mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 13:03:01 +00:00
176 lines
No EOL
7.9 KiB
Markdown
176 lines
No EOL
7.9 KiB
Markdown
# TryHackMe-Carnage
|
|
|
|
|
|
```
|
|
Service scan Timing: About 83.33% done; ETC: 18:34 (0:00:06 remaining)
|
|
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
|
|
Service scan Timing: About 83.33% done; ETC: 18:35 (0:00:13 remaining)
|
|
Nmap scan report for 10.10.7.102
|
|
Host is up (0.18s latency).
|
|
Not shown: 994 closed ports
|
|
PORT STATE SERVICE VERSION
|
|
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
|
|
| ssh-hostkey:
|
|
| 1024 b1:ac:a9:92:d3:2a:69:91:68:b4:6a:ac:45:43:fb:ed (DSA)
|
|
| 2048 3a:3f:9f:59:29:c8:20:d7:3a:c5:04:aa:82:36:68:3f (RSA)
|
|
| 256 f9:2f:bb:e3:ab:95:ee:9e:78:7c:91:18:7d:95:84:ab (ECDSA)
|
|
|_ 256 49:0e:6f:cb:ec:6c:a5:97:67:cc:3c:31:ad:94:a4:54 (ED25519)
|
|
80/tcp open http Apache httpd 2.4.10 ((Debian))
|
|
|_http-server-header: Apache/2.4.10 (Debian)
|
|
|_http-title: Hill Studios - Index
|
|
81/tcp open http Apache httpd 2.4.10 ((Debian))
|
|
|_http-server-header: Apache/2.4.10 (Debian)
|
|
|_http-title: Hill Studios - Index
|
|
82/tcp open http Apache httpd 2.4.10 ((Debian))
|
|
|_http-server-header: Apache/2.4.10 (Debian)
|
|
|_http-title: Hill Studios - Index
|
|
83/tcp open http Apache httpd 2.4.10 ((Debian))
|
|
|_http-server-header: Apache/2.4.10 (Debian)
|
|
|_http-title: Site doesn't have a title (text/html).
|
|
9999/tcp open abyss?
|
|
| fingerprint-strings:
|
|
| FourOhFourRequest, HTTPOptions:
|
|
| HTTP/1.0 200 OK
|
|
| Date: Tue, 29 Sep 2020 13:34:05 GMT
|
|
| Content-Length: 0
|
|
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|
|
| HTTP/1.1 400 Bad Request
|
|
| Content-Type: text/plain; charset=utf-8
|
|
| Connection: close
|
|
| Request
|
|
| GetRequest:
|
|
| HTTP/1.0 200 OK
|
|
| Date: Tue, 29 Sep 2020 13:34:04 GMT
|
|
|_ Content-Length: 0
|
|
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
|
|
SF-Port9999-TCP:V=7.80%I=7%D=9/29%Time=5F7337CC%P=x86_64-pc-linux-gnu%r(Ge
|
|
SF:tRequest,4B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x2020
|
|
SF:20\x2013:34:04\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,4
|
|
SF:B,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x202020\x2013:3
|
|
SF:4:05\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequest,4B,"H
|
|
SF:TTP/1\.0\x20200\x20OK\r\nDate:\x20Tue,\x2029\x20Sep\x202020\x2013:34:05
|
|
SF:\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(GenericLines,67,"HTTP/1\.1\
|
|
SF:x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf
|
|
SF:-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(RTSPRequest
|
|
SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;
|
|
SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"
|
|
SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
|
|
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
|
|
SF:Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
|
|
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
|
|
SF:r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\
|
|
SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC
|
|
SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67,"
|
|
SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c
|
|
SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(K
|
|
SF:erberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
|
|
SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R
|
|
SF:equest")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-
|
|
SF:Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n40
|
|
SF:0\x20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Re
|
|
SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x
|
|
SF:20close\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,67,"HTTP/1\.1\x2040
|
|
SF:0\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\
|
|
SF:nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
|
|
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
|
|
|
|
|
|
|
```
|
|
# PORT 80
|
|
|
|
```
|
|
gobuster dir -u http://10.10.7.102/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
===============================================================
|
|
Gobuster v3.0.1
|
|
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
|
===============================================================
|
|
[+] Url: http://10.10.7.102/
|
|
[+] Threads: 10
|
|
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
[+] Status codes: 200,204,301,302,307,401,403
|
|
[+] User Agent: gobuster/3.0.1
|
|
[+] Timeout: 10s
|
|
===============================================================
|
|
2020/09/29 18:35:58 Starting gobuster
|
|
===============================================================
|
|
/assets (Status: 301)
|
|
/forms (Status: 301)
|
|
/upload (Status: 301)
|
|
Progress: 7391 / 220561 (3.35%)^C
|
|
[!] Keyboard interrupt detected, terminating.
|
|
===============================================================
|
|
2020/09/29 18:38:11 Finished
|
|
=====================================================
|
|
```
|
|
|
|
# PORT 81
|
|
|
|
```
|
|
gobuster dir -u http://10.10.7.102:81/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
===============================================================
|
|
Gobuster v3.0.1
|
|
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
|
===============================================================
|
|
[+] Url: http://10.10.7.102:81/
|
|
[+] Threads: 10
|
|
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
[+] Status codes: 200,204,301,302,307,401,403
|
|
[+] User Agent: gobuster/3.0.1
|
|
[+] Timeout: 10s
|
|
===============================================================
|
|
2020/09/29 18:38:31 Starting gobuster
|
|
===============================================================
|
|
/assets (Status: 301)
|
|
/forms (Status: 301)
|
|
/css (Status: 301)
|
|
/script (Status: 301)
|
|
Progress: 6547 / 220561 (2.97%)^C
|
|
[!] Keyboard interrupt detected, terminating.
|
|
|
|
|
|
```
|
|
|
|
Login form
|
|
|
|
user : admin' or 1=1 --
|
|
password :
|
|
|
|
`Welcome bobba`
|
|
|
|
Nothing much can't be done from here.
|
|
|
|
# PORT 82
|
|
|
|
|
|
We can upload a php file but will have to bypass filters
|
|
```
|
|
gobuster dir -u http://10.10.7.102:82/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
===============================================================
|
|
Gobuster v3.0.1
|
|
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
|
===============================================================
|
|
[+] Url: http://10.10.7.102:82/
|
|
[+] Threads: 10
|
|
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
[+] Status codes: 200,204,301,302,307,401,403
|
|
[+] User Agent: gobuster/3.0.1
|
|
[+] Timeout: 10s
|
|
===============================================================
|
|
2020/09/29 18:42:36 Starting gobuster
|
|
===============================================================
|
|
/images (Status: 301)
|
|
/assets (Status: 301)
|
|
/css (Status: 301)
|
|
Progress: 10069 / 220561 (4.57%)^C
|
|
|
|
|
|
```
|
|
|
|
Now open burp and upload reverse shell by changing it's extensions `shell.gif` , turn on intercept and before uploading it send it to `repeater` turn off intercept , after that `shell.gif` gets uploaded go to burp's `repeater` and add the extension `shell.gif.php` and the navigate to `/images/shell.gif.php`. If you have already setup netcat listener you get a reverse shell.
|
|
|
|
# PORT 83
|
|
|
|
```
|
|
Nothing here
|
|
``` |