
Thursday, July 30, 2020

THM: Get Smag Grotto

Hi All

Today I will try to get Smag Grotto from THM:

As usual, I start with nmap:


Great, we have SSH and a web server on port 80.



So I go straight to directory brute forcing:


We have a /mail directory; let's explore it:


The next step on this box is the pcap file:


Yes, you have to configure /etc/hosts:



That gives you access to the login page:

Log in with the credentials found in the pcap file:

So we have a way to run system commands and get a shell:


After getting a shell I used the LinEnum script to enumerate the box, and I noticed:




So the authorized keys are copied from another file; we just have to check whether we have write permission on that file:


Nice, now it's a piece of cake: I generated a public/private key pair with ssh-keygen, transferred the public key to the server via netcat, and finally copied it into jake_id_rsa.pub.backup:
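The weakness behind this step is a root cron job that copies a key file into a user's authorized_keys while the source file is writable by other users. Below is an added example (not part of the original write-up) written from the defender's side: a small audit that parses system crontab text, finds the absolute paths each job touches, and reports any that are writable by group or others, or owned by a non-root user while consumed by a root job. The crontab entry, the directory layout and the file names are constructed for the demo; the room's real paths are not reproduced.

```python
"""Audit cron jobs for writable files they read or write.

Added example, not code from the write-up or from TryHackMe. The crontab
text and the paths in demo() are constructed to mirror the pattern in the
post: root copies a backup key file into a user's authorized_keys.
"""
import os
import re
import shutil
import stat
import tempfile

# System crontab line: five schedule fields, then the user, then the command.
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(\S+)\s+(.*)$")
# Absolute paths appearing inside the command part of a cron line.
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")


def parse_cron(text):
    """Yield (user, command) for every non-comment, non-variable cron line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or an environment assignment like PATH=
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)


def audit_cron(text, root="/"):
    """Return (user, path, issue) tuples for paths referenced by cron commands
    that a non-owner could modify. `root` lets the demo audit a temp tree."""
    findings = []
    for user, command in parse_cron(text):
        for path in ABS_PATH.findall(command):
            real = os.path.join(root, path.lstrip("/"))
            if not os.path.isfile(real):
                continue  # e.g. /bin/cat does not exist under the demo root
            st = os.stat(real)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, path, "writable by group/others"))
            if user == "root" and st.st_uid != 0:
                findings.append((user, path,
                                 "owned by uid %d but consumed by a root job" % st.st_uid))
    return findings


def demo():
    """Build a throwaway tree with the same shape as the post and audit it."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "opt/.backups/jake_id_rsa.pub.backup")  # constructed path
    dst = os.path.join(root, "home/jake/.ssh/authorized_keys")       # constructed path
    for p in (src, dst):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("ssh-rsa AAAA...constructed-key... jake@box\n")
    os.chmod(src, 0o666)  # the weakness: anyone on the box can replace the backup
    os.chmod(dst, 0o600)
    crontab = (
        "PATH=/usr/bin:/bin\n"
        "# constructed entry modelled on the post\n"
        "* * * * * root cat /opt/.backups/jake_id_rsa.pub.backup"
        " > /home/jake/.ssh/authorized_keys\n"
    )
    try:
        return audit_cron(crontab, root=root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for user, path, issue in demo():
        print("job as %s touches %s: %s" % (user, path, issue))
```

On a real host, point `audit_cron` at the contents of /etc/crontab and /etc/cron.d/* with the default root; any hit on a file that feeds authorized_keys, sudoers or a root-run script is the same class of problem the write-up exploits.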



Yes, I'm in as the jake user:


Let's try sudo -l:





GTFOBins, that's all; we have root access.

I hope you enjoyed reading my write-up; leave me a comment if you want.



Kind regards

 Abdel

Wednesday, July 29, 2020

THM: Get Brooklyn Nine-Nine

Hi All

Today we are going to play with Brooklyn Nine-Nine from THM.

As usual, I start by scanning the target with nmap:



Hmm, great. As nmap states, I can access FTP:


Yeah, there's the name of a user, jake. OK, maybe I will use it later.

In the web page I found this comment:

Hmm, steganography, maybe a hint or a rabbit hole. I tried to brute force with the strings found in the picture, but that didn't work, so my last resort is rockyou.txt:



Nice, password found. That was easy; let's log in:


Now it's straightforward to get the user and root flags with the less command:

less /home/holt/user.txt
less root/root.txt


I HOPE THAT YOU ENJOYED READING. DO NOT FORGET TO LEAVE ME A COMMENT.

Kind regards
 
Abdel


Monday, July 20, 2020

THM: Blog (Billy Joel made a WordPress blog!)

Hi All,

Today we are going to play with Billy Joel in the TryHackMe Blog room. Yes, let's start:

As usual, I start my enumeration by scanning the target with nmap:



So we have SSH, HTTP and Samba services on this server. OK, great, let's see what's on the web server:




Powered by WordPress; the first thing that came to my mind is wpscan, to get some information about the version:



Yes, it's version 5.0, so it suffers from an RCE if you have an author account. So we need an account, OK 😃. We have a Samba service, so let's move on and see if there's any information that can help (enum4linux result):


Hmm, a directory that can be listed:


Let's explore those files: nothing found, a stupid hole, not a rabbit hole.

On the main page I noticed that we have two authors, bjoel and kwheel:



So I think I have to try a brute force, and one of them will give me access.

Result (rockyou password list): for bjoel nothing found, for kwheel the password was found, and now I have everything necessary for the RCE.

I googled a lot of resources about the vulnerability. As a security noob I'm not going to do the exploit manually, so I'm going to use Metasploit:


Yes, I'm in the server. OK, let's look for the user flag:


Ha, OK Joel, nice message.

So I can't find user.txt from this position; I'm thinking of enumerating to get root directly.

I used the LinEnum.sh script and found something new:


It's the first time I've seen a binary like that, so I decided to download it to my local machine to explore it:



I have a little experience with binary exploitation. After disassembling it:


So the binary calls the C function getenv, which returns the value of an environment variable. Great; in our case, which variable?


So it looks for an admin variable in the environment. As a first test I tried creating an environment variable 'admin' without any value. Result:





So which value do I have to give this admin variable? From the analysis of the binary it seems to be 0:


After the call to getenv we have a comparison between 0 and a value on the stack, which decides the jump instruction (je):


Yes, we did it:


Now reading root.txt and user.txt is a piece of cake.

I hope you enjoyed reading; see you next time.


Kind regards

Abdel




Saturday, July 11, 2020

TryHackMe: Jack-of-All-Trades

Hi All


This article is about the Jack-of-All-Trades room from TryHackMe, so let's play with Jack:

As usual, I start with an Nmap scan. Result:


It seems we have a web server on port 22 and SSH on port 80. Cool. After some configuration changes in my browser I got the first page, where I found some information:



The code is base64; decoding it gives you a name and a password. At the same time I found another code in the recovery.php page:


But there's some other information: Johny Graves will give us a hint for decoding the next ciphertext. Just look for him on Twitter.

After following Mr Johny Graves' hint I found a link to the wiki page for the stegosaurus dinosaur. OK, it's an indication to use steganalysis on the picture of the dinosaur on the home page, or on another one in the assets folder:


Yes, thanks to the creator of this VM I know I'm on the right path. Anyway, let's try the same thing for the jackinthebox picture: nothing found:




Let's try with the header.jpg picture:


Olé, the creds are here. Finally, you just have to cat the file.

Go, go! Motivating myself :)

After authenticating in recovery.php:



When I saw it the first time I thought of testing for command injection (get me a cmd):







Yes, now it's easy to get a reverse shell to explore the VM:
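The foothold here is classic command injection: a request parameter is spliced into a string that a shell executes. As an added example (not code from the room, and recovery.php's real logic is not known from the post), the block below puts the vulnerable construction next to a hardened one. The 'host' parameter, the lookup program and the sample inputs are constructed; the lookup runs `echo` instead of a network tool so the demo works offline.

```python
"""Command injection: vulnerable string building next to a hardened handler.

Added example, not code from the write-up or from TryHackMe. The parameter
name, the lookup program and the inputs below are constructed.
"""
import re
import subprocess

# Allowlist for the parameter: hostnames or IPv4 literals. The first character
# must be alphanumeric, so a value can never start with '-' and be parsed as
# an option of the program (argument injection, which no-shell alone misses).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_unsafe(program, host):
    """Vulnerable: input spliced into one string destined for /bin/sh.
    Metacharacters (; | && $() backticks) let the caller append a command."""
    return program + " " + host


def build_safe(program_argv, host):
    """Hardened: validate against the allowlist, then return an argv list.
    With no shell involved the value is always exactly one argument."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter: %r" % host)
    return list(program_argv) + [host]


def run(argv, timeout=5):
    """Run an argv list without a shell; return (returncode, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def demo(user_input):
    """Feed the same request parameter through both paths and return the
    stdout of each. 'echo resolving' stands in for a real lookup command."""
    # The vulnerable page hands the assembled string to a shell.
    _, unsafe_out = run(["sh", "-c", build_unsafe("echo resolving", user_input)])
    try:
        _, safe_out = run(build_safe(["echo", "resolving"], user_input))
    except ValueError as exc:
        safe_out = str(exc)
    return unsafe_out, safe_out


if __name__ == "__main__":
    for value in ("10.0.0.5", "10.0.0.5; echo INJECTED"):  # constructed inputs
        unsafe, safe = demo(value)
        print("input %-26r shell path: %-32r hardened: %r" % (value, unsafe, safe))
```

The second input shows the difference: the shell path prints an extra INJECTED line because the appended command ran, while the hardened path rejects the value before anything executes. Validation plus an argv list is the fix; quoting the string for the shell is weaker because it keeps the shell in the loop.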



I'm in the server; let's move directly to the home folder:


Yes, some passwords for jack. It's time to brute force :)

After using this list in Hydra I found the password needed for SSH access:


In the user folder /home/jack I found the user.jpg picture:


The picture downloaded to my machine:



And now I used the command display user.jpg to see the flag:




So let's move to root: sudo -l gave no result, so on to SUID files:


After that I noticed that root and jack are in the same group, Dev (I used linenum.sh):



So it's easy now: GTFOBins, and the flag is finally found:



Yes, finished it!


Thank you for visiting my blog; don't forget to leave me a comment.


Kind regards

AbdelMouhine Bouaouda




Offensive Lab: simple format string challenge

Hi All. Today I will write about a very easy challenge from Offensive LAB, which you can solve using reverse engineering techniq...