Posts

Hemisphere:Lynx - Walkthrough [Vulnhub]

Here's my solution for Hemisphere:Lynx. The machine can be downloaded from here. Port Scanning Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.104 We find 5 ports open. Enumeration. Browsing the web and checking the source did not reveal any useful information. At this point we tried brute forcing directories but got no result. Since SMB ports are open, we can use enum4linux against the host to find any useful information. $ enum4linux -a 192.168.1.104 And yes, we find a user- johannes. Well, the author of the machine has already given us a hint as- brute force. We use cewl to create a list of passwords. $ cewl http://192.168.1.104 > wordlist Now that we have a username and a list of passwords, we use hydra to brute force ssh. $ hydra -l johannes -P wordlist 192.168.1.104 ssh We have the password as- constelaciones. Getting Access As we have the username as well as the password, we access ssh. $ ssh johannes@192.168.1.104 Password: constelaciones User Flag Privilege Escalation We navig...

ColddBox:Easy - Walkthrough [Vulnhub]

Here's my solution for ColddBox:Easy. The machine can be downloaded from here. Port Scanning Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.103 We find 2 ports open. Enumeration. Browsing the web, we observe that it is built on CMS- Wordpress. We use wpscan to enumerate all plugins and users. $ wpscan --url http://192.168.1.103/ -e ap,u No plugins are found but wpscan did find users for us. Since we have usernames we try to brute force the password. $ wpscan --url http://192.168.1.103/ -U c0ldd -P /usr/share/wordlists/rockyou.txt Let us log in with the found credential. Username: c0ldd Password: 9876543210 We navigate to Appearance > Editor and select the 404 Template to place the php reverse shell payload. Getting Access To run the exploit, we browse /wp-content/themes/twentyfifteen/404.php and on the other hand we start the netcat listener. We get the reverse shell. We find a file- wp-config.php under /var/www/html/ directory. On viewing the file we find databa...

LemonSqueezy:1 - Walkthrough [Vulnhub]

Here's my solution for LemonSqueezy:1. The machine can be downloaded from here. Port Scanning Using nmap for scanning all TCP ports. $ nmap -sC -sV -p- 192.168.1.106 We find 1 port open. Enumeration Browsing the web, we see an apache2 default page. Using dirb for scanning directories. $ dirb http://192.168.1.106 -r Interesting, a /wordpress directory. Let us browse it. Looking at the status bar, it seems we need to map the IP to the host name. We can do this by editing the hosts file. Now we browse /wordpress again. We observe that it is built on CMS- Wordpress. We use wpscan to enumerate all plugins and users. $ wpscan --url http://lemonsqueezy/wordpress/ -e ap,u No plugins are found but wpscan did find users for us. As we have usernames we can try to brute force the password. $ wpscan --url http://lemonsqueezy/wordpress/ -U orange -P /usr/share/wordlists/rockyou.txt We have the password as- ginger for the user- orange. We browse the login page, and log in with the below details. Username: ...

Tiki:1 - Walkthrough [Vulnhub]

Here's my solution for Tiki:1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.102 We find 4 ports open. Enumeration Browsing the web, we see an apache2 default page. We scan for directories using dirb. $ dirb http://192.168.1.102/ -r Browsing /robots.txt. We browse /tiki, dirb also finds it for us. The web is built on CMS- TikiWiki. Since SMB ports are open, let's enumerate it. $ smbmap -H 192.168.1.102 We have read only access to share- Notes, let's get the smb shell. $ smbclient //192.168.1.102/Notes A text file, let's get this and check what we got. Seems like we got credentials. We browse the web, and log in with the found credential. Username: silky Password: 51lky571k1 We navigate to Wiki > List Pages > Silkys Homepage. This seems like a hint. We again try to brute-force /tiki directory using gobuster with some file extensions. $ gobuster dir -u http://192.168.1.102/tiki/ -w /usr/share/wordlists/dirbuster/directory-list-...