mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-14 16:27:18 +00:00
174 lines
7.1 KiB
Markdown
174 lines
7.1 KiB
Markdown
|
# TryHackMe-Bad Byte
|
||
|
|
||
|
## Rustscan
|
||
|
|
||
|
```java
|
||
|
|
||
|
rustscan -a 10.10.28.94 -- -A -sC -sV
|
||
|
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
|
||
|
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
|
||
|
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
|
||
|
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
|
||
|
The Modern Day Port Scanner.
|
||
|
________________________________________
|
||
|
: https://discord.gg/GFrQsGy :
|
||
|
: https://github.com/RustScan/RustScan :
|
||
|
--------------------------------------
|
||
|
😵 https://admin.tryhackme.com
|
||
|
|
||
|
[~] The config file is expected to be at "/root/.rustscan.toml"
|
||
|
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
|
||
|
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
|
||
|
Open 10.10.28.94:22
|
||
|
Open 10.10.28.94:30024
|
||
|
|
||
|
PORT STATE SERVICE REASON VERSION
|
||
|
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
|
||
|
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9/A7kkuN5E+SS1C6w1NfeY196Rj4Y1Yx7njNCwNaCgIv8m+V+7MTHsRn3txLXRTHXErMqW3ypCmmjuY3O40kAragZSgA/XhdesGxGVa0szH
|
||
|
K7H4fB28uQiyZgkOfIt/12kGaHB3iGwOeex2Hdg6ct4FdxTWKgDvuKZSLVoPXG66R8SOHql2cXfUtzyUMNJTTqoUED69soEJVG2ctfPKXi4BfFqM3OK2HgKzbmcSPXlLUTNhlcvjPuTa0kMRqiNT
|
||
|
MVdP0PjSFdoaMviXHiznW7Fn6NHe3R/vIQt8Ac05Mdvim21QjRpJ4pm7v5+q1wXCJxGG6Ov71yThKP6yZ4ByMl
|
||
|
| 256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
|
||
|
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM9QUKykbzCSI7+PgoVzHNKOVIWf+zm0LN/f4n0VJc/P0J9TzLImkYHIOCnRFpNUPtiWGXbHXi
|
||
|
67FQxEpgZMReo=
|
||
|
| 256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
|
||
|
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrvf1zJBhqU1RxUCYuTgoIy+7NzCqZeFWV67bt8+APV
|
||
|
30024/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
|
||
|
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|
||
|
| -rw-r--r-- 1 ftp ftp 1743 Mar 23 20:03 id_rsa
|
||
|
|_-rw-r--r-- 1 ftp ftp 78 Mar 23 20:09 note.txt
|
||
|
| ftp-syst:
|
||
|
| STAT:
|
||
|
| FTP server status:
|
||
|
| Connected to ::ffff:10.8.94.60
|
||
|
| Logged in as ftp
|
||
|
| TYPE: ASCII
|
||
|
| No session bandwidth limit
|
||
|
| Session timeout in seconds is 300
|
||
|
| Control connection is plain text
|
||
|
| Data connections will be plain text
|
||
|
| At session startup, client count was 4
|
||
|
| vsFTPd 3.0.3 - secure, fast, stable
|
||
|
| At session startup, client count was 4
|
||
|
| vsFTPd 3.0.3 - secure, fast, stable
|
||
|
|_End of status
|
||
|
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
|
||
|
|
||
|
```
|
||
|
|
||
|
We have two ports open , one is 22 (SSH) and the other one is 30024 (FTP)
|
||
|
|
||
|
## PORT 30024 (FTP)
|
||
|
|
||
|
<img src="https://imgur.com/InhrViT.png"/>
|
||
|
|
||
|
From the `note.txt`
|
||
|
|
||
|
```
|
||
|
I always forget my password. Just let me store an ssh key here.
