mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Add files via upload
This commit is contained in:
parent
8967a30473
commit
60626ffc64
1 changed files with 139 additions and 0 deletions
139
VulnHub/DC-1.md
Normal file
139
VulnHub/DC-1.md
Normal file
|
@ -0,0 +1,139 @@
|
|||
# Vulnhub-DC 1
|
||||
|
||||
## Rustscan
|
||||
```bash
|
||||
rustscan -a 192.168.1.5 -- -A -sC -sV
|
||||
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
|
||||
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
|
||||
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
|
||||
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
|
||||
The Modern Day Port Scanner.
|
||||
________________________________________
|
||||
: https://discord.gg/GFrQsGy :
|
||||
: https://github.com/RustScan/RustScan :
|
||||
--------------------------------------
|
||||
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
|
||||
|
||||
Open 192.168.1.5:22
|
||||
Open 192.168.1.5:80
|
||||
Open 192.168.1.5:111
|
||||
Open 192.168.1.5:55928
|
||||
|
||||
PORT STATE SERVICE REASON VERSION
|
||||
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|
||||
| ssh-dss AAAAB3NzaC1kc3MAAACBAI1NiSeZ5dkSttUT5BvkRgdQ0Ll7uF//UJCPnySOrC1vg62DWq/Dn1ktunFd09FT5Nm/ZP9BHlaW5hftzUdtYUQRKfazWfs6g5glPJQSVUqnlNwVUBA46q
|
||||
S65p4hXHkkl5QO0OHzs8dovwe3e+doYiHTRZ9nnlNGbkrg7yRFQLKPAAAAFQC5qj0MICUmhO3Gj+VCqf3aHsiRdQAAAIAoVp13EkVwBtQQJnS5mY4vPR5A9kK3DqAQmj4XP1GAn16r9rSLUFffz/
|
||||
ONrDWflFrmoPbxzRhpgNpHx9hZpyobSyOkEU3b/hnE/hdq3dygHLZ3adaFIdNVG4U8P9ZHuVUk0vHvsu2qYt5MJs0k1A+pXKFc9n06/DEU0rnNo+mMKwAAAIA/Y//BwzC2IlByd7g7eQiXgZC2pG
|
||||
E4RgO1pQCNo9IM4ZkV1MxH3/WVCdi27fjAbLQ+32cGIzjsgFhzFoJ+vfSYZTI+avqU0N86qT+mDCGCSeyAbOoNq52WtzWId1mqDoOzu7qG52HarRmxQlvbmtifYYTZCJWJcYla2GAsqUGFHw==
|
||||
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|
||||
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbDC/6BDEUIa7NP87jp5dQh/rJpDQz5JBGpFRHXa+jb5aEd/SgvWKIlMjUDoeIMjdzmsNhwCRYAoY7Qq2OrrRh2kIvQipyohWB8nImetQe52
|
||||
QG6+LHDKXiiEFJRHg9AtsgE2Mt9RAg2RvSlXfGbWXgobiKw3RqpFtk/gK66C0SJE4MkKZcQNNQeC5dzYtVQqfNh9uUb1FjQpvpEkOnCmiTqFxlqzHp/T1AKZ4RKED/ShumJcQknNe/WOD1ypeDeR
|
||||
+BUixiIoq+fR+grQB9GC3TcpWYI0IrC5ESe3mSyeHmR8yYTVIgbIN5RgEiOggWpeIPXgajILPkHThWdXf70fiv
|
||||
| 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
|
||||
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKUNN60T4EOFHGiGdFU1ljvBlREaVWgZvgWlkhSKutr8l75VBlGbgTaFBcTzWrPdRItKooYsej
|
||||
eC80l5nEnKkNU=
|
||||
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.22 ((Debian))
|
||||
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|
||||
|_http-generator: Drupal 7 (http://drupal.org)
|
||||
| http-methods:
|
||||
|_ Supported Methods: GET HEAD POST OPTIONS
|
||||
| http-robots.txt: 36 disallowed entries
|
||||
| /includes/ /misc/ /modules/ /profiles/ /scripts/
|
||||
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
|
||||
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|
||||
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
|
||||
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
|
||||
