Posts

Image
  Try-hack-me Agent Sudo : Walkthrough Agent Sudo is an Easy room on Tryhackme created by Deskel. This machine requires enumeration, hash cracking, steganography, and Privilege Escalation. Alright the room has a total of 5 tasks, or 4 if you just want to count the actual tasks. Task 1 has a note from the room author DesKel to have fun! Deploy the machine, wait a few minutes for it to boot and we will dive right in. Enumerate Everyone has got to be familiar with the first step after getting a machine IP by now, I hope? We do some port scanning and recon using our favorite tool Nmap #nmap -sS -sV -A -T4 -vv <target ip> Looks like we have some open ports running on the machine. A web server is running on port 80. Let's open it and investigate further. We get a html page that tells us that agents should use their own codename as user-agent to access the site. We see an announcement for the Agents from Agent R. The tryhackme hint was to change the “User-agent” with “C”. So we sta
Image
  Try-hack-me PICKLE-RICK : Walkthrough Today I completed an other room on tryhackme with a Rick and Morty theme to it! Let's go and complete the room Pickle Rick from try Hack Me! Scanning & Enumeration A good rule of thumb is to start by scanning your machine for any open ports.  #nmap -T4 -sC -sV -A -p- <target IP> Enumerating Services Port 22- ssh Here we are able to see that our SSH port is open. This port isn't too vulnerable unless we have found some credentials. So we will not mess with it. Port 80- http It's here where we find a webservice. Lets see if there is anything interesting. This webpage comes up on port 80. There’s no useful data in here. But what if we check the page source? Checking out the source code of a page can reveal all sorts of things.  Great it looks like we have found a user name!!!  Most websites will have a robots.txt file that will tell a browser what is and isn't allowed to index. So lets see if there is one for this site. Su
Image
  Try-hack-me THOMPSON : Walkthrough Description Thompson is a boot2root CTF on TryHackMe. It has “Easy” difficulty. Initial access has been done through uploading a reverse shell. Privilege escalation to root could be done through a misconfigured cronjob. Enumeration After running a Nmap scan we can see that port 22, 8009 and 8080 is running. On port 8080 Tomcat 8.5.5 is running. #nmap -sS -sV -A <target IP> The landing page of the Tomcat server shows us the default Tomcat page. As expected, the webpage is simply a default tomcat webpage.  From this we want some sort of login portal so we can test some default credentials.  Tomcat is usually configured with default credentials.  So I was actually just guessing some easy ones, then I was forwarded to this page: Seeing that, I decided to try those credentials and voila! We are now in the app! Navigating around the app, we see that we have the ability to upload WAR files: What that means, for us, is that if we upload a payload, and
Image
  Try-hack-me ANTHEM : Walkthrough In this writeup, we are going to solve a CTF room called “Anthem” created by Chevalier. I’ve taken a hint-only approach so you can enjoy this room as much as I did, but I am sure that this would be enough to eliminate any of your questions and difficulties. Task 1 – Website Analysis As being said in the task, we need to run a nmap scan and identify open ports. Since it’s a CTF room, a really quick scan of all ports would be enough here. #nmap -p- -vv <target IP> -Pn We look at the above nmap scan and figure out which is the correct port for the webserver We look at the above nmap scan and figure out which is the correct port for the Remote Desktop Service Let’s open the website in our browser. Let’s check website’s “/robots.txt” directory, & we find some interesting stuff there. Including a possible password. Now we can retrieve both password and CMS name through above step. Answer for questions six is located on the webserver port (see ques
Image
  Try-hack-me LIBRARY : Walkthrough Today we are going to take a new challenge Library. It is a boot2root challenge where we have to root the server to complete the challenge. You redirect this VM here . Scanning: Let’s start off with the scanning process.  We used our favorite tool Nmap for port scanning. We found that port 22 and 80 are open. #nmap -A -sC -sV <target IP> Enumeration: As we can see port 80 is open, we opened the IP address in our browser. We got username: meliodas Let's explore robots.txt as well. Little hint as rockyou can be seen. Exploitation: Let's hit it (bruteforcing) using hydra.. #hydra -l meliodas -p /usr/share/wordlists/rockyou.txt <target IP> -t 64 we found the password as iloveyou1 . Time for action, as port 22 ssh is open lets get the shell: #ssh meliodas@<target IP> Now getting the user flag To get the root.txt we need to get the root shell of the machine, for this privilege escalation we need to see the permissions: #sudo -l