mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 03:53:03 +00:00
Add files via upload
This commit is contained in:
parent
b8708b229a
commit
c8bba2bc64
1 changed files with 256 additions and 0 deletions
256
TryHackMe/GottaCatchemAll.md
Normal file
256
TryHackMe/GottaCatchemAll.md
Normal file
|
@ -0,0 +1,256 @@
|
|||
# TryHackMe-Gotta Catch'Em All!
|
||||
|
||||
>Abdullah Rizwan | 08:54 PM , 24 October 2020
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
nmap -sC -sV 10.10.122.194
|
||||
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-24 20:55 PKT
|
||||
Nmap scan report for 10.10.122.194
|
||||
Host is up (0.27s latency).
|
||||
Not shown: 998 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 58:14:75:69:1e:a9:59:5f:b2:3a:69:1c:6c:78:5c:27 (RSA)
|
||||
| 256 23:f5:fb:e7:57:c2:a5:3e:c2:26:29:0e:74:db:37:c2 (ECDSA)
|
||||
|_ 256 f1:9b:b5:8a:b9:29:aa:b6:aa:a2:52:4a:6e:65:95:c5 (ED25519)
|
||||
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
||||
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||||
|_http-title: Can You Find Them All?
|
||||
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 33.19 seconds
|
||||
|
||||
```
|
||||
## Gobuser
|
||||
|
||||
```
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.122.194
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/10/24 21:13:03 Starting gobuster
|
||||
===============================================================
|
||||
/.htaccess (Status: 403)
|
||||
/.hta (Status: 403)
|
||||
/.htpasswd (Status: 403)
|
||||
/index.html (Status: 200)
|
||||
/server-status (Status: 403)
|
||||
===============================================================
|
||||
2020/10/24 21:14:36 Finished
|
||||
===============================================================
|
||||
|
||||
```
|
||||
Running the gobuster , didn't find any directory
|
||||
|
||||
## PORT 80
|
||||
|
||||
Coming on to the web page we see a default apache server running
|
||||
|
||||
<img src="https://imgur.com/R9Ef1LC.png"/>
|
||||
|
||||
Going through the source of the web page we will find something interesting
|
||||
|
||||
|
||||
<img src="https://imgur.com/BmV9tVZ.png"/>
|
||||
|
||||
<img src="https://imgur.com/yJJa6Cv.png"/>
|
||||
|
||||
`<pokemon>:<hack_the_pokemon>` looks like username and password for ssh since port 22 is open.
|
||||
|
||||
## PORT 22
|
||||
|
||||
```
|
||||
root@kali:~/TryHackMe/Easy/GottaCatchemAll# ssh pokemon@10.10.122.194
|
||||
pokemon@10.10.122.194's password:
|
||||
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-112-generic x86_64)
|
||||
|
||||
* Documentation: https://help.ubuntu.com
|
||||
* Management: https://landscape.canonical.com
|
||||
* Support: https://ubuntu.com/advantage
|
||||
|
||||
84 packages can be updated.
|
||||
0 updates are security updates.
|
||||
|
||||
|
||||
The programs included with the Ubuntu system are free software;
|
||||
the exact distribution terms for each program are described in the
|
||||
individual files in /usr/share/doc/*/copyright.
|
||||
|
||||
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
|
||||
applicable law.
|
||||
|
||||
pokemon@root:~$
|
||||
|
||||
```
|
||||
And we got in but we this user is not in `sudoers` so it cannot run commands as root or doesn't have permissions to run privleged commands
|
||||
|
||||
```
|
||||
|
||||
pokemon@root:~$ whoami
|
||||
pokemon
|
||||
pokemon@root:~$ sudo -l
|
||||
[sudo] password for pokemon:
|
||||
Sorry, try again.
|
||||
[sudo] password for pokemon:
|
||||
sudo: 1 incorrect password attempt
|
||||
pokemon@root:~$ sudo -l
|
||||
[sudo] password for pokemon:
|
||||
Sorry, user pokemon may not run sudo on root.
|
||||
pokemon@root:~$
|
||||
|
||||
```
|
||||
We can find `roots-pokemon.txt` but cannot read it as only the user `ash` and `root ` are owners of it.
|
||||
|
||||
<img src="https://imgur.com/YWg2htw.png"/>
|
||||
|
||||
Going to `pokemon`'s directory we can see there is `P0kEmOn.zip`
|
||||
|
||||
<img src="https://imgur.com/nhjLvu1.png"/>
|
||||
|
||||
### Grass-Type Pokemon
|
||||
```
|
||||
pokemon@root:~/Desktop$ unzip P0kEmOn.zip
|
||||
Archive: P0kEmOn.zip
|
||||
creating: P0kEmOn/
|
||||
inflating: P0kEmOn/grass-type.txt
|
||||
pokemon@root:~/Desktop$ ls -la
|
||||
total 16
|
||||
drwxr-xr-x 3 pokemon pokemon 4096 Oct 24 12:52 .
|
||||
drwxr-xr-x 19 pokemon pokemon 4096 Oct 24 11:54 ..
