mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Add files via upload
This commit is contained in:
parent
a8355326aa
commit
c5724db05c
1 changed files with 174 additions and 0 deletions
174
TryHackMe/Bad_Byte.md
Normal file
174
TryHackMe/Bad_Byte.md
Normal file
|
@ -0,0 +1,174 @@
|
|||
# TryHackMe-Bad Byte
|
||||
|
||||
## Rustscan
|
||||
|
||||
```java
|
||||
|
||||
rustscan -a 10.10.28.94 -- -A -sC -sV
|
||||
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
|
||||
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
|
||||
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
|
||||
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
|
||||
The Modern Day Port Scanner.
|
||||
________________________________________
|
||||
: https://discord.gg/GFrQsGy :
|
||||
: https://github.com/RustScan/RustScan :
|
||||
--------------------------------------
|
||||
😵 https://admin.tryhackme.com
|
||||
|
||||
[~] The config file is expected to be at "/root/.rustscan.toml"
|
||||
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
|
||||
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
|
||||
Open 10.10.28.94:22
|
||||
Open 10.10.28.94:30024
|
||||
|
||||
PORT STATE SERVICE REASON VERSION
|
||||
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
|
||||
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9/A7kkuN5E+SS1C6w1NfeY196Rj4Y1Yx7njNCwNaCgIv8m+V+7MTHsRn3txLXRTHXErMqW3ypCmmjuY3O40kAragZSgA/XhdesGxGVa0szH
|
||||
K7H4fB28uQiyZgkOfIt/12kGaHB3iGwOeex2Hdg6ct4FdxTWKgDvuKZSLVoPXG66R8SOHql2cXfUtzyUMNJTTqoUED69soEJVG2ctfPKXi4BfFqM3OK2HgKzbmcSPXlLUTNhlcvjPuTa0kMRqiNT
|
||||
MVdP0PjSFdoaMviXHiznW7Fn6NHe3R/vIQt8Ac05Mdvim21QjRpJ4pm7v5+q1wXCJxGG6Ov71yThKP6yZ4ByMl
|
||||
| 256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
|
||||
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM9QUKykbzCSI7+PgoVzHNKOVIWf+zm0LN/f4n0VJc/P0J9TzLImkYHIOCnRFpNUPtiWGXbHXi
|
||||
67FQxEpgZMReo=
|
||||
| 256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
|
||||
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrvf1zJBhqU1RxUCYuTgoIy+7NzCqZeFWV67bt8+APV
|
||||
30024/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
|
||||
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|
||||
| -rw-r--r-- 1 ftp ftp 1743 Mar 23 20:03 id_rsa
|
||||
|_-rw-r--r-- 1 ftp ftp 78 Mar 23 20:09 note.txt
|
||||
| ftp-syst:
|
||||
| STAT:
|
||||
| FTP server status:
|
||||
| Connected to ::ffff:10.8.94.60
|
||||
| Logged in as ftp
|
||||
| TYPE: ASCII
|
||||
| No session bandwidth limit
|
||||
| Session timeout in seconds is 300
|
||||
| Control connection is plain text
|
||||
| Data connections will be plain text
|
||||
| At session startup, client count was 4
|
||||
| vsFTPd 3.0.3 - secure, fast, stable
|
||||
| At session startup, client count was 4
|
||||
| vsFTPd 3.0.3 - secure, fast, stable
|
||||
|_End of status
|
||||
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
|
||||
|
||||
```
|
||||
|
||||
We have two ports open , one is 22 (SSH) and the other one is 30024 (FTP)
|
||||
|
||||
## PORT 30024 (FTP)
|
||||
|
||||
<img src="https://imgur.com/InhrViT.png"/>
|
||||
|
||||
From the `note.txt`
|
||||
|
||||
```
|
||||
I always forget my password. Just let me store an ssh key here.
