
Tuesday, June 23, 2020

TryHackMe: Boiler CTF

Hi All

Let's play another box on TryHackMe and learn something new. Today it will be the Boiler CTF room.

I usually start enumeration of any box with the nmap tool:




The result of the nmap enumeration:




I think that's sufficient to start attacking the services:


As stated in the nmap result, we can connect to FTP with the anonymous account:



There's a file, let's look at it:



It looks like encrypted text; I'm thinking about ROT13. Yes, but the decrypted text has no value.


😂😂😂😂😂 I think the creator of this box is a joke maker too 😂😂

Let's move to the next service, HTTP on port 80, using the result from nmap:



Another code, so I tried to decode it. Nothing found, OK let's brute-force directories:



Hmm, a Joomla CMS:



I tried to visit every folder in Joomla and found:


Yes, a sar2html app:



After looking on Google, this version suffers from Remote Command Execution, so let's exploit it:

It's so easy: with ls, then cat of the file log.txt, you will find some credentials that give you SSH access:


Great, in backup.sh you will find the password for another user. It's easy, then switch to (stoner):


So the user flag is found. Now I have to look for the root flag: privilege escalation time:



Hmm, OK


I see the find command. Let's check GTFOBins to exploit this command:



I think now it's easy to get the root flag


It was a funny box; I enjoyed it and learned many things.

See you.. don't forget to drop me a comment

Kind regards
Abdel



Friday, June 19, 2020

HackTheBox: Admirer

Hi All

Let's play with Admirer. After nmap I have found 3 services:



I want to try to access FTP and at the same time brute-force directories on the web server.

So anonymous access is not working on FTP.




So the brute-force result was as follows:
Yes, I found the file of credentials, so let's check:
Great, let's see what I can find on the FTP server:


So let's download the two files and check what's inside:


Let's examine those files to find more information:


Also it seems that there's another website under utility-scripts:


OK, great, I have noticed that all files are accessible except db_admin.php.

There's a TODO at the bottom of the file, so I think it's done:


I found this simple interface; I don't know if it will be useful for me:


I have tried to use the passwords for waldo for SSH access, not working. At the same time I was still brute-forcing the files and directories that I had found on the server, so after some hours I found:


Yes, Adminer. Let's look at what this file is:


It seems to be a known tool to connect to databases, Adminer v4.6.2. Hmm, now I have to look for any known vulnerability on Google:

https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool


As they said, I can connect to my own MySQL instance and then use the LOAD DATA LOCAL INFILE statement to read files from the system. Great, let's read a little about this command to understand it:

https://dev.mysql.com/doc/refman/8.0/en/load-data.html

OK, great. Firstly I have to configure my MySQL instance to be accessible from outside, so I made some changes in the MySQL configuration file, then connected to my instance. Next, I created a test database:



Then I created a test table with a test column where I'm going to store the result of LOAD DATA LOCAL INFILE.

Great, then I executed this SQL command:

Great, now it's simple, let's look at the content of this file:


Nice, the waldo password is found. I'm on the right path, so SSH to the server: bingo, I have user access.

User flag found:


So let's move on to getting root access. I usually begin this by running sudo -l:


Here we are dealing with a Python script called from a shell script. Besides that we have SETENV in the sudo result. As an offensive noob I had no idea what that means, so I googled a lot to understand. Hmm, it means that you can set environment variables for the execution of this script.




This script calls the Python script backup.py.


I think we can get privilege escalation using Python library hijacking through PYTHONPATH while executing the script, so I can give it a custom shutil.py library with my custom function make_archive that does something else, like a reverse shell back to my machine.


A simple nc to my Kali machine, while I already have nc -nlvp 12340 listening on my Kali.






After choosing number 6, which launches the Python script, it's done: root flag in hand. I have learned a lot in this box; at the same time I have to advance my knowledge in Linux.
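To show why SETENV on a sudo rule that ends up running Python is dangerous, here is an added example (not part of the original post, and not the box's backup.py): a module named shutil.py placed in a directory on PYTHONPATH is imported before the standard library copy, and running the interpreter with -I (isolated mode) ignores PYTHONPATH and so blocks the hijack. The fake module and the probe command are constructed for this demonstration; the fake module only records that it was loaded.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed fake module: it does nothing except mark that it was the
# copy of shutil that got imported (it shadows the stdlib shutil).
FAKE_SHUTIL = textwrap.dedent("""\
    HIJACKED = True

    def make_archive(*args, **kwargs):
        return "fake make_archive called"
""")

# Probe run in a child interpreter: prints True if the fake module won.
PROBE = "import shutil; print(getattr(shutil, 'HIJACKED', False))"


def fake_shutil_loaded(isolated: bool) -> bool:
    """Start a child interpreter with PYTHONPATH pointing at a directory
    that holds the fake shutil.py and report whether it was imported.
    isolated=True adds -I, which makes Python ignore PYTHONPATH."""
    with tempfile.TemporaryDirectory() as hijack_dir:
        with open(os.path.join(hijack_dir, "shutil.py"), "w") as fh:
            fh.write(FAKE_SHUTIL)
        env = dict(os.environ, PYTHONPATH=hijack_dir)
        cmd = [sys.executable]
        if isolated:
            cmd.append("-I")  # isolated mode: -E (ignore PYTHON* vars) + -s
        cmd += ["-c", PROBE]
        result = subprocess.run(cmd, env=env, capture_output=True,
                                text=True, check=True)
        return result.stdout.strip() == "True"


if __name__ == "__main__":
    # Without -I the attacker-controlled PYTHONPATH wins; with -I it is ignored.
    print("plain interpreter imports the fake shutil:", fake_shutil_loaded(False))
    print("python -I imports the fake shutil:", fake_shutil_loaded(True))
```

The same idea applies to the sudoers side: dropping the SETENV tag (so env_reset strips PYTHONPATH) or invoking python with -I in the wrapper script both close this path.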

See you next time for another box. Do not forget to submit a comment for me.

Kind regards
Abdel



Sunday, June 7, 2020

TryHackMe: LazyAdmin

Now we are going to play with the LazyAdmin box on TryHackMe.

So I usually start with nmap: nmap -p 1-65535 -T4 -A -v $IP

Two services found: SSH on port 22 and web on port 80.

Let's explore the web page:

The main page is the Apache default page, so I'm going to try wfuzz to do a directory brute-force:

Yes, I found a web page under /content; besides that, I'm dealing with the SweetRice CMS.
By looking in Exploit-DB I found an authenticated exploit for arbitrary file upload in v1.5.1,
but it needs some credentials that I don't have yet, plus I don't know if this is v1.5.1. Great, now I'm thinking of checking if there's any folder under this path: yes, as expected, /content/inc found.

Oooh, juicy information:
latest.txt confirms the information about the version.
I found an .sql file that maybe contains credentials, so let's explore:
As expected, I found the login and password hash in the .sql file, so there is still one point left: I have to crack the hash.
It was also very simple with an online MD5 decrypter tool.
Now all the ingredients are here to start the exploit, let's give it a try.
The PHP reverse shell is here. After understanding the exploit in the .py file from Exploit-DB, I said that I will try it manually; it's simple.
And that works: I have a shell as the www-data user. Now it was very simple:

cat /home/itguy/user.txt to get the user flag

For the root flag, as usual, I try sudo -l

Yes, I can see that I can execute a Perl file in the itguy home folder. Great.

So after checking the file I found that it executes a shell file in the /etc/ folder.

Checking the RW rights for the shell file: it's writable. Great, now it's simple: I added the line cat /root/root.txt, then I executed the Perl file and voilà, the root flag.

Thank you for reading these hints for LazyAdmin on TryHackMe.

Abdel

Friday, June 5, 2020

TryHackMe: Pickle Rick

Room : https://tryhackme.com/room/picklerick

After nmap -p 1-65535 -T4 -A -v $IP

I found two services: 22, 80.

Let's explore the web page:
I found in the first page, as a comment: Username: R1ckRul3s
Let's try some directory brute-forcing:

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://10.10.191.238/FUZZ
Total requests: 950

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000098:  C=301      9 L       28 W          315 Ch        "assets"

Total time: 10.12029
Processed Requests: 950
Filtered Requests: 949
Requests/sec.: 93.87078


Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://10.10.191.238/FUZZ.php
Total requests: 950

==================================================================
ID      Response   Lines      Word         Chars          Payload
==================================================================

000502:  C=200     25 L       61 W          882 Ch        "login"
000635:  C=302      0 L        0 W            0 Ch        "portal"

Total time: 9.943372
Processed Requests: 950
Filtered Requests: 948
Requests/sec.: 95.54102

Also I checked robots.txt and found some weird word, blada.......
The login page was also found, so I need the password. Brute-forcing the login page takes a lot of time; I don't think it's the right path: no result.
I tried SQL injection to bypass the login page, not working.

It was stupid: the word in robots.txt is the password. :(

After login I found some sort of page; I think we have command injection: run the command ls and read the secret file with the browser.

So let's get a shell now. The shell was easy with the GTFOBins bash entry after sudo -l; then you can understand that you have the possibility to run all sorts of commands with sudo and read all the files for ingredients two and three.

When I was in the box, the web application suffered from reflected XSS in the login page, and if you try to run ping it will hang and you have to restart the box. Also I found in the portal.php page a comment like a hash or base64, but not used: maybe a rabbit hole.


Thank you for reading my blog. I know it's not very detailed or beautiful, but it gives you what you need or what you are missing while pentesting this box.

Kind regards
Abdel







Offensive Lab: simple format string challenge

Hi All. Today I will write about a very easy challenge from Offensive LAB where you can solve it through using reverse engineering techniq...