Add files via upload

2024-11-21 19:43:03 +00:00 · 2021-03-27 15:35:52 +05:00 · 2021-03-27 15:35:52 +05:00 · c5724db05c
commit c5724db05c
parent a8355326aa
1 changed files with 174 additions and 0 deletions
--- a/TryHackMe/Bad_Byte.md
+++ b/TryHackMe/Bad_Byte.md
@ -0,0 +1,174 @@
+# TryHackMe-Bad Byte
+
+## Rustscan
+
+```java
+
+rustscan -a 10.10.28.94 -- -A -sC -sV
+.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.             
+| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |             
+| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |              
+`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                  
+The Modern Day Port Scanner.                                              
+________________________________________                                  
+: https://discord.gg/GFrQsGy           :                                                                                                            
+: https://github.com/RustScan/RustScan :                                                                                                            
+ --------------------------------------                                   
+😵 https://admin.tryhackme.com                                            
+
+[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                     
+[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
+[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
+Open 10.10.28.94:22                  
+Open 10.10.28.94:30024               
+
+PORT      STATE SERVICE REASON         VERSION                            
+22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)                                                 
+| ssh-hostkey:                       
+|   2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)           
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9/A7kkuN5E+SS1C6w1NfeY196Rj4Y1Yx7njNCwNaCgIv8m+V+7MTHsRn3txLXRTHXErMqW3ypCmmjuY3O40kAragZSgA/XhdesGxGVa0szH
+K7H4fB28uQiyZgkOfIt/12kGaHB3iGwOeex2Hdg6ct4FdxTWKgDvuKZSLVoPXG66R8SOHql2cXfUtzyUMNJTTqoUED69soEJVG2ctfPKXi4BfFqM3OK2HgKzbmcSPXlLUTNhlcvjPuTa0kMRqiNT
+MVdP0PjSFdoaMviXHiznW7Fn6NHe3R/vIQt8Ac05Mdvim21QjRpJ4pm7v5+q1wXCJxGG6Ov71yThKP6yZ4ByMl
+|   256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)   
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM9QUKykbzCSI7+PgoVzHNKOVIWf+zm0LN/f4n0VJc/P0J9TzLImkYHIOCnRFpNUPtiWGXbHXi
+67FQxEpgZMReo=                       
+|   256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrvf1zJBhqU1RxUCYuTgoIy+7NzCqZeFWV67bt8+APV
+30024/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3                       
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)                    
+| -rw-r--r--    1 ftp      ftp          1743 Mar 23 20:03 id_rsa   
+|_-rw-r--r--    1 ftp      ftp            78 Mar 23 20:09 note.txt
+| ftp-syst:                          
+|   STAT:                            
+| FTP server status:                 
+|      Connected to ::ffff:10.8.94.60                                     
+|      Logged in as ftp              
+|      TYPE: ASCII                   
+|      No session bandwidth limit                                         
+|      Session timeout in seconds is 300                                  
+|      Control connection is plain text                                   
+|      Data connections will be plain text                                
+|      At session startup, client count was 4                             
+|      vsFTPd 3.0.3 - secure, fast, stable
+|      At session startup, client count was 4                             
+|      vsFTPd 3.0.3 - secure, fast, stable                                
+|_End of status                      
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port             
+
+```
+
+We have two ports open , one is 22 (SSH) and the other one is 30024 (FTP)
+
+## PORT 30024 (FTP)
+
+<img src="https://imgur.com/InhrViT.png"/>
+
+From the `note.txt` 
+
+```
+I always forget my password. Just let me store an ssh key here.
+- errorcauser
+```
+
+So `errorcauser` might be a username and we have his `id_rsa` so we can now ssh into the machine
+
+## PORT 22 (SSH)
+
+As soon as we try to login with the private ,it's protected with a passphrase
+
+<img src="https://imgur.com/X96pV5y.png"/>
+
+So here we need `ssh2john` generate a hash for the key so we can crack it with `johntheripper` or `hashcat`
+
+<img src="https://imgur.com/FMD6iKy.png"/>
+
+And we successfully cracked the hash and got the passphrase so now we should be able to login
+
+
+<img src="https://imgur.com/uGWPD9w.png"/>
+
+We are logged in as `errorcauser` but we see another note which tells that there's a webserver running on local port
+
+<img src="https://imgur.com/uGWPD9w.png"/>
+
+Since there is no `ss` or `nestat` installed we have create a socks proxy on localhost to see which ports are open in order to that we will login through ssh using this command 
+
+`ssh errorcauser@10.10.28.94 -i id_rsa -D 1337`
+
+Also add socks5 proxy in `/etc/proxychains.conf`
+
+<img src="https://imgur.com/Qh1mR9Z.png"/>
+
+Now run a TCP scan on localhost
+
+<img src="https://imgur.com/JvNPSvZ.png"/>
+
+So we can see two more ports 80 and 3306 , so let's scan port 80 what's running on it
+
+<img src="https://imgur.com/d8JYgR2.png"/>
+
+Add proxy with `Foxyproxy` extension or you could manually add proxy setting
+
+<img src="https://imgur.com/bUULaQh.png"/>
+
+<img src="https://imgur.com/BbVshgg.png"/>
+
+Using `wpscan` I enumerated the user
+
+<img src="https://imgur.com/VWzkKvy.png"/>
+
+<img src="https://imgur.com/q8LXKHb.png"/>
+
+For some reason wpscan wasn't giving me plugins for wordpress so I decide to use nse (nmap scripting engine)
+
+<img src="https://imgur.com/jxWJvZg.png"/>
+
+This is the scipt I used to enumerate plugins also to note supply arguemnts to scan upto 1500 results from wordpress plugins script
+
+`proxychains nmap -sT -p 80 --script http-wordpress-enum --script-args search-limit=1500 127.
+0.0.1`
+
+
+<img src="https://imgur.com/FMUZEjS.png"/>
+
+So we have found these two plugins being used on wordpress and these both have exploits on `exploit-db`
+
+<img src="https://imgur.com/5gEmRWu.png"/>
+
+<img src="https://imgur.com/XsLxNnh.png"/>
+
+
+### Duplicator (Arbitary File Read)
+
+<img src="https://imgur.com/ZzvqaqX.png"/>
+
+<img src="https://imgur.com/jmo01JD.png"/>
+
+### Wp-File manager (RCE)
+
+<img src="https://imgur.com/OwF0kiA.png"/>
+
+<img src="https://imgur.com/WZR3fNK.png"/>
+
+<img src="https://imgur.com/jQ3DkgP.png"/>
+
+I don't like the meterpreter shell so and I can't get the bash through it so I decided to generate a payload that will give a me a reverse shell
+
+<img src="https://imgur.com/JNpk1H1.png"/>
+
+<img src="https://imgur.com/V3Kq8Gd.png"/>
+
+<img src="https://imgur.com/TwOv8Mn.png"/>
+
+Now the room tells that password was logged so by going to `/var/logs` I find `bash.log` belongs cth so we can read it
+
+<img src="https://imgur.com/3KTasuQ.png"/>
+
+Here it gives us the old password , for the current password we can guess that since the year is 2021 so the password must be `G00dP@$sw0rd2021`
+
+
+<img src="https://imgur.com/whlooza.png"/>
+
+And we guessed it right , we can run any command as sudo
+
+<img src="https://imgur.com/iN8ssj3.png"/>