CTF-Writeups/TryHackMe/Hygine.md
2021-11-05 00:28:06 +05:00


TryHackMe-Hygiene

NMAP


```
PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
37652/tcp open  ftp     syn-ack ttl 63 ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 1000     1000          118 Oct 29 02:21 memo.txt
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
8080/tcp  open  http-proxy
| fingerprint-strings:
|   LDAPBindReq:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 2295
|     Date: Thu, 04 Nov 2021 13:02:11 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|   LDAPSearchReq:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
```

PORT 37652 (FTP)

From the nmap scan we can see that anonymous FTP login is allowed (the ftp-anon script result), which means we can log in as the anonymous user without a password.

From the memo.txt file we see that a user named joe has sent an email containing a password hash; cracking the hash gives the password nightmare.
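The observations above (anonymous FTP, version-disclosing banners) are the kind of thing worth pulling out of a scan automatically. The following is an added example, not part of the original writeup: it parses nmap's normal output format (with `--reason`, so open ports carry `syn-ack ttl N`), keeps top-level NSE script results per port, and flags the hygiene issues a defender would fix first. The scan text is a constructed, shortened sample modelled on the one above.

```python
import re

# Constructed sample in nmap's normal output format, shortened on purpose.
SAMPLE_SCAN = """\
PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
37652/tcp open  ftp     syn-ack ttl 63 ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 1000     1000          118 Oct 29 02:21 memo.txt
8080/tcp  open  http-proxy
| fingerprint-strings:
|   LDAPBindReq:
"""

# One port line: "PORT/PROTO STATE SERVICE [syn-ack ttl N] [VERSION]"
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+syn-ack ttl \d+)?\s*(.*)$")
# Top-level NSE script line "| name: value"; nested "|   ..." lines are skipped
SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):\s*(.*)$")

def parse_nmap(text):
    """Parse normal-format nmap output into one dict per port."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": {}}
            ports.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current["scripts"][m.group(1)] = m.group(2)
    return ports

def hygiene_findings(ports):
    """Flag anonymous FTP and banners that disclose an exact service version."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        if "Anonymous FTP login allowed" in p["scripts"].get("ftp-anon", ""):
            findings.append((p["port"], "anonymous-ftp"))
        if re.search(r"\d+\.\d+", p["version"]):
            findings.append((p["port"], "version-banner"))
    return findings
```

Moving FTP to port 37652 does not hide it: the parser still sees the ProFTPD banner and the anonymous-login result exactly as on port 21.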

PORT 8080 (HTTP)

The web server on port 8080 is running Apache Tomcat.

Running stegcracker on the PNG image reveals an Easter egg.

Foothold

Unintended

We were told to find a username on the page, but there wasn't one. All we know is that the username is five characters long, so we can try brute-forcing five-character usernames.

We can then get a shell as sally.

Intended

Running gobuster, we can find some directories.

I tried using default creds on /manager and /host-manager but wasn't successful, so I did a recursive fuzz on admin.

This returned staging, so we run gobuster against that directory as well.

We don't see much here, but if we look at the page source we can find the username sally.

We can then get a shell through SSH.

Running sudo -l shows that we can't run anything as root or as any other user, since this user isn't in the sudoers file.

Privilege Escalation (Joe)

We can find the user flag in sally's Desktop folder, and another flag in /home/sally/.local/share/Trash/files.

The hash can be cracked with either hashcat or john, but I'll just use CrackStation as I did earlier.

Privilege Escalation (root)

Running sudo -l as joe, we can see that this user can run all commands.

References