|
||||
drwxrwxr-x 2 pokemon pokemon 4096 Jun 22 22:37 P0kEmOn
|
||||
-rw-rw-r-- 1 pokemon pokemon 383 Jun 22 22:40 P0kEmOn.zip
|
||||
pokemon@root:~/Desktop$
|
||||
|
||||
```
|
||||
On decompressing it you will get a folder, read the file `grass-type.txt` and find this hex encoded text
|
||||
|
||||
```
|
||||
50 6f 4b 65 4d 6f 4e 7b 42 75 6c 62 61 73 61 75 72 7d
|
||||
|
||||
```
|
||||
On decoding it you will get the flag : `PoKeMoN{Bulbasaur}`
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
### Find
|
||||
|
||||
By running the find command to look for all .txt files we can find 3 files that we need
|
||||
```
|
||||
pokemon@root:/$ find / -type f -name "*.txt" 2>/dev/null
|
||||
/var/cache/dictionaries-common/ispell-dicts-list.txt
|
||||
/var/lib/nssdb/pkcs11.txt
|
||||
/var/www/html/water-type.txt
|
||||
/etc/X11/rgb.txt
|
||||
/etc/why_am_i_here?/fire-type.txt
|
||||
/etc/brltty/Input/bd/all.txt
|
||||
/etc/brltty/Input/vs/all.txt
|
||||
/etc/brltty/Input/eu/all.txt
|
||||
/etc/brltty/Input/tt/all.txt
|
||||
/etc/brltty/Input/lb/all.txt
|
||||
/etc/brltty/Input/vr/all.txt
|
||||
/etc/brltty/Input/tn/all.txt
|
||||
/etc/brltty/Input/mb/all.txt
|
||||
/etc/brltty/Input/mn/all.txt
|
||||
/etc/brltty/Input/vd/all.txt
|
||||
/etc/brltty/Input/bl/18.txt
|
||||
/etc/brltty/Input/bl/40_m20_m40.txt
|
||||
/etc/brltty/Input/ba/all.txt
|
||||
/etc/brltty/Input/ec/spanish.txt
|
||||
/etc/brltty/Input/ec/all.txt
|
||||
.....
|
||||
|
||||
```
|
||||
```
|
||||
/var/www/html/water-type.txt
|
||||
/etc/why_am_i_here?/fire-type.txt
|
||||
/home/roots-pokemon.txt
|
||||
```
|
||||
But we already found `roots-pokemon.txt` we just don't have permissions to view it
|
||||
|
||||
|
||||
### Water-Type Pokemon
|
||||
```
|
||||
pokemon@root:/$ cat /var/www/html/water-type.txt
|
||||
Ecgudfxq_EcGmP{Ecgudfxq}
|
||||
```
|
||||
This gives us a rot13(shift cipher) encoded text , by changing the key of rot13 we can get the flag
|
||||
|
||||
|
||||
<img src="https://imgur.com/Ms1lu4Z.png"/>
|
||||
|
||||
flag `Squirtle_SqUaD{Squirtle}`
|
||||
|
||||
|
||||
### Fire-Type Pokemon
|
||||
|
||||
```
|
||||
pokemon@root:/$ cat /etc/why_am_i_here?/fire-type.txt
|
||||
UDBrM20wbntDaGFybWFuZGVyfQ==
|
||||
|
||||
```
|
||||
|
||||
By looking at two equal signs(=) we can say that this is a base64 encoded text on decoding it
|
||||
|
||||
flag `P0k3m0n{Charmander}`
|
||||
|
||||
|
||||
### Root's Favorite Pokemon
|
||||
|
||||
Now only thing which is left is to root the box and read that `/home/roots-pokemon.txt`
|
||||
|
||||
I found another interesting thing in `~/Vidoes`
|
||||
|
||||
```
|
||||
pokemon@root:~$ cd Videos/
|
||||
pokemon@root:~/Videos$ ls -la
|
||||
total 12
|
||||
drwxr-xr-x 3 pokemon pokemon 4096 Jun 22 23:10 .
|
||||
drwxr-xr-x 19 pokemon pokemon 4096 Oct 24 11:54 ..
|
||||
drwxrwxr-x 3 pokemon pokemon 4096 Jun 22 23:10 Gotta
|
||||
pokemon@root:~/Videos$ cd Gotta/
|
||||
pokemon@root:~/Videos/Gotta$ ls
|
||||
Catch
|
||||
pokemon@root:~/Videos/Gotta$ cd Catch/
|
||||
pokemon@root:~/Videos/Gotta/Catch$ ls
|
||||
Them
|
||||
pokemon@root:~/Videos/Gotta/Catch$ cd Them/
|
||||
pokemon@root:~/Videos/Gotta/Catch/Them$ ls
|
||||
ALL!
|
||||
pokemon@root:~/Videos/Gotta/Catch/Them$ cd ALL\!/
|
||||
pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ ls
|
||||
Could_this_be_what_Im_looking_for?.cplusplus
|
||||
pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$
|
||||
|
||||
```
|
||||
Now on reading that c++ source code
|
||||
|
||||
```
|
||||
int main() {
|
||||
std::cout << "ash : pikapika"
|
||||
return 0;
|
||||
|
||||
```
|
||||
This will give us password for user `ash`
|
||||
|
||||
|
||||
|
||||
<img src="https://imgur.com/JJpAryg.png"/>
|
||||
|
||||
Now we can bascially run everything
|
||||
|
||||
```
|
||||
ash@root:/home$ sudo bash
|
||||
root@root:/home#
|
||||
```
|
Loading…
Reference in a new issue