Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2025-02-16 20:18:24 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/Throwback/THROWBACK-MAIL.md
ARZ 547c0e4481
Add files via upload
2021-03-16 22:13:44 +05:00

3.6 KiB
Raw Blame History

TryHackMe-THROWBACK-MAIL (10.200.34.232 )

NMAP

Nmap scan report for 10.200.34.232                                                                                     
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                            
|   2048 3b:b1:4c:b7:3f:fc:3e:ec:83:0f:0e:db:bf:25:9a:01 (RSA)
|   256 76:62:f3:eb:94:08:bc:a8:34:53:44:4d:ec:ac:87:f1 (ECDSA)
|_  256 0b:80:aa:78:66:34:43:09:db:99:98:e1:99:7e:a8:b0 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Throwback Hacks - Login                                     
|_Requested resource was src/login.php                                    
143/tcp open  imap     Dovecot imapd (Ubuntu)                             
|_imap-capabilities: Pre-login IDLE LOGINDISABLEDA0001 SASL-IR more capabilities have ID post-login listed OK IMAP4rev1 STARTTLS ENABLE LOGIN-REFERR
ALS LITERAL+                         
| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal
| Not valid before: 2020-07-25T15:51:57                                   
|_Not valid after:  2030-07-23T15:51:57                                   
|_ssl-date: TLS randomness does not represent time                        
993/tcp open  ssl/imap Dovecot imapd (Ubuntu)                             
|_imap-capabilities: Pre-login IDLE SASL-IR more capabilities have ID post-login IMAP4rev1 OK AUTH=PLAINA0001 listed ENABLE LOGIN-REFERRALS LITERAL+
| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal
| Not valid before: 2020-07-25T15:51:57                                   
|_Not valid after:  2030-07-23T15:51:57                                   
|_ssl-date: TLS randomness does not represent time

PORT 80 (HTTP)

We can login with the guest credentials which are

tbhguest:WelcomeTBH1!

We can get our first flag form the inbox

Going to Addresses tab we can see a list of usernames and emails

Now intercept the login request in order to start bruteforce attack so we can use these parameters in hyda

We have the usernames but don't have the passwords but it was told that some accounts might use weak credentials so I crafted some passwords

Summer2020
Management2020
Management2018
Password2020
ThrowbackHacks2020
Throwback202
Password123
Winter2020
Winter2018
Spring2020
Winter2019
Summer2018
Summer2019

login: PeanutbutterM   password: Summer2020
login: DaviesJ   password: Management2018
login: GongoH   password: Summer2020
login: MurphyF   password: Summer2020
login: JeffersD   password: Summer2020

We logged in as guest again because it had the email addresses of all users and we wanted to send to everyone

Generate a staged payload for catching reverse shell through metasploit

Attatched the payload in email

After sending the email I wait for some time a got a metepreter session