drsh0's llog

writeups

Link: https://tryhackme.com/room/25daysofchristmas

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas

Day 1

  • Cookies with fixed or predictable values are bad, since they let an attacker guess the pattern and forge values.
  • A new cookie can be created in Firefox dev tools: Storage > Cookies > add new.
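As an added illustration of the Day 1 point (not code from the room or from the original post), the block below contrasts a cookie built from a fixed, guessable value with a random session identifier that carries an HMAC tag. The server secret and the usernames are constructed for the example; a real server would load the secret from its configuration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example only; a real deployment loads it from a secret store.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def predictable_cookie(username: str) -> str:
    """The weak pattern: the cookie is just an encoding of a fixed value.
    Anyone who decodes one cookie knows how to build another."""
    return base64.b64encode(f"user={username}".encode()).decode()


def issue_session_cookie(username: str) -> str:
    """Random session id bound to the user with an HMAC tag.
    The id cannot be guessed, and editing the username invalidates the tag."""
    session_id = secrets.token_urlsafe(32)
    payload = f"{username}:{session_id}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}:{tag}"


def verify_session_cookie(cookie: str) -> Optional[str]:
    """Return the username if the tag is valid for the cookie body, else None."""
    try:
        username, session_id, tag = cookie.rsplit(":", 2)
    except ValueError:
        return None
    payload = f"{username}:{session_id}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return username


if __name__ == "__main__":
    print("predictable:", predictable_cookie("guest"))
    c = issue_session_cookie("alice")
    print("signed:", c)
    print("verifies as:", verify_session_cookie(c))
```

The signed cookie still names the user in clear text; what it prevents is forgery, not disclosure. If the value itself must stay private, store only the random id in the cookie and keep the user mapping server-side.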

Day 2

  • Check the page source.
  • Directory searching.
  • Search GitHub for the website.

Day 3

  • For pcaps, the best approach is to search for interesting activity, e.g. telnet and SSH.
  • Follow the stream and export it to a txt file.
  • John the Ripper can work on /etc/shadow without needing /etc/passwd.

Day 4

  • To find text within all files under the current directory: grep -Ril "text" .
    • To grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
  • It's wise to search for *.bak files in case some world-readable backups exist (the glob is quoted so the shell does not expand it): find / -name "*.bak" 2>/dev/null
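The grep pattern above accepts any four dot-separated groups of one to three digits, so it also returns things like 999.1.1.1 or the first four parts of a version string. The added example below (mine, not from the room) runs that loose pattern and a stricter one over a few constructed log lines; the log lines and hosts are made up for the demonstration.

```python
import re

# Constructed sample lines (not from the room); note the bogus 999.1.1.1 and the version string.
SAMPLE_LOG = """\
Dec 25 10:01:02 sshd[123]: Accepted password for igor from 10.10.14.7 port 51234
Dec 25 10:01:09 nginx: 192.168.1.254 - - "GET /index.html"
Dec 25 10:02:00 app: upstream 999.1.1.1 unreachable, retrying 172.16.0.3
Dec 25 10:02:30 app: version 2.10.3.1.5 installed
"""

# The loose pattern from the grep one-liner: any 1-3 digit groups joined by dots.
LOOSE_IPV4 = re.compile(r"([0-9]{1,3}\.){3}[0-9]{1,3}")

# Stricter: each octet 0-255, and no digit or dot immediately before or after the match,
# so "2.10.3.1.5" is not cut down to a four-part match.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
STRICT_IPV4 = re.compile(rf"(?<![0-9.])(?:{OCTET}\.){{3}}{OCTET}(?![0-9.])")


def extract_ipv4_loose(text: str):
    """What `grep -E -o` with the page's pattern would print, in order."""
    return [m.group(0) for m in LOOSE_IPV4.finditer(text)]


def extract_ipv4_strict(text: str):
    """Only syntactically valid dotted-quad addresses, in order."""
    return [m.group(0) for m in STRICT_IPV4.finditer(text)]


if __name__ == "__main__":
    print("loose :", extract_ipv4_loose(SAMPLE_LOG))
    print("strict:", extract_ipv4_strict(SAMPLE_LOG))
```

The loose pattern is fine for a quick look at a file; when the output feeds a block list or a correlation search, the stricter pattern avoids chasing values that were never addresses.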

Day 5

  • OSINT required creative Google searches, social media, and the Wayback Machine.

Day 6

  • Tools used:
    • wireshark-gtk
    • fcrackzip
    • steghide

Day 7

  • Unfamiliar services running on unusual ports are worth trying out over HTTP.

Day 8

  • If a binary such as find runs as another user, you can usually use its -exec option to execute something through that binary, e.