Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-21 19:43:03 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add files via upload

Browse source
This commit is contained in:
AbdullahRizwan101 2020-11-13 03:36:50 +05:00 committed by GitHub
parent fb539c9d95
commit 71d7d8d4fb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 94 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

94
TryHackMe/Develpy.md Normal file
View file

@ -0,0 +1,94 @@
# TryHackMe-DevelPy
## NMAP
```
Host is up (0.15s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 78:c4:40:84:f4:42:13:8e:79:f8:6b:e4:6d:bf:d4:46 (RSA)
| 256 25:9d:f3:29:a2:62:4b:24:f2:83:36:cf:a7:75:bb:66 (ECDSA)
|_ 256 e7:a0:07:b0:b9:cb:74:e9:d6:16:7d:7a:67:fe:c1:1d (ED25519)
10000/tcp open snet-sensor-mgmt?
| fingerprint-strings:
| GenericLines:
| Private 0days
| Please enther number of exploits to send??: Traceback (most recent call last):
| File "./exploit.py", line 6, in <module>
| num_exploits = int(input(' Please enther number of exploits to send??: '))
| File "<string>", line 0
| SyntaxError: unexpected EOF while parsing
| GetRequest:
| Private 0days
| Please enther number of exploits to send??: Traceback (most recent call last):
| File "./exploit.py", line 6, in <module>
| num_exploits = int(input(' Please enther number of exploits to send??: '))
| File "<string>", line 1, in <module>
| NameError: name 'GET' is not defined
| HTTPOptions, RTSPRequest:
| Private 0days
| Please enther number of exploits to send??: Traceback (most recent call last):
| Please enther number of exploits to send??: Traceback (most recent call last):
| File "./exploit.py", line 6, in <module>
| num_exploits = int(input(' Please enther number of exploits to send??: '))
| File "<string>", line 0
| SyntaxError: unexpected EOF while parsing
| GetRequest:
| Private 0days
| Please enther number of exploits to send??: Traceback (most recent call last):
| File "./exploit.py", line 6, in <module>
| num_exploits = int(input(' Please enther number of exploits to send??: '))
| File "<string>", line 1, in <module>
| NameError: name 'GET' is not defined
| HTTPOptions, RTSPRequest:
| Private 0days
| Please enther number of exploits to send??: Traceback (most recent call last):
| File "./exploit.py", line 6, in <module>
| num_exploits = int(input(' Please enther number of exploits to send??: '))
| File "<string>", line 1, in <module>
| NameError: name 'OPTIONS' is not defined
| NULL:
| Private 0days
|_ Please enther number of exploits to send??:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerpri
nt at https://nmap.org/cgi-bin/submit.cgi?new-service :
```
## PORT 10000
<img src="https://imgur.com/J9ACAKN.png"/>
__import__() is not really necessary in everyday Python programming. Its direct use is rare. But sometimes, when there is a need of importing modules during the runtime, this function comes quite handy.
Now we can exploit and insert this line to import os module and run bash we could do this as assigning it to a variable
<img src="https://imgur.com/izJGYFf.png"/>
Save the `credentials.png` on your local machine
<img src="https://imgur.com/ogvUZML.png"/>
Now I had now idea what was that but I had heared of a lanaguage like that looking at the results of `exiftool` it pointed me towards `Mondrian` on googling I came to know that `Piet Mondrian` is a Dutch artist best known for his abstract paintings and googling it even more resulted in that `Piet` is some kind of programming langauge
<img src="https://imgur.com/aYEyzyJ.png"/>
<img src="https://imgur.com/WHG87ct.png"/>
I found online interpreter for `piet` programming lanaguage https://www.bertnase.de/npiet/npiet-execute.php
But this was a rabbithole
<img src="https://imgur.com/0eKYhSt.png"/>
Now `king`'s home directory has `run.sh` and `root.sh` what we want do is somehow put a reverse shell in root.sh because it is running as `root` user in cronbjobs everyminute so delete that file make a new one so we can edit it set up a netcat listener to capture it
You can use bash or netcat reverse shell , I used the netcat reverse shell
<img src="https://imgur.com/NIJe5m6.png"/>