From 9d16e463485c9e474ab24b0b8e48c5ed2896521a Mon Sep 17 00:00:00 2001 From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Thu, 10 Dec 2020 00:40:28 +0500 Subject: [PATCH] Add files via upload --- TryHackMe/Carnage.md | 176 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 176 insertions(+) create mode 100644 TryHackMe/Carnage.md diff --git a/TryHackMe/Carnage.md b/TryHackMe/Carnage.md new file mode 100644 index 0000000..bbb1f65 --- /dev/null +++ b/TryHackMe/Carnage.md @@ -0,0 +1,176 @@ +# TryHackMe-Carnage + + +``` +Service scan Timing: About 83.33% done; ETC: 18:34 (0:00:06 remaining) +Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan +Service scan Timing: About 83.33% done; ETC: 18:35 (0:00:13 remaining) +Nmap scan report for 10.10.7.102 +Host is up (0.18s latency). +Not shown: 994 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0) +| ssh-hostkey: +| 1024 b1:ac:a9:92:d3:2a:69:91:68:b4:6a:ac:45:43:fb:ed (DSA) +| 2048 3a:3f:9f:59:29:c8:20:d7:3a:c5:04:aa:82:36:68:3f (RSA) +| 256 f9:2f:bb:e3:ab:95:ee:9e:78:7c:91:18:7d:95:84:ab (ECDSA) +|_ 256 49:0e:6f:cb:ec:6c:a5:97:67:cc:3c:31:ad:94:a4:54 (ED25519) +80/tcp open http Apache httpd 2.4.10 ((Debian)) +|_http-server-header: Apache/2.4.10 (Debian) +|_http-title: Hill Studios - Index +81/tcp open http Apache httpd 2.4.10 ((Debian)) +|_http-server-header: Apache/2.4.10 (Debian) +|_http-title: Hill Studios - Index +82/tcp open http Apache httpd 2.4.10 ((Debian)) +|_http-server-header: Apache/2.4.10 (Debian) +|_http-title: Hill Studios - Index +83/tcp open http Apache httpd 2.4.10 ((Debian)) +|_http-server-header: Apache/2.4.10 (Debian) +|_http-title: Site doesn't have a title (text/html). +9999/tcp open abyss? +| fingerprint-strings: +| FourOhFourRequest, HTTPOptions: +| HTTP/1.0 200 OK +| Date: Tue, 29 Sep 2020 13:34:05 GMT +| Content-Length: 0 +| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie: +| HTTP/1.1 400 Bad Request +| Content-Type: text/plain; charset=utf-8 +| Connection: close +| Request +| GetRequest: +| HTTP/1.0 200 OK +| Date: Tue, 29 Sep 2020 13:34:04 GMT +|_ Content-Length: 0 +1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : +SF-Port9999-TCP:V=7.80%I=7%D=9/29%Time=5F7337CC%P=x86_64-pc-linux-gnu%r(Ge +SF:tRequest,4B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x2020 +SF:20\x2013:34:04\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,4 +SF:B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x202020\x2013:3 +SF:4:05\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequest,4B,"H +SF:TTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x202020\x2013:34:05 +SF:\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(GenericLines,67,"HTTP/1\.1\ +SF:x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf +SF:-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(RTSPRequest +SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain; +SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request" +SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex +SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20 +SF:Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon +SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\ +SF:r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\ +SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC +SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67," +SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c +SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(K +SF:erberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text +SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R +SF:equest")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent- +SF:Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n40 +SF:0\x20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Re +SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x +SF:20close\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,67,"HTTP/1\.1\x2040 +SF:0\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\ +SF:nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"); +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + + + +``` +# PORT 80 + +``` +gobuster dir -u http://10.10.7.102/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +=============================================================== +Gobuster v3.0.1 +by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) +=============================================================== +[+] Url: http://10.10.7.102/ +[+] Threads: 10 +[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +[+] Status codes: 200,204,301,302,307,401,403 +[+] User Agent: gobuster/3.0.1 +[+] Timeout: 10s +=============================================================== +2020/09/29 18:35:58 Starting gobuster +=============================================================== +/assets (Status: 301) +/forms (Status: 301) +/upload (Status: 301) +Progress: 7391 / 220561 (3.35%)^C +[!] Keyboard interrupt detected, terminating. +=============================================================== +2020/09/29 18:38:11 Finished +===================================================== +``` + +# PORT 81 + +``` +gobuster dir -u http://10.10.7.102:81/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +=============================================================== +Gobuster v3.0.1 +by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) +=============================================================== +[+] Url: http://10.10.7.102:81/ +[+] Threads: 10 +[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +[+] Status codes: 200,204,301,302,307,401,403 +[+] User Agent: gobuster/3.0.1 +[+] Timeout: 10s +=============================================================== +2020/09/29 18:38:31 Starting gobuster +=============================================================== +/assets (Status: 301) +/forms (Status: 301) +/css (Status: 301) +/script (Status: 301) +Progress: 6547 / 220561 (2.97%)^C +[!] Keyboard interrupt detected, terminating. + + +``` + +Login form + +user : admin' or 1=1 -- +password : + +`Welcome bobba` + +Nothing much can't be done from here. + +# PORT 82 + + +We can upload a php file but will have to bypass filters +``` +gobuster dir -u http://10.10.7.102:82/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +=============================================================== +Gobuster v3.0.1 +by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) +=============================================================== +[+] Url: http://10.10.7.102:82/ +[+] Threads: 10 +[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +[+] Status codes: 200,204,301,302,307,401,403 +[+] User Agent: gobuster/3.0.1 +[+] Timeout: 10s +=============================================================== +2020/09/29 18:42:36 Starting gobuster +=============================================================== +/images (Status: 301) +/assets (Status: 301) +/css (Status: 301) +Progress: 10069 / 220561 (4.57%)^C + + +``` + +Now open burp and upload reverse shell by changing it's extensions `shell.gif` , turn on intercept and before uploading it send it to `repeater` turn off intercept , after that `shell.gif` gets uploaded go to burp's `repeater` and add the extension `shell.gif.php` and the navigate to `/images/shell.gif.php`. If you have already setup netcat listener you get a reverse shell. + +# PORT 83 + +``` +Nothing here +``` \ No newline at end of file