All about CTF writeups

Here's  my solution for Odin:1. The machine can be downloaded from here. Service Discovery Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.106 We find only 1 port open. Enumeration We map ip to host by editing the /etc/hosts file. Lets browse the web. We find that the web in built on CMS - Wordpress. Scrolling down, we see some base32 encoded text.    We can browse CyberChef to decode it.   This seems like a hint-  To use rockyou wordlist. We run wp-scan to enumerate all plugins and users. $ wp-scan --url http://odin -e ap,u No plugins were found but we found a user- odin. When we try to manually verify the user- odin, it says- unknown username. Now we enter a default user name - admin and a random password. After reading the error we confirm that the user- admin exits. Since we do not have the password for the user. We user wpscan to brute force the password. $ wpscan --url http://odin/ -U admin -P /usr/share/wordlists/rockyou.txt We get the password as- qwerty Let

Here's my solution for Kira:CTF. The machine can be downloaded from here. Service Discovery Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.105 We find only 1 port open. Enumeration Browsing the web, We see an upload option, lets go for it. We try to upload the php reverse shell file. Seems there's some kind of validation which does not allows php files. Now we upload the same php reverse shell file by adding an image extension to it. i.e rshell.php > rshell.php.jpeg Seems that we have successfully upload the file. We navigate to /uploads and here we find the uploaded reverse shell file. Back to the main web page, here we find a language button. We click the language button. Again we click the language button. We find that the lang= parameter is vulnerable to LFI. Initial Access Now to run the php reverse shell file we simply browse the location of the file. And on the other hand we start the netcat listener. We get the shell. Privilege Escalation From www-dat

Here's my solution for Hemisphere:Gemini. The machine can be downloaded from here. Service Discovery Using Nmap for scanning all TCP ports. $ nmap -sC -sV -p- 192.168.1.132 We find 5 ports open. Enumeration Browsing the web. Using gobuster to scan directories. $ gobuster dir -w /usr/share/wordlists/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.132/ -t 100 -x php,txt,html Browsing /Portal We click on CONTACTO, we find that the view= parameter is vulnerable to LFI. By looking at the contents we find a user- william. By exploting the LFI we try to get the william's ssh key. We copy the ssh key to a file. Initial Access Before accessing ssh. We change the permission of the key file. $ chmod 600 key $ ssh -i key william@192.168.1.132 User Flag. Privilege Escalation Checking the permissions on /etc/passwd file, shows that we have full privileges. Lets change the root user password. On our machine we create the password as- pass On target machine we c