All about CTF writeups

Here's my solution for Kira:CTF. The machine can be downloaded from here. Service Discovery Using nmap to scan all TCP ports. $ nmap -sC -sV -p- 192.168.1.105 We find only 1 port open. Enumeration Browsing the web, We see an upload option, lets go for it. We try to upload the php reverse shell file. Seems there's some kind of validation which does not allows php files. Now we upload the same php reverse shell file by adding an image extension to it. i.e rshell.php > rshell.php.jpeg Seems that we have successfully upload the file. We navigate to /uploads and here we find the uploaded reverse shell file. Back to the main web page, here we find a language button. We click the language button. Again we click the language button. We find that the lang= parameter is vulnerable to LFI. Initial Access Now to run the php reverse shell file we simply browse the location of the file. And on the other hand we start the netcat listener. We get the shell. Privilege Escalation From www-dat...

Here's my solution for Hemisphere:Gemini. The machine can be downloaded from here. Service Discovery Using Nmap for scanning all TCP ports. $ nmap -sC -sV -p- 192.168.1.132 We find 5 ports open. Enumeration Browsing the web. Using gobuster to scan directories. $ gobuster dir -w /usr/share/wordlists/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.1.132/ -t 100 -x php,txt,html Browsing /Portal We click on CONTACTO, we find that the view= parameter is vulnerable to LFI. By looking at the contents we find a user- william. By exploting the LFI we try to get the william's ssh key. We copy the ssh key to a file. Initial Access Before accessing ssh. We change the permission of the key file. $ chmod 600 key $ ssh -i key william@192.168.1.132 User Flag. Privilege Escalation Checking the permissions on /etc/passwd file, shows that we have full privileges. Lets change the root user password. On our machine we create the password as- pass On target machine we c...

Here's my solution for MoneyHeist:1. The machine can be downloaded from here. Port Scanning Using nmap to scan all TCP ports. nmap -sC -sV -p- 192.168.1.104 We find 5 ports open. Enumeration Browsing the web. We see we have an option to register. After registering we login. The page says- No flag and only the admins will get it. We can guess this can be related with user id, user role, cookies etc. We start the Inspect Element and navigate to Storage Tab > Cookies. Interesting, here we find the presence of JWT tokens in cookies. Lets decode it. We browse the website JWT and decode the value. We find the token uses HS256 algorithm. Now we put the key into a file and run hashcat against it. $ hashcat -m 16500 key.hash /usr/share/wordlists/rockyou.txt We get the secret key as- professor. We again browse the JWT website and try to create a forge token. We place the secret key in the Verify Signature section and alter the email's value to- admin.   Now we copy this forged token...