All about CTF writeups

Here's my solution for Misdirection:1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.109 We find 4 ports open. Directory Scan Browsing the web and checking the source did not reveal any hints. From nmap's output we see that http service is also running on port 8080, lets browse it. Still did not find any hints. Using dirb to perform directory scanning. $ dirb http://192.168.1.109:8080/ -r Browsing /debug directory, we find a web-cli and we see that commands are running fine. Getting Access We encode the bash reverse shell payload in base64 format. Before running it, on the other hand we start the net cat listener.   We get the reverse shell. Privilege Escalation From www-data > brexit We check for sudo rights. We see that, we can run /bin/bash as user- brexit. User Flag. We have full permission on file- /etc/passwd. We can change the password for user- root. On our machine we create a password as- password. On target m...

Here's my solution for FunBox:1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.106   We find 4 ports open. Lets map the ip to domain, by editing the file- /etc/hosts. Enumeration Browsing the web, checking the source did not reveal any hint but we find that it is built on CMS- Wordpress. Using wpscan to enumerate all plugins and users. $ wpscan --url http://funbox.fritz.box/ -e ap,u No plugins we found, but we find 2 users- admin and joe. Using hydra to brute force the password for user- joe, on ssh. $ hydra -l joe -P /usr/share/wordlists/rockyou.txt funbox.fritz.box ssh We get the password as- 12345. Getting Access Accessing SSH. $ ssh joe@funbox.fritz.box Password: 12345   We see that we are in restricted bash, lets escape it. Connecting again. $ ssh joe@funbox.fritz.box -t "bash --noprofile" Password: 12345 We get a hint in file- mbox Privilege Escalation We find a hint in a hidden file- .reminder.sh, under /hom...

Here's my solution for Prime:1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.105   We find 2 ports open. Directory Scanning Browsing the web and checking the source, we did not find any hints. Using dirb to scan for directories. $ dirb http://192.168.1.105 -r Browsing /wordpress, we find that it is build on CMS- Wordpress. We can also see a post, made by the author- victor.   Using wp-scan to enumerate all plugins and users. $ wp-scan --url http://192.168.1.105/wordpress -e ap,u   We did not find any plugins, but found a user- victor, which we already know. At this point, tried brute forcing the login as well as the ssh, but no result. Seems that we need to enumerate more. Lets use dirb again, but this time we include the extensions. $ dirb http://192.168.1.105 -X .php,.txt,.html Browsing /secret.txt, gives us the hint that there is a hidden parameter on php page, and if we get the right parameter, we have to follo...