|
||
|
- errorcauser
|
||
|
```
|
||
|
|
||
|
So `errorcauser` might be a username and we have his `id_rsa` so we can now ssh into the machine
|
||
|
|
||
|
## PORT 22 (SSH)
|
||
|
|
||
|
As soon as we try to login with the private ,it's protected with a passphrase
|
||
|
|
||
|
<img src="https://imgur.com/X96pV5y.png"/>
|
||
|
|
||
|
So here we need `ssh2john` generate a hash for the key so we can crack it with `johntheripper` or `hashcat`
|
||
|
|
||
|
<img src="https://imgur.com/FMD6iKy.png"/>
|
||
|
|
||
|
And we successfully cracked the hash and got the passphrase so now we should be able to login
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/uGWPD9w.png"/>
|
||
|
|
||
|
We are logged in as `errorcauser` but we see another note which tells that there's a webserver running on local port
|
||
|
|
||
|
<img src="https://imgur.com/uGWPD9w.png"/>
|
||
|
|
||
|
Since there is no `ss` or `nestat` installed we have create a socks proxy on localhost to see which ports are open in order to that we will login through ssh using this command
|
||
|
|
||
|
`ssh errorcauser@10.10.28.94 -i id_rsa -D 1337`
|
||
|
|
||
|
Also add socks5 proxy in `/etc/proxychains.conf`
|
||
|
|
||
|
<img src="https://imgur.com/Qh1mR9Z.png"/>
|
||
|
|
||
|
Now run a TCP scan on localhost
|
||
|
|
||
|
<img src="https://imgur.com/JvNPSvZ.png"/>
|
||
|
|
||
|
So we can see two more ports 80 and 3306 , so let's scan port 80 what's running on it
|
||
|
|
||
|
<img src="https://imgur.com/d8JYgR2.png"/>
|
||
|
|
||
|
Add proxy with `Foxyproxy` extension or you could manually add proxy setting
|
||
|
|
||
|
<img src="https://imgur.com/bUULaQh.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/BbVshgg.png"/>
|
||
|
|
||
|
Using `wpscan` I enumerated the user
|
||
|
|
||
|
<img src="https://imgur.com/VWzkKvy.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/q8LXKHb.png"/>
|
||
|
|
||
|
For some reason wpscan wasn't giving me plugins for wordpress so I decide to use nse (nmap scripting engine)
|
||
|
|
||
|
<img src="https://imgur.com/jxWJvZg.png"/>
|
||
|
|
||
|
This is the scipt I used to enumerate plugins also to note supply arguemnts to scan upto 1500 results from wordpress plugins script
|
||
|
|
||
|
`proxychains nmap -sT -p 80 --script http-wordpress-enum --script-args search-limit=1500 127.
|
||
|
0.0.1`
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/FMUZEjS.png"/>
|
||
|
|
||
|
So we have found these two plugins being used on wordpress and these both have exploits on `exploit-db`
|
||
|
|
||
|
<img src="https://imgur.com/5gEmRWu.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/XsLxNnh.png"/>
|
||
|
|
||
|
|
||
|
### Duplicator (Arbitary File Read)
|
||
|
|
||
|
<img src="https://imgur.com/ZzvqaqX.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/jmo01JD.png"/>
|
||
|
|
||
|
### Wp-File manager (RCE)
|
||
|
|
||
|
<img src="https://imgur.com/OwF0kiA.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/WZR3fNK.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/jQ3DkgP.png"/>
|
||
|
|
||
|
I don't like the meterpreter shell so and I can't get the bash through it so I decided to generate a payload that will give a me a reverse shell
|
||
|
|
||
|
<img src="https://imgur.com/JNpk1H1.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/V3Kq8Gd.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/TwOv8Mn.png"/>
|
||
|
|
||
|
Now the room tells that password was logged so by going to `/var/logs` I find `bash.log` belongs cth so we can read it
|
||
|
|
||
|
<img src="https://imgur.com/3KTasuQ.png"/>
|
||
|
|
||
|
Here it gives us the old password , for the current password we can guess that since the year is 2021 so the password must be `G00dP@$sw0rd2021`
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/whlooza.png"/>
|
||
|
|
||
|
And we guessed it right , we can run any command as sudo
|
||
|
|
||
|
<img src="https://imgur.com/iN8ssj3.png"/>
|