mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Add files via upload
This commit is contained in:
parent
6582771fae
commit
9d16e46348
1 changed files with 176 additions and 0 deletions
176
TryHackMe/Carnage.md
Normal file
176
TryHackMe/Carnage.md
Normal file
|
@ -0,0 +1,176 @@
|
|||
# TryHackMe-Carnage
|
||||
|
||||
|
||||
```
|
||||
Service scan Timing: About 83.33% done; ETC: 18:34 (0:00:06 remaining)
|
||||
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
|
||||
Service scan Timing: About 83.33% done; ETC: 18:35 (0:00:13 remaining)
|
||||
Nmap scan report for 10.10.7.102
|
||||
Host is up (0.18s latency).
|
||||
Not shown: 994 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 1024 b1:ac:a9:92:d3:2a:69:91:68:b4:6a:ac:45:43:fb:ed (DSA)
|
||||
| 2048 3a:3f:9f:59:29:c8:20:d7:3a:c5:04:aa:82:36:68:3f (RSA)
|
||||
| 256 f9:2f:bb:e3:ab:95:ee:9e:78:7c:91:18:7d:95:84:ab (ECDSA)
|
||||
|_ 256 49:0e:6f:cb:ec:6c:a5:97:67:cc:3c:31:ad:94:a4:54 (ED25519)
|
||||
80/tcp open http Apache httpd 2.4.10 ((Debian))
|
||||
|_http-server-header: Apache/2.4.10 (Debian)
|
||||
|_http-title: Hill Studios - Index
|
||||
81/tcp open http Apache httpd 2.4.10 ((Debian))
|
||||
|_http-server-header: Apache/2.4.10 (Debian)
|
||||
|_http-title: Hill Studios - Index
|
||||
82/tcp open http Apache httpd 2.4.10 ((Debian))
|
||||
|_http-server-header: Apache/2.4.10 (Debian)
|
||||
|_http-title: Hill Studios - Index
|
||||
83/tcp open http Apache httpd 2.4.10 ((Debian))
|
||||
|_http-server-header: Apache/2.4.10 (Debian)
|
||||
|_http-title: Site doesn't have a title (text/html).
|
||||
9999/tcp open abyss?
|
||||
| fingerprint-strings:
|
||||
| FourOhFourRequest, HTTPOptions:
|
||||
| HTTP/1.0 200 OK
|
||||
| Date: Tue, 29 Sep 2020 13:34:05 GMT
|
||||
| Content-Length: 0
|
||||
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|
||||
| HTTP/1.1 400 Bad Request
|
||||
| Content-Type: text/plain; charset=utf-8
|
||||
| Connection: close
|
||||
| Request
|
||||
| GetRequest:
|
||||
| HTTP/1.0 200 OK
|
||||
| Date: Tue, 29 Sep 2020 13:34:04 GMT
|
||||
|_ Content-Length: 0
|
||||
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
|
||||
SF-Port9999-TCP:V=7.80%I=7%D=9/29%Time=5F7337CC%P=x86_64-pc-linux-gnu%r(Ge
|
||||
SF:tRequest,4B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x2020
|
||||
SF:20\x2013:34:04\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,4
|
||||
SF:B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x202020\x2013:3
|
||||
SF:4:05\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequest,4B,"H
|
||||
SF:TTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x202020\x2013:34:05
|
||||
SF:\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(GenericLines,67,"HTTP/1\.1\
|
||||
SF:x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf
|
||||
SF:-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(RTSPRequest
|
||||
SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;
|
||||
SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"
|
||||
SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
|
||||
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
|
||||
SF:Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
|
||||
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
|
||||
SF:r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\
|
||||
SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC
|
||||
SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67,"
|
||||
SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c
|
||||
SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(K
|
||||
SF:erberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
|
||||
SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R
|
||||
SF:equest")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-
|
||||
SF:Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n40
|
||||
SF:0\x20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Re
|
||||
SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x
|
||||
SF:20close\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,67,"HTTP/1\.1\x2040
|
||||
SF:0\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\
|
||||
SF:nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
|
||||
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
|
||||
|
||||
|
||||
```
|
||||
# PORT 80
|
||||
|
||||
```
|
||||
gobuster dir -u http://10.10.7.102/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
===============================================================
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.7.102/
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/09/29 18:35:58 Starting gobuster
|
||||
===============================================================
|
||||
/assets (Status: 301)
|
||||
/forms (Status: 301)
|
||||
/upload (Status: 301)
|
||||
Progress: 7391 / 220561 (3.35%)^C
|
||||
[!] Keyboard interrupt detected, terminating.
|
||||
===============================================================
|
||||
2020/09/29 18:38:11 Finished
|
||||
=====================================================
|
||||
```
|
||||
|
||||
# PORT 81
|
||||
|
||||
```
|
||||
gobuster dir -u http://10.10.7.102:81/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
===============================================================
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.7.102:81/
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/09/29 18:38:31 Starting gobuster
|
||||
===============================================================
|
||||
/assets (Status: 301)
|
||||
/forms (Status: 301)
|
||||
/css (Status: 301)
|
||||
/script (Status: 301)
|
||||
Progress: 6547 / 220561 (2.97%)^C
|
||||
[!] Keyboard interrupt detected, terminating.
|
||||
|
||||
|
||||
```
|
||||
|
||||
Login form
|
||||
|
||||
user : admin' or 1=1 --
|
||||
password :
|
||||
|
||||
`Welcome bobba`
|
||||
|
||||
Nothing much can't be done from here.
|
||||
|
||||
# PORT 82
|
||||
|
||||
|
||||
We can upload a php file but will have to bypass filters
|
||||
```
|
||||
gobuster dir -u http://10.10.7.102:82/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
===============================================================
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.7.102:82/
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/09/29 18:42:36 Starting gobuster
|
||||
===============================================================
|
||||
/images (Status: 301)
|
||||
/assets (Status: 301)
|
||||
/css (Status: 301)
|
||||
Progress: 10069 / 220561 (4.57%)^C
|
||||
|
||||
|
||||
```
|
||||
|
||||
Now open burp and upload reverse shell by changing it's extensions `shell.gif` , turn on intercept and before uploading it send it to `repeater` turn off intercept , after that `shell.gif` gets uploaded go to burp's `repeater` and add the extension `shell.gif.php` and the navigate to `/images/shell.gif.php`. If you have already setup netcat listener you get a reverse shell.
|
||||
|
||||
# PORT 83
|
||||
|
||||
```
|
||||
Nothing here
|
||||
```
|
Loading…
Reference in a new issue