to see what files/directories (folders) are on the FTP server.

We have one file – note_to_jake.txt

How can we download this file onto our machine? We can use the get command.

Enter get note_to_jake.txt to download the file onto our computer.

Afterwards, enter the command exit to exit the FTP server.

Now we’re back to our terminal on our machine. Enter the command ls -la which will do a long listing showing hidden files as well.

Doing this we see our file – note_to_jake.txt!

Now let’s open the file with cat note_to_jake.txt

We see:

OK – Amy is telling Jake his password is weak. This is good for us as we will need to use Jake’s login information to get into the system.

We’ll keep this in our toolbox.

Going back to the open ports, we now have SSH (22) and HTTP (80).

Let’s try the HTTP server and see what we find.

We’re going to use the brute force program – dirb

Let’s enter the command dirb http://<IP address>. In my case it will be dirb http://10.10.188.95

Doing this we have:

We didn’t find much.

Let’s move to the SSH server.

We can brute force the password using the hydra command. We’re going to enter the command hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://<IP address> -t 4

In my case it will be hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.188.95 -t 4

Let’s break it down

hydra – command

-l jake – the user we want to brute force

-P /usr/share/wordlists/rockyou.txt – the wordlist (rockyou.txt) we want to brute force the SSH server with

-t 4 – we’re specifying to hydra that we want to use 4 threads (more threads make hydra complete faster)

We found the password for jake’s login credentials for SSH. As you can see the password is not secure.
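From the defender's side, a run like this leaves a clear trail in the SSH server's authentication log. The following is an added example, not part of the original walkthrough: it counts failed passwords per user and source IP and marks pairs where a successful login follows the failures. The log lines, IP addresses and function names are constructed for illustration and assume the standard OpenSSH log message format.

```shell
#!/usr/bin/env bash
# Constructed sample sshd log lines (not taken from the room).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 host sshd[1001]: Failed password for jake from 192.0.2.10 port 40001 ssh2
Jan 10 10:00:01 host sshd[1002]: Failed password for jake from 192.0.2.10 port 40002 ssh2
Jan 10 10:00:02 host sshd[1003]: Failed password for jake from 192.0.2.10 port 40003 ssh2
Jan 10 10:00:02 host sshd[1004]: Failed password for jake from 192.0.2.10 port 40004 ssh2
Jan 10 10:00:03 host sshd[1005]: Failed password for invalid user admin from 198.51.100.7 port 50000 ssh2
Jan 10 10:00:04 host sshd[1006]: Accepted password for jake from 192.0.2.10 port 40005 ssh2
Jan 10 10:05:00 host sshd[1010]: Accepted password for amy from 203.0.113.5 port 51000 ssh2
EOF
}

# Usage: detect_ssh_guessing THRESHOLD < auth.log
# Prints "user ip failures verdict" for every (user, source IP) pair with at
# least THRESHOLD failed passwords. The verdict is SUCCESS_AFTER_FAILURES when
# an accepted password from the same pair follows, otherwise FAILURES_ONLY.
detect_ssh_guessing() {
  awk -v min="${1:-3}" '
    # "invalid user NAME" shifts the fields, so locate "from" to find user and IP
    function parse(   i) {
      for (i = 1; i <= NF; i++) if ($i == "from") { key = $(i-1) " " $(i+1) }
    }
    / sshd\[[0-9]+\]: Failed password for / { parse(); fails[key]++; next }
    / sshd\[[0-9]+\]: Accepted password for / {
      parse()
      if ((key in fails) && fails[key] >= min) hit[key] = 1
    }
    END {
      for (k in fails) if (fails[k] >= min)
        print k, fails[k], ((k in hit) ? "SUCCESS_AFTER_FAILURES" : "FAILURES_ONLY")
    }' | sort
}

# Run against the constructed sample with a threshold of 4 failures.
sample_log | detect_ssh_guessing 4
```

A pair marked SUCCESS_AFTER_FAILURES is the one to investigate first, since it means a guessed password was eventually accepted.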

Now we’re going to log into the SSH server with the following: ssh jake@<IP address>. In my case it will be ssh jake@10.10.188.95

Doing this we’re prompted to enter our password which is 987654321.

After pressing Enter we’re in!

Now we need to find the user.txt.

How are we going to find this file?

Using the find command

In the terminal let’s enter: find / -name user.txt 2>/dev/null

Let’s break this down

find – the find command

/ – start at the root file system

-name – want to find a file by name

user.txt – the name of the file

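2> – redirect standard error (file descriptor 2), where error messages such as “Permission denied” are written, away from the screen

/dev/null – where the errors (from the 2>) are sent; anything written to /dev/null is discarded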

Doing this we see:

We found the user.txt

Let’s open the file.

We found the user.txt code.

Now we have one more question – we need to find the root.txt

How are we going to do this?

Let’s see if we can do an escalation of privilege.

One of the first things we can do is see if the user (jake) can execute any commands as root.

How do we check this?

Execute the command sudo -l

Let’s break this command down.

If the user (jake) has entries in the /etc/sudoers file, then the above command will list the commands jake is allowed to run through sudo, which tells us what we can execute to get to root.

Entering the command we see:

There’s a command we can run as root to escalate our privileges – less.

Let’s see how we can do this.

Doing a Google search for less privilege escalation, we see the following link.

Clicking the above link and scrolling down, we see how we can do a privilege escalation under the sudo section.

Going back to our terminal let’s enter: sudo less /etc/profile (press Enter) then enter !/bin/sh

Doing this we see:

Once we press Enter we’re back at the terminal, but if you notice, the prompt has changed to a #.

Doing a whoami we see that we’re root!
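The root cause is a sudo rule that lets a user run a pager as root without restricting what the pager can launch. The following is an added example, not part of the original walkthrough: an audit function that reads `sudo -l` output and reports allowed commands that have a built-in shell escape and are not covered by the sudoers NOEXEC tag. The sample output, the host name and the short program list are constructed, and the parser assumes tags appear only at the start of a rule line.

```shell
#!/usr/bin/env bash
# Constructed `sudo -l` output for illustration (not the room's actual output).
sample_sudo_l() {
cat <<'EOF'
User jake may run the following commands on examplehost:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /usr/bin/vim /etc/motd
    (root) /usr/bin/systemctl status nginx, /bin/more
EOF
}

# Illustrative, non-exhaustive list of pagers and editors with a shell escape.
ESCAPE_CAPABLE="less more man vi vim view"

# Usage: sudo -l | audit_sudo_rules
# Prints "RISK <path>" for each allowed command whose basename is in
# ESCAPE_CAPABLE and whose rule line does not carry the NOEXEC tag.
audit_sudo_rules() {
  awk -v list="$ESCAPE_CAPABLE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    /^[ \t]+\(/ {                                # rule lines start with (runas)
      noexec = ($0 ~ /NOEXEC:/)
      sub(/^[ \t]+\([^)]*\)[ \t]*/, "")          # drop the (runas) spec
      while (sub(/^[A-Z_]+:[ \t]*/, "")) ;       # drop tags such as NOPASSWD:
      m = split($0, cmds, /,[ \t]*/)             # one rule may list several commands
      for (i = 1; i <= m; i++) {
        split(cmds[i], w, " "); path = w[1]      # first word is the program path
        base = path; sub(/.*\//, "", base)
        if ((base in risky) && !noexec) print "RISK", path
      }
    }'
}

# Run against the constructed sample.
sample_sudo_l | audit_sudo_rules
```

Each reported path is a rule to tighten, either by removing it, replacing it with a narrower command, or adding NOEXEC so the program cannot spawn a shell as root.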

Now let’s navigate to the root home directory (/root) to see if the root.txt is located there.

Enter the command cd /root to navigate to the root home directory

Doing a long list to show everything (ls -la) we see there’s a root.txt file!

Now let’s open the root.txt file

Enter the command cat root.txt and we see: