Posts

Sunset:Decoy - Walkthrough [Vulnhub]

Here's my solution for Sunset:Decoy. The machine can be downloaded from here.

Nmap

Let's start by scanning all TCP ports.

    nmap -sC -sV -p- 192.168.1.106

We find 2 TCP ports open.

Enumeration

Browsing the website shows a zip file. Download the save.zip file. We see that the zip file is password protected. Let's crack it by extracting the hashes from the zip file and brute forcing against them. We get the password: manuel

Now that we have the password, unzip it. The shadow file contains the encrypted password for the user 296640a3b825115a47b68fc44501c828. Let's crack it. Now we have the user and password.

User: 296640a3b825115a47b68fc44501c828
Password: server

Getting Access

    ssh 296640a3b825115a47b68fc44501c828@192.168.1.106

password: server

We get access, but we see that we are in a restricted bash shell. Let's escape it by connecting again:

    ssh 296640a3b825115a47b68fc44501c828@192.168.1.106 -t "bash --noprofile"

password: server

Adding /usr/bin to PATH

Privilege Escalation

Transfer the...

Pwned - Walkthrough [Vulnhub]

Here's my solution for Pwned. The machine can be downloaded from here.

Nmap

Let's start with nmap, scanning all TCP ports.

    nmap -sC -sV -p- 192.168.1.106

We find 3 ports open.

Directory Scan

Browsing the website and checking the source shows some sort of hint. Using gobuster to scan for directories:

    gobuster dir -u http://192.168.1.106/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -e

We find an interesting directory, /hidden_text, which contains secret.dic. Browsing http://192.168.1.106/hidden_text/secret.dic and viewing the pattern of its entries, we can guess that they might be directory names. Downloaded the file and used it as the wordlist in gobuster. We find one, /pwned.vuln

Browsing http://192.168.1.106/pwned.vuln and checking the source gives us the ftp credentials.

User: ftpuser
Password: B0ss_B!TcH

Logging in to ftp, a directory named share has two files, note.txt and id_rsa. Let's get them. Message in note.txt The id_rsa is a private key of user ariana. Get...

CyberSploit:2 - Walkthrough [Vulnhub]

Here's my solution for CyberSploit:2. The machine can be downloaded from here.

Nmap

Starting with nmap, scanning for all open TCP ports.

    nmap -sC -sV -p- 192.168.1.103

We find only 2 open ports.

Enumeration

Browsing the website shows a list of usernames and passwords. Checking the source code reveals a hint: ROT47. While browsing the website, we see a strange username, D92:=6?5C2, and its associated password, 4J36CDA=@:E`

From the hint we can guess that the username and password may be ROT47 encoded. Browsed Decode.fr to decode them, and we get the credentials:

username: shailendra
password: cybersploit1

Getting Access

Tried ssh with the credentials, and we get access.

    ssh shailendra@192.168.1.1

password: cybersploit1

Found a file named hint.txt, which gives the hint docker. It can be used for privilege escalation, and the user is also a member of the docker group.

Privilege Escalation

    docker run -v /:/mnt --rm -it alpine chroot /mnt sh

And we get the flag

CyberSploit:1 - Walkthrough [Vulnhub]

Here's my solution for CyberSploit:1. The machine can be downloaded from here.

Nmap

Starting with nmap, scanning for all open TCP ports.

    nmap -sC -sV -p- 192.168.1.109

We find only 2 ports open.

Directory Scanning

Browsing the website and checking the source gives us a hint.

username: itsskv

Tried brute forcing ssh, but did not get a result. Scanning directories with dirb.

    dirb http://192.168.1.109/

The robots.txt has base64 encoded strings. Let's decode. And we get the first flag:

Flag1: cybersploit{youtube.com/c/cybersploit}

which also happens to be the password for user itsskv.

Getting Access

    ssh itsskv@192.168.1.109

password: cybersploit{youtube.com/c/cybersploit}

Getting the second flag. It seems the second flag has a hint which is in binary format. Let's decode it; browsed RapidTables. And we get the second flag:

flag2: cybersploit{https:t.me/cybersploit1}

Privilege Escalation

Checking the kernel version reveals an older version. Searching for a kernel exploit. Let's get this 37292.c fi...