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
|
||||
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|
||||
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|
||||
|_http-server-header: Apache/2.2.22 (Debian)
|
||||
|_http-title: Welcome to Drupal Site | Drupal Site
|
||||
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
|
||||
| rpcinfo:
|
||||
| program version port/proto service
|
||||
| 100000 2,3,4 111/tcp rpcbind
|
||||
| 100000 2,3,4 111/udp rpcbind
|
||||
| 100000 3,4 111/tcp6 rpcbind
|
||||
| 100000 3,4 111/udp6 rpcbind
|
||||
| 100024 1 34128/udp status
|
||||
| 100024 1 48408/tcp6 status
|
||||
| 100024 1 50078/udp6 status
|
||||
|_ 100024 1 55928/tcp status
|
||||
55928/tcp open status syn-ack ttl 64 1 (RPC #100024)
|
||||
```
|
||||
|
||||
## PORT 80 (HTTP)
|
||||
|
||||
<img src="https://imgur.com/7XAgdo4.png"/>
|
||||
|
||||
Using wappalyzer I can see the version of druapl CMS which is `Durpal 7`
|
||||
|
||||
So here we can try creating an account
|
||||
|
||||
<img src="https://imgur.com/gW9Hqmb.png"/>
|
||||
|
||||
And we get this message
|
||||
|
||||
<img src="https://imgur.com/Hd2HALh.png"/>
|
||||
|
||||
So we can search for druapl 7 exploits , and I found an exploit on metasploit
|
||||
|
||||
<img src="https://imgur.com/vyBBLcu.png"/>
|
||||
|
||||
<img src="https://imgur.com/SaorVUT.png"/>
|
||||
|
||||
<img src="https://imgur.com/uCqTEIZ.png"/>
|
||||
|
||||
So for stabilizing the shell I used bash reverse shell to get a shell and this stabilize it using `python`
|
||||
|
||||
<img src="https://imgur.com/KuyFHNV.png"/>
|
||||
|
||||
We see a `flag1.txt` file
|
||||
|
||||
<img src="https://imgur.com/JAOxalU.png"/>
|
||||
|
||||
Maybe this refers to a database config file for druapl so I googled for druapl cms config file
|
||||
|
||||
<img src="https://imgur.com/dPnBbtO.png"/>
|
||||
|
||||
<img src="https://imgur.com/ajZPgZD.png"/>
|
||||
|
||||
And we got the mysql creds
|
||||
|
||||
<img src="https://imgur.com/L11hBby.png"/>
|
||||
|
||||
So let's try these credentials
|
||||
|
||||
<img src="https://imgur.com/WcmSany.png"/>
|
||||
|
||||
<img src="https://imgur.com/acoqgok.png"/>
|
||||
|
||||
<img src="https://imgur.com/AkxHs5h.png"/>
|
||||
|
||||
We can see which hash is this by going to hashcat examples
|
||||
|
||||
<img src="https://imgur.com/7hiJEWd.png"/>
|
||||
|
||||
Tried to crack those hashes but it was taking too long
|
||||
|
||||
<img src="https://imgur.com/OjMQQnt.png"/>
|
||||
|
||||
So I moved on to `/home` directory, there I saw a user `flag4` having a text file which hints to getting a flag in root's directory
|
||||
|
||||
<img src="https://imgur.com/E21ZUpH.png"/>
|
||||
|
||||
Running a find command to look for SUID we saw that `find` has a SUID bit on
|
||||
|
||||
<img src="https://imgur.com/Mr9VB69.png"/>
|
||||
|
||||
Going to GTFOBINS
|
||||
|
||||
<img src="https://imgur.com/r73L7jb.png"/>
|
||||
|
||||
<img src="https://imgur.com/bf70kuI.png"/>
|
||||
|
||||
We are root
|
||||
|
||||
<img src="https://imgur.com/3gUznaK.png"/>
|
Loading…
Reference in a new issue