Posts

KB-VULN: 2 - Walkthrough [Vulnhub]

Here's my solution for KB-VULN:2. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.108 We find 5 ports open. Enumeration From nmap's output we see that ports 139 and 445 (SMB) are open, so we enumerate the SMB shares. $ smbmap -H 192.168.1.108 We have access to a share named Anonymous, so let's get an SMB shell. $ smbclient //192.168.1.108/Anonymous We download the file backup.zip. After unzipping it, we get a file named remember_me.txt and a folder named wordpress. The contents of remember_me.txt appear to be a credential. $ cat remember_me.txt We keep this information, which can be used at a later stage. Browsing the website and checking the source did not reveal any hint. Using dirb to scan the directories. $ dirb http://192.168.1.108 -r Browsing /wordpress. Checking the page source. We map the IP to the host name kb.vuln by editing the /etc/hosts file. Browsing /wordpress/wp-login.php, here we enter the cred...

KB-VULN:1 - Walkthrough [Vulnhub]

Here's my solution for KB-VULN: 1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.108 We find 3 ports open. Enumeration Browsing the website and checking the source reveals a hint: Username : sysadmin From nmap's output we see that FTP allows anonymous login. $ ftp 192.168.1.108 Name: anonymous Password: anonymous We find a hidden file, .bash_history, so let's get it. Viewing the contents of .bash_history. $ cat .bash_history We keep this as a hint, which can be used at later stages. We know from checking the source of the web page that the username hint is sysadmin, so we can brute force SSH. $ hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt 192.168.1.108 ssh We get the password: password1 Getting Access Accessing SSH. $ ssh sysadmin@192.168.1.108 Password: password1 User Flag. Privilege Escalation Earlier, while accessing FTP, we found a file, bash_history, which has interesting...

OnSystem: ShellDredd #1 Hannah - Walkthrough [Vulnhub]

Here's my solution for OnSystem: ShellDredd #1 Hannah. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.109 We find 2 ports open. Enumeration From nmap's output we see that FTP allows anonymous login. $ ftp 192.168.1.109 Name: anonymous Password: anonymous We find a hidden directory, .hannah, which contains a file named id_rsa. Let's get this file. The contents of id_rsa appear to be a private key. $ cat id_rsa The hidden directory is named hannah, which sounds like a person's name. Since we have the private key, we can try hannah as the username. Getting Access We change the permissions of the file id_rsa. $ chmod 600 id_rsa $ ssh -i id_rsa hannah@192.168.1.109 -p 61000 User Flag. Privilege Escalation Checking for SUID permissions. Let's read the contents of the file /etc/shadow. Tried cracking the hashes, but no result. We edit the password for user- root, in the file- /et...