Hackthebox Bashed writeup

Introduction

It is an easy Linux machine from Hack The Box that involves a little directory enumeration followed by exploitation of a Python file.

Steps involved

1-Port Scan

2-Directory enumeration

3-Getting user flag

4-Getting reverse shell

5-Changing user

6-Exploiting test.py

7-Getting root flag

Port Scan

Nmap 7.70 scan initiated Thu Apr 23 08:49:22 2020 as: nmap -sC -sV -O -v -oV 10.10.10.68
Increasing send delay for 10.10.10.68 from 0 to 5 due to 32 out of 106 dropped probes since last increase.
Nmap scan report for 10.10.10.68
Host is up (0.36s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel’s Development Site
Aggressive OS guesses: Linux 3.18 (95%), Linux 3.2 – 4.9 (95%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (94%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 – 4.11 (93%), Linux 3.13 (92%), DD-WRT v3.0 (Linux 4.4.2) (92%), Linux 4.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.000 days (since Thu Apr 23 08:51:41 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu Apr 23 08:52:13 2020 — 1 IP address (1 host up) scanned in 171.65 seconds

So the very first step is to visit the website.

Directory enumeration

Nothing interesting there, so let’s run a directory enumeration tool.

gobuster dir -u 10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

Getting user flag

So let’s see what’s in there. I found something in /dev.

When I clicked on one of the .php files, it opened a shell as www-data.

And then I got the user flag through this.

Getting reverse shell

Let’s get a reverse shell now.

Changing user

Got a reverse shell.

When I saw the output of sudo -l, I understood that we can run commands as script manager.

Then we switched to that user.

Exploiting test.py

The name script manager was a hint for me, so I looked into the script section.

I saw that the output had root rights, so I wrote my reverse shell into test.py.

Getting root flag

And when it ran, it gave me root.
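
The weakness behind this last step is a script that runs with root rights while a less-privileged account can write to it. As an added defensive example (not part of the original writeup), the audit below flags that condition for a given script and its containing directory; the function names and the root-only trust set are assumptions.

```python
import os
import stat
import sys

TRUSTED = frozenset({0})  # assumption: only root may modify what root executes


def writable_by_untrusted(path, trusted_uids=TRUSTED):
    """List the reasons an account outside trusted_uids could modify path."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_root_run_script(script, trusted_uids=TRUSTED):
    """Check a script that a privileged job executes, plus its directory.

    Write access to the containing directory is as good as write access to
    the file, because the file can be renamed away and replaced.
    Returns {path: [reasons]}; an empty dict means nothing was flagged.
    """
    script = os.path.realpath(script)  # audit the real file, not a symlink
    findings = {}
    for target in (script, os.path.dirname(script)):
        reasons = writable_by_untrusted(target, trusted_uids)
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python3 audit.py /path/to/script [...]; exit status 1 on findings.
    flagged = False
    for arg in sys.argv[1:]:
        for path, reasons in audit_root_run_script(arg).items():
            flagged = True
            print(f"{path}: {', '.join(reasons)}")
    sys.exit(1 if flagged else 0)
```

Run it against every script referenced by root's scheduled jobs; the check is deliberately conservative and also flags group write access held by a root-only group.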
