From 49923281f8a10dd6234106f55fd5a34830b4f2b4 Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Mon, 8 Mar 2021 05:07:56 +0500 Subject: [PATCH] Add files via upload --- TryHackMe/Easy.md | 160 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 TryHackMe/Easy.md diff --git a/TryHackMe/Easy.md b/TryHackMe/Easy.md new file mode 100644 index 0000000..ec4d54a --- /dev/null +++ b/TryHackMe/Easy.md @@ -0,0 +1,160 @@ +# TryHackMe-Hacker Of The Hill + +## Easy + +### Rustscan + +``` +rustscan -a 10.10.193.208 -- -A -sC -sV +.----. .-. .-. .----..---. .----. .---. .--. .-. .-. +| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | +| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | +`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' +The Modern Day Port Scanner. +________________________________________ +: https://discord.gg/GFrQsGy : +: https://github.com/RustScan/RustScan : + -------------------------------------- +🌍HACK THE PLANET🌍 + +[~] The config file is expected to be at "/root/.rustscan.toml" +[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers +[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. +Open 10.10.193.208:22 +Open 10.10.193.208:80 +Open 10.10.193.208:8001 +Open 10.10.193.208:8000 +Open 10.10.193.208:8002 +Open 10.10.193.208:9999 +PORT STATE SERVICE REASON VERSION + +PORT STATE SERVICE REASON VERSION [96/388] +22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 f7:75:95:c7:6d:f4:92:a0:0e:1e:60:b8:be:4d:92:b1 (RSA) +| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7FOhvQRnCoPOd/4kYKsFt1Z81Zn7/eHHCcC1aHXfWK3UskQJaeWDqPcjeXN+ceZbiyKXUBpvAIWlg5Gphn1iCJoWxsCibNzZlZczJmjM2L+ +fW/maaKRmiFL1fxxgkzNpssK3cF2dyNZ4uitwFhl5imMScEx/E1Lt86545ZxijjmlhUcbxvERh5nC+84RoIRr979qKWvOHgFyLXwOi+FGj5x1DZ0ZcmhsUORX8n9ZsqqUNM01R2MittszQr1CEa0 +QFvrRyJawV1vHerdaYKaFbwvfR2Ip9d8VI4MmhMqb9fnnwRSYGP3qDKoscJo6UF4wtIMT79/obcXP1GdvoROc7 +| 256 a2:11:fb:e8:c5:c6:f8:98:b3:f8:d3:e3:91:56:b2:34 (ECDSA) +| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCSG/mKt+u+M1pEEuYBYY/LTbDOftPdV5ZBYGyVS0aF5DiRbsYQaOtswUarmEbUO05LIlSUZG6 +dK88BSm2DjnAU= +| 256 72:19:b7:04:4c:df:18:be:6b:0f:9d:da:d5:14:68:c5 (ED25519) +|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3y6QxJnjq+vtxnKq2LJB1EIy+RSy5rZqltZulxj6RA +80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu)) +| http-methods: +|_ Supported Methods: GET POST OPTIONS HEAD +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +8000/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu)) +| http-methods: +|_ Supported Methods: GET POST +| http-robots.txt: 1 disallowed entry +|_/vbcms +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: VeryBasicCMS - Home +8001/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu)) +| http-methods: +|_ Supported Methods: GET HEAD POST OPTIONS +|_http-server-header: Apache/2.4.29 (Ubuntu) +| http-title: My Website +|_Requested resource was /?page=home.php +8002/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu)) +| http-methods: +|_ Supported Methods: GET POST +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: Learn PHP +9999/tcp open abyss? syn-ack ttl 63 +| fingerprint-strings: +| FourOhFourRequest, GetRequest, HTTPOptions: +| HTTP/1.0 200 OK +| Date: Sat, 20 Feb 2021 19:24:58 GMT +| Content-Length: 0 +| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie: +| HTTP/1.1 400 Bad Request +| Content-Type: text/plain; charset=utf-8 +| Connection: close +|_ Request + + +``` + +### PORT 22 (SSH) + +### PORT 80 (HTTP) + + + + +### PORT 8000 (HTTP) + + + +There wasn't anything on Home , About and Contact page. Running gobuster on the port 8000 + + + + + +But we did see an entry in `robots.txt` + + + +Logging in with `admin:admin` + + + + + +Here we can see these are html pages but we can include php code in between it + + + + + + + +And we have a RCE working so let's leverege this to get a reverse shell + + + + + +From the looks of it this a base64 ecoded text + + + +Doing a `cat /etc/crontab` to list system wide crontab we see a cronjob running as root + + + +We also see `secret.txt` in `/var/www/html/topSecretPrivescMethod` + + + +Reading `/var/lib/rary` from the hints + + + +This was the flag that we need to enter in the correct format + + +### PORT 8001 (HTTP) + + + + +### PORT 80002 (HTTP) + + + +To get a reverse shell paste the php reverse shell without having `php` tags in it + + + +Now we can edit that script which is running in crontab + + + +To get `root.txt` + + \ No newline at end of file