Posts

Chocolate Factory - TryHackMe

thm Chocolate Factory
A Charlie And The Chocolate Factory themed room, revisit Willy Wonka’s chocolate factory!
Always start with an nmap scan.
# Nmap 7.91 scan initiated Tue Jun 8 13:13:29 2021 as: nmap -sC -sV -d -A -oN nmap/output 10.10.204.243
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Nmap scan report for 10.10.204.243
Host is up, received syn-ack (0.16s latency).
Scanned at 2021-06-08 13:13:29 +0530 for 380s
Not shown: 989 closed ports
Reason: 989 conn-refused
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r-- 1 1000 1000 208838 Sep 30 2020 gum_room.jpg
| ftp-syst:
|   STAT:
|

RootMe! -TryHackMe

thm RootMe
A ctf for beginners, can you root me?
Task 2
First, let’s get information about the target. Here is the nmap scan.
# Nmap 7.91 scan initiated Mon Jun 7 14:53:05 2021 as: nmap -sC -sV -A -oN nmap/scan 10.10.88.87
Nmap scan report for 10.10.88.87
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap

Cat Pictures - TryHackMe

thm Cat Pictures
I made a forum where you can post cute cat pictures!
Enumerations
Let’s run an nmap scan and see what we get.
# Nmap 7.91 scan initiated Sat Jun 5 16:54:16 2021 as: nmap -sV -sC -oN nmap/scan 10.10.137.255
Nmap scan report for 10.10.137.255
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
8080/tcp open  ssl/http-proxy?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 5 16:55:55 2021 -- 1 IP address (1 host up) scanned in 98.59 seconds
Looks like we got a website. Let’s poke aroun

Simple CTF - TryHackMe

thm Simple CTF
Beginner level ctf
How many services are running under port 1000?
Let’s run the nmap scan to see what ports are open.
# Nmap 7.91 scan initiated Sat Jun 5 17:31:14 2021 as: nmap -sV -sC -Pn -oN nmap/scan 10.10.225.250
Nmap scan report for 10.10.225.250
Host is up (0.22s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.2.48
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries

Script kiddie - HackTheBox

htb About
What I learned from this machine?
Enumeration
Malicious payload (template bin)
Reverse Shell
Privilege escalation
Enumeration
# Nmap 7.91 scan initiated Fri Jun 4 15:33:24 2021 as: nmap -sV -sC -oN nmap/scan.txt 10.10.10.226
Nmap scan report for 10.10.10.226
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 4 15:33:52 2021 -- 1 IP address (1 host up) sca

Delivery - HackTheBox

htb About the Delivery
Delivery is an easy-difficulty Linux machine that features the support ticketing system osTicket, where a technique called TicketTrick lets an unauthenticated user gain access to a temporary company email. This “feature” permits registration at Mattermost and joining the internal team channel. That channel reveals that users have been using the same password variant, “PleaseSubscribe!”, for internal access. The channel also discloses the credentials for the mail user, which give the initial foothold on the system. While enumerating the file system we come across the Mattermost configuration file, which reveals MySQL database credentials. With access to the database, a password hash can be extracted from the Users table and cracked using the “PleaseSubscribe!” pattern. After cracking the hash it is possible to log in as user root.
Skills Required: Basic web enumeration / Brute force