Showing posts from October, 2020

HackathonCTF:1 - Walkthrough [Vulnhub]

Here's my solution for HackathonCTF:1. The machine can be downloaded from here.

Port Scanning
Using nmap to scan all TCP ports.
$ nmap -sC -sV -p- 192.168.1.106
We find 4 ports open.

Enumeration
Browsing the web. From nmap's output we see that a robots.txt file is present, so let's check it out. Further down the page we see base64-encoded data, which we decode. This seems like a hint to brute-force SSH.
Using gobuster to scan for directories, also including some file extensions:
$ gobuster dir -u http://192.168.1.106/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php
Browsing /ftc.html and checking the page source. We use Cryptii to decode the decimal values. This seems to be another hint: use the rockyou wordlist.
Browsing /sudo.html and checking the page source reveals a username: test.
Using hydra to brute-force SSH:
$ hydra -l test -P /usr/share/wordlists/rockyou.txt 192.168.1.106 ssh -s 7223
We get the password: jordan23.

Initial Access
Accessing SS

FishyMail:1 - Walkthrough [Vulnhub]

Here's my solution for FishyMail:1. The machine can be downloaded from here.

Port Scanning
Using nmap to scan all TCP ports.
$ nmap -sC -sV -p- 192.168.1.106
We find 3 ports open.

Enumeration
Browsing the web application hosted on port 8080. Checking the page source did not reveal any useful information or hints.
Using dirb to scan for directories:
$ dirb http://192.168.1.106:8080 -r
Having a look at /robots.txt. Interesting; browsing /dataentry. Again using dirb to brute-force the /dataentry directory:
$ dirb http://192.168.1.106:8080/dataentry/
Browsing /dataentry/backup/admin/files, still no useful information. We try brute-forcing again, this time with some file extensions:
$ gobuster dir -u http://192.168.1.106:8080/dataentry/backup/admin/files/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
Interesting: browsing /dir.txt. After decoding the double base64-encoded data, the output looks like credentials. We can try these over SSH.

Getting Access
Accessing S

KB-VULN:3 - Walkthrough [Vulnhub]

Here's my solution for KB-VULN:3. The machine can be downloaded from here.

Port Scanning
Using nmap to scan all TCP ports.
$ nmap -sC -sV -p- 192.168.1.105
We find 4 ports open.

Enumeration
Browsing the web and checking the page source did not reveal much information or any hint. As the SMB ports are open, let's enumerate them. We get an SMB shell and download the zip file website.zip. While unzipping the file, it asks for a password. As we do not know the password, we can try to brute-force it. After unzipping we get a file named README.txt, which contains a credential and a hostname, kb.vuln. So we map the IP to the hostname by editing the /etc/hosts file. Now let's browse the web again using the domain name. We see that the website is built on the Sitemagic CMS. We search for an exploit and find it here. After reading the exploit we log in with the found credentials.
Username: admin
Password: jesse
We navigate to Content > Files > Images and click on upload to upload the php reverse shell