CTF-Writeups/TryHackMe/All_In_One.md
2020-12-10 03:33:48 +05:00

4.5 KiB

TryHackMe-All In One

NMAP

Nmap scan report for 10.10.6.115                                                                                                              [3/26]
Host is up (0.45s latency).                                               
Not shown: 997 closed ports                                               
PORT   STATE SERVICE VERSION                                                                                                                        
21/tcp open  ftp     vsftpd 3.0.3                                         
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)                                                                                              
| ftp-syst:                          
|   STAT:                            
| FTP server status:                 
|      Connected to ::ffff:10.2.54.209                                    
|      Logged in as ftp              
|      TYPE: ASCII                   
|      No session bandwidth limit                                         
|      Session timeout in seconds is 300                                  
|      Control connection is plain text                                   
|      Data connections will be plain text                                
|      At session startup, client count was 2                             
|      vsFTPd 3.0.3 - secure, fast, stable                                
|_End of status                      
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)                                                                   
| ssh-hostkey:                       
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)                                                                                      
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)                                                                                     
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)                                                                                   
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))                       
|_http-server-header: Apache/2.4.29 (Ubuntu)                              
|_http-title: Apache2 Ubuntu Default Page: It works                       
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel            
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                      
Nmap done: 1 IP address (1 host up) scanned in 48.55 seconds      

PORT 21 (FTP)

There wasn't anythin on ftp so this was a rabbit hole

PORT 80

Visting the web page we don't find that much than a default apache web page

Now on ruuning gobuster we can find a directory wordpress and hackathons

On ruuning wpscan for finding any users

We find elyana as a registered user on wordpress

For finiding the plugins that this wordpress is using

mail-masta and reflex-gallery are the two plugins that this wordpress is using

That's all we can find on the wordpress directory let's see if there is anything on hackathons

Looking at the source code

We find some ecnrypted text and after trying different encryption techniques we found that this a vigenere encoded text

We logged in with the password H@ckme@123 removing Try from it ( :

Now we can edit the 404 page on theme Twenty Twenty

Pasting a php reverse shell from pentestmonkey

Then setup a netcat listener

Running a find command to look for files for user elyana

Here elyana is in groups sudo and lxd , so lxd may have privilege escalation technique

Checking for sudo -l

We 'll find that we can run socat as root