mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 13:03:01 +00:00
136 lines
3.7 KiB
Markdown
136 lines
3.7 KiB
Markdown
|
# TryHackMe-Lian_YU CTF
|
||
|
Abdullah Rizwan , 1 spetember , 12:09 PM
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
export IP=10.10.209.95
|
||
|
```
|
||
|
|
||
|
```
|
||
|
nmap -sC -sV $IP
|
||
|
|
||
|
```
|
||
|
|
||
|
|
||
|
```
|
||
|
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 12:09 EDT
|
||
|
Nmap scan report for 10.10.209.95
|
||
|
Host is up (0.18s latency).
|
||
|
Not shown: 996 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
21/tcp open ftp vsftpd 3.0.2
|
||
|
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
|
||
|
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
|
||
|
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|
||
|
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
|
||
|
80/tcp open http Apache httpd
|
||
|
|_http-server-header: Apache
|
||
|
|_http-title: Purgatory
|
||
|
111/tcp open rpcbind 2-4 (RPC #100000)
|
||
|
| rpcinfo:
|
||
|
| program version port/proto service
|
||
|
| 100000 2,3,4 111/tcp rpcbind
|
||
|
| 100000 2,3,4 111/udp rpcbind
|
||
|
| 100000 3,4 111/tcp6 rpcbind
|
||
|
| 100000 3,4 111/udp6 rpcbind
|
||
|
| 100024 1 37515/tcp status
|
||
|
| 100024 1 40883/udp status
|
||
|
| 100024 1 45950/tcp6 status
|
||
|
|_ 100024 1 59637/udp6 status
|
||
|
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
```
|
||
|
|
||
|
<img src = "https://i.imgur.com/rF974M7.png" />
|
||
|
|
||
|
There wasn't anything useful on the web page but when I did directory force I found some interesting directories.
|
||
|
|
||
|
|
||
|
## Dirbuster
|
||
|
|
||
|
|
||
|
<img src = "https://i.imgur.com/pBVxwCR.png"/>
|
||
|
|
||
|
When we visit that page we see nothing but text but if we select all the text or look at the source we can find the code word `vigilante`.
|
||
|
|
||
|
<img src = "https://i.imgur.com/pBVxwCR.png"/>
|
||
|
|
||
|
<img src = "https://i.imgur.com/GADOifV.png"/>
|
||
|
|
||
|
Then continuing directory brute force i was able to find `/island/2100` directory
|
||
|
|
||
|
<img src ="https://i.imgur.com/FSxzDVf.png"/>
|
||
|
|
||
|
<img src = "https://i.imgur.com/k7KMl73.png"/>
|
||
|
|
||
|
Now it's giving us a hint that there is a `.ticket` file so we can again do directory busting but this time I'll use `gobuster`
|
||
|
|
||
|
## Gobuster
|
||
|
|
||
|
<img src ="https://i.imgur.com/amDxyjb.png"/>
|
||
|
|
||
|
<img src ="https://i.imgur.com/ui60A9L.png"/>
|
||
|
|
||
|
we can see an encoded message `RTy8yhBQdscX` also a name `Gambit`.
|
||
|
|
||
|
By searching this encoded text on google we will come up with the result telling us that this is base58 encoded
|
||
|
|
||
|
<img src="https://i.imgur.com/sCaR5pV.png"/>
|
||
|
|
||
|
## FTP
|
||
|
|
||
|
We logged in to ftp with user name `vigilante` and password `!#th3h00d`.
|
||
|
|
||
|
<img src="https://i.imgur.com/0tXp8su.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/ecnlNV3.png"/>
|
||
|
|
||
|
Here we can find 3 images.
|
||
|
|
||
|
<img src="https://i.imgur.com/nZarsYG.png"/>
|
||
|
|
||
|
on looking at `Leave_Me_Alone.png` it gives us an error.
|
||
|
|
||
|
<img src="https://i.imgur.com/YifTluj.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/rJAT3rD.png"/>
|
||
|
|
||
|
Here the header of png file is incorrect. Change the header of the image by using `hexedit`.
|
||
|
Then press `ctrl+x` to save.
|
||
|
|
||
|
<img src="https://i.imgur.com/48Xl2Tx.png"/>
|
||
|
|
||
|
Now the file format is correct and now let's the image.
|
||
|
|
||
|
<img src="https://i.imgur.com/0JJfqFW.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/xlTOwHc.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/AgmzlEm.png"/>
|
||
|
|
||
|
We can also find another user named `slade` so that `Password` can be of that user.
|
||
|
|
||
|
<img src="https://i.imgur.com/zZntQfC.png"/>
|
||
|
|
||
|
I tried to use `stegcracker` to view if there was any fild hidden with any of the images.
|
||
|
|
||
|
<img src="https://i.imgur.com/1jOV6SY.png"/>
|
||
|
|
||
|
I got two text files from `aa.png`.
|
||
|
|
||
|
<img src="https://i.imgur.com/1eescpT.png"/>
|
||
|
|
||
|
And we logged in with `slade` with the password from `shado` file.
|
||
|
|
||
|
## Privilege Escalation
|
||
|
|
||
|
<img src="https://i.imgur.com/lq2kLzB.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/Y0pWC0X.png"/>
|
||
|
|
||
|
We got root
|
||
|
|
||
|
<img src="https://i.imgur.com/4o0I9ow.png"/>
|