Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2025-02-26 03:47:12 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/Throwback/THROWBACK-FW01.md
ARZ 547c0e4481
Add files via upload
2021-03-16 22:13:44 +05:00

3.8 KiB
Raw Blame History

TryHackMe-THROWBACK-FW01(10.200.34.138)

NMAP

Nmap scan report for 10.200.34.138
Host is up, received echo-reply ttl 63 (0.18s latency).
Scanned at 2021-02-20 14:40:52 PKT for 219s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|   4096 38:04:a0:a1:d0:e6:ab:d9:7d:c0:da:f3:66:bf:77:15 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDN6yAJkDf3ePS4Etb1KKfEe6Az22BPADTvyCijKGexA0/xVVqwbhlLdXRf8lsGIyxOrEA/VZx7yq+iYL+tW8fnItuLaco6YTDJbtK8V0FQCFTyfCINNKH/jYABwG1i6TkZnaneAXKby8snChez7+r1Bz1fPzxne4PTrvBazH58jHV5A3y+xgskcZct8LnGnaib4LoAtXgd+t1sVjv+BHbpevCbSHNxhqb4S/Vsja2XTr37U1SXnst6xRTqRHal1ziq08Ijzxm17I5bUY6wRZRv01IZCWdE9JHaoVbkHtMOPMAsOsg99fXnb8I++jruuFWJbNQ26/1rwMqeaIslpAsKsFijCe5IbXwvKuzI6A9sM0IYObV+CevgYraQ7G4zx+WeBUIqu8dOt16n4suz33kaI17jbBdfSR6GxdT3ysqEsSkLd6p0HIR0JxIk5t7qGhG9KSvfsk42JUMyoocbK3tO8O/xInXPSuBWiohcGz0aJckVIOJuQSm8dkGRj62yOfzSyh9utWWu8Zi/dngRR6qOCMz538aQ/DReNEgqXl0Zn2roj42scFhidj4VgO0vhClotAmOZrFhu3wXc91ImkTdvApK7XcAQ4NGIt8kf0TylvHkV8T39zOB2uoFgITShRqHUQ6AnxwivFkdbdALT2IWh3CJRVD4Vwwog5L4ohsDjw==
53/tcp  open  domain   syn-ack ttl 63 (generic dns response: REFUSED)
80/tcp  open  http     syn-ack ttl 63 nginx
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.200.34.138/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/http syn-ack ttl 63 nginx
|_http-favicon: Unknown favicon MD5: 5567E9CE23E5549E0FCD7195F3882816
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: pfSense - Login
| ssl-cert: Subject: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate
| Subject Alternative Name: DNS:pfSense-5f099cf870c18
| Issuer: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-11T11:05:28
| Not valid after:  2021-08-13T11:05:28
| MD5:   fe06 fa47 4d83 8454 e67a 1840 7ea8 d101
| SHA-1: 672e 5f8f 9b28 7cad 5789 c5be cb1c f3f2 6c63 dfb2
|_-----END CERTIFICATE-----

PORT 80 (HTTP)

We can see that there is a login page to pfsense control panel. I decided to try default credentials

These credentials logged us in

When logged in we can see Diagnostics tab and we see menu Command Prompt

We can see that commands will be executed as root

Also php commands can be executed. I uploaded a phpbash which is like a backdoor having a full interactivev shell

https://github.com/Arrexel/phpbash

We can get the root flag in /root/root.txt

We can find logs for in /usr/local/www

And we can get this this username and hash

HumphreyW:1c13639dba96c7b53d26f7d00956a364

I search for the log flag by running recusrive find command in /var/log

Now the hash that we got for the user HumphreyW we need to crack it but we need to know what type of hash it is so I went to Name That Hash

It gave me a bunch of hash type for it so I checked for MD5 and MD4 that was a negative

I started hashcat for NTLM (1000)

And it was cracked