From 861c46526579684a06ac7f1012fd35fae9f80ff4 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Wed, 17 Feb 2021 16:04:18 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/The_Great_Escape.md | 215 ++++++++++++++++++++++++++++++++++
1 file changed, 215 insertions(+)
create mode 100644 TryHackMe/The_Great_Escape.md
diff --git a/TryHackMe/The_Great_Escape.md b/TryHackMe/The_Great_Escape.md
new file mode 100644
index 0000000..125720a
--- /dev/null
+++ b/TryHackMe/The_Great_Escape.md
@@ -0,0 +1,215 @@
+# TryHackMe-The Great Escape
+
+## NMAP
+
+```
+nmap -sC -sV 10.10.108.159
+
+Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-15 16:17 PKT
+Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
+Service scan Timing: About 50.00% done; ETC: 16:21 (0:02:05 remaining)
+Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
+Service scan Timing: About 50.00% done; ETC: 16:22 (0:02:10 remaining)
+Nmap scan report for 10.10.108.159
+Host is up (0.16s latency).
+Not shown: 998 closed ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh?
+| fingerprint-strings:
+| GenericLines:
+|_ uT9UNaD!^xFWU'tGL'-@"d2gE"Xd
+|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
+80/tcp open http nginx 1.19.6
+| http-robots.txt: 3 disallowed entries
+|_/api/ /exif-util /*.bak.txt$
+|_http-server-header: nginx/1.19.6
+|_http-title: docker-escape-nuxt
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port22-TCP:V=7.80%I=7%D=2/15%Time=602A5867%P=x86_64-pc-linux-gnu%r(Gene
+SF:ricLines,1F,"uT9UNaD!\^xFWU'tGL\\'-@\"d2gE\"Xd\r\n");
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 195.11 seconds
+
+```
+
+## PORT 80 (HTTP)
+
+
+From the nmap scan we see 3 disallowed entries
+
+
+
+The first entry which is `/api/` gives 503 which we get when a server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
+
+
+
+The second entry invloves uploading a image file
+
+
+
+And for the third I didn't know how to access `/\*.bak.txt$`
+
+
+
+## Dirsearch
+
+For fuzzing I used dirsearch but I was getting a lot of 503 status codes
+
+
+
+But I did saw `/api/` which was having 301 status code with a length of `169` bytes
+
+
+
+I also ran `nikto` and it found some cert and archive files but they were also giving 503 errors
+
+
+
+So there is some WAF (Web Application Firewall) that is implemented that we need to bypass so here automated tools may not work .
+
+For the web flag I looked at the hint which said about a "well-known file", I though about robots.txt , the javascript file but it was a dead end so started to guess it and eventually got there
+
+
+
+It says to make a request with a HEAD
+
+
+
+Going back to `robots.txt` I tried to combine two disallowed entries and got to somewhere
+
+
+
+
+
+If we focus on this part
+
+
+
+We can see that it's pointing at `/exif` and has a parameter `url`
+
+
+
+
+
+We can do LFI now , since it's a docker container you can tell as there aren't any usernames so we'll directly go `/root/` directory
+
+
+
+Reading the `dev-note.txt`
+
+
+
+So we got the password but not sure if it's for hydra. Visiting the `/root/.git/` folder
+
+
+
+
+I used this command to search for files
+
+```
+http://10.10.176.126/api/exif?url=http://api-dev-backup:8080/exif?url=;cd%20/root/.git/;pwd;ls%20-la%20objects
+```
+
+
+
+And found objects which could be recovered using `git show
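Review bot: the technique is mislabelled in the "We can do LFI now" paragraph; the final request (`/api/exif?url=http://api-dev-backup:8080/exif?url=;cd%20/root/.git/;pwd;ls%20-la%20objects`) chains shell metacharacters (`;cd`, `;pwd`, `;ls`) through the nested `url` parameter of the internal `api-dev-backup` service, which is command injection reached via SSRF, not local file inclusion. Consider renaming the section and adding one sentence on why the backend is reachable only through the front-end `/api/exif` proxy, since that is the root cause the reader should take away. Separately, the runs of blank lines between paragraphs look like dropped screenshot embeds (e.g. after "If we focus on this part" and "Reading the `dev-note.txt`"); the file should either carry the image references or a line of text stating what each screenshot showed, otherwise "got to somewhere" and "It says to make a request with a HEAD" have no visible result. Minor wording fixes: "invloves" -> "involves", "a image" -> "an image", "I did saw" -> "I did see", "I though" -> "I thought".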