CTF-Writeups/TryHackMe/Bad_Byte.md
2021-03-27 15:35:52 +05:00

7.1 KiB

TryHackMe-Bad Byte

Rustscan


rustscan -a 10.10.28.94 -- -A -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.             
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |             
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |              
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                  
The Modern Day Port Scanner.                                              
________________________________________                                  
: https://discord.gg/GFrQsGy           :                                                                                                            
: https://github.com/RustScan/RustScan :                                                                                                            
 --------------------------------------                                   
😵 https://admin.tryhackme.com                                            

[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                     
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.28.94:22                  
Open 10.10.28.94:30024               

PORT      STATE SERVICE REASON         VERSION                            
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)                                                 
| ssh-hostkey:                       
|   2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)           
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9/A7kkuN5E+SS1C6w1NfeY196Rj4Y1Yx7njNCwNaCgIv8m+V+7MTHsRn3txLXRTHXErMqW3ypCmmjuY3O40kAragZSgA/XhdesGxGVa0szH
K7H4fB28uQiyZgkOfIt/12kGaHB3iGwOeex2Hdg6ct4FdxTWKgDvuKZSLVoPXG66R8SOHql2cXfUtzyUMNJTTqoUED69soEJVG2ctfPKXi4BfFqM3OK2HgKzbmcSPXlLUTNhlcvjPuTa0kMRqiNT
MVdP0PjSFdoaMviXHiznW7Fn6NHe3R/vIQt8Ac05Mdvim21QjRpJ4pm7v5+q1wXCJxGG6Ov71yThKP6yZ4ByMl
|   256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)   
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM9QUKykbzCSI7+PgoVzHNKOVIWf+zm0LN/f4n0VJc/P0J9TzLImkYHIOCnRFpNUPtiWGXbHXi
67FQxEpgZMReo=                       
|   256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrvf1zJBhqU1RxUCYuTgoIy+7NzCqZeFWV67bt8+APV
30024/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3                       
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                    
| -rw-r--r--    1 ftp      ftp          1743 Mar 23 20:03 id_rsa   
|_-rw-r--r--    1 ftp      ftp            78 Mar 23 20:09 note.txt
| ftp-syst:                          
|   STAT:                            
| FTP server status:                 
|      Connected to ::ffff:10.8.94.60                                     
|      Logged in as ftp              
|      TYPE: ASCII                   
|      No session bandwidth limit                                         
|      Session timeout in seconds is 300                                  
|      Control connection is plain text                                   
|      Data connections will be plain text                                
|      At session startup, client count was 4                             
|      vsFTPd 3.0.3 - secure, fast, stable
|      At session startup, client count was 4                             
|      vsFTPd 3.0.3 - secure, fast, stable                                
|_End of status                      
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port             

We have two ports open , one is 22 (SSH) and the other one is 30024 (FTP)

PORT 30024 (FTP)

From the note.txt

I always forget my password. Just let me store an ssh key here.
- errorcauser

So errorcauser might be a username and we have his id_rsa so we can now ssh into the machine

PORT 22 (SSH)

As soon as we try to login with the private ,it's protected with a passphrase

So here we need ssh2john generate a hash for the key so we can crack it with johntheripper or hashcat

And we successfully cracked the hash and got the passphrase so now we should be able to login

We are logged in as errorcauser but we see another note which tells that there's a webserver running on local port

Since there is no ss or nestat installed we have create a socks proxy on localhost to see which ports are open in order to that we will login through ssh using this command

ssh errorcauser@10.10.28.94 -i id_rsa -D 1337

Also add socks5 proxy in /etc/proxychains.conf

Now run a TCP scan on localhost

So we can see two more ports 80 and 3306 , so let's scan port 80 what's running on it

Add proxy with Foxyproxy extension or you could manually add proxy setting

Using wpscan I enumerated the user

For some reason wpscan wasn't giving me plugins for wordpress so I decide to use nse (nmap scripting engine)

This is the scipt I used to enumerate plugins also to note supply arguemnts to scan upto 1500 results from wordpress plugins script

proxychains nmap -sT -p 80 --script http-wordpress-enum --script-args search-limit=1500 127. 0.0.1

So we have found these two plugins being used on wordpress and these both have exploits on exploit-db

Duplicator (Arbitary File Read)

Wp-File manager (RCE)

I don't like the meterpreter shell so and I can't get the bash through it so I decided to generate a payload that will give a me a reverse shell

Now the room tells that password was logged so by going to /var/logs I find bash.log belongs cth so we can read it

Here it gives us the old password , for the current password we can guess that since the year is 2021 so the password must be G00dP@$sw0rd2021

And we guessed it right , we can run any command as sudo