|
||||
- errorcauser
|
||||
```
|
||||
|
||||
So `errorcauser` might be a username and we have his `id_rsa` so we can now ssh into the machine
|
||||
|
||||
## PORT 22 (SSH)
|
||||
|
||||
As soon as we try to login with the private ,it's protected with a passphrase
|
||||
|
||||
<img src="https://imgur.com/X96pV5y.png"/>
|
||||
|
||||
So here we need `ssh2john` generate a hash for the key so we can crack it with `johntheripper` or `hashcat`
|
||||
|
||||
<img src="https://imgur.com/FMD6iKy.png"/>
|
||||
|
||||
And we successfully cracked the hash and got the passphrase so now we should be able to login
|
||||
|
||||
|
||||
<img src="https://imgur.com/uGWPD9w.png"/>
|
||||
|
||||
We are logged in as `errorcauser` but we see another note which tells that there's a webserver running on local port
|
||||
|
||||
<img src="https://imgur.com/uGWPD9w.png"/>
|
||||
|
||||
Since there is no `ss` or `nestat` installed we have create a socks proxy on localhost to see which ports are open in order to that we will login through ssh using this command
|
||||
|
||||
`ssh errorcauser@10.10.28.94 -i id_rsa -D 1337`
|
||||
|
||||
Also add socks5 proxy in `/etc/proxychains.conf`
|
||||
|
||||
<img src="https://imgur.com/Qh1mR9Z.png"/>
|
||||
|
||||
Now run a TCP scan on localhost
|
||||
|
||||
<img src="https://imgur.com/JvNPSvZ.png"/>
|
||||
|
||||
So we can see two more ports 80 and 3306 , so let's scan port 80 what's running on it
|
||||
|
||||
<img src="https://imgur.com/d8JYgR2.png"/>
|
||||
|
||||
Add proxy with `Foxyproxy` extension or you could manually add proxy setting
|
||||
|
||||
<img src="https://imgur.com/bUULaQh.png"/>
|
||||
|
||||
<img src="https://imgur.com/BbVshgg.png"/>
|
||||
|
||||
Using `wpscan` I enumerated the user
|
||||
|
||||
<img src="https://imgur.com/VWzkKvy.png"/>
|
||||
|
||||
<img src="https://imgur.com/q8LXKHb.png"/>
|
||||
|
||||
For some reason wpscan wasn't giving me plugins for wordpress so I decide to use nse (nmap scripting engine)
|
||||
|
||||
<img src="https://imgur.com/jxWJvZg.png"/>
|
||||
|
||||
This is the scipt I used to enumerate plugins also to note supply arguemnts to scan upto 1500 results from wordpress plugins script
|
||||
|
||||
`proxychains nmap -sT -p 80 --script http-wordpress-enum --script-args search-limit=1500 127.
|
||||
0.0.1`
|
||||
|
||||
|
||||
<img src="https://imgur.com/FMUZEjS.png"/>
|
||||
|
||||
So we have found these two plugins being used on wordpress and these both have exploits on `exploit-db`
|
||||
|
||||
<img src="https://imgur.com/5gEmRWu.png"/>
|
||||
|
||||
<img src="https://imgur.com/XsLxNnh.png"/>
|
||||
|
||||
|
||||
### Duplicator (Arbitary File Read)
|
||||
|
||||
<img src="https://imgur.com/ZzvqaqX.png"/>
|
||||
|
||||
<img src="https://imgur.com/jmo01JD.png"/>
|
||||
|
||||
### Wp-File manager (RCE)
|
||||
|
||||
<img src="https://imgur.com/OwF0kiA.png"/>
|
||||
|
||||
<img src="https://imgur.com/WZR3fNK.png"/>
|
||||
|
||||
<img src="https://imgur.com/jQ3DkgP.png"/>
|
||||
|
||||
I don't like the meterpreter shell so and I can't get the bash through it so I decided to generate a payload that will give a me a reverse shell
|
||||
|
||||
<img src="https://imgur.com/JNpk1H1.png"/>
|
||||
|
||||
<img src="https://imgur.com/V3Kq8Gd.png"/>
|
||||
|
||||
<img src="https://imgur.com/TwOv8Mn.png"/>
|
||||
|
||||
Now the room tells that password was logged so by going to `/var/logs` I find `bash.log` belongs cth so we can read it
|
||||
|
||||
<img src="https://imgur.com/3KTasuQ.png"/>
|
||||
|
||||
Here it gives us the old password , for the current password we can guess that since the year is 2021 so the password must be `G00dP@$sw0rd2021`
|
||||
|
||||
|
||||
<img src="https://imgur.com/whlooza.png"/>
|
||||
|
||||
And we guessed it right , we can run any command as sudo
|
||||
|
||||
<img src="https://imgur.com/iN8ssj3.png"/>
|
Loading…
Reference in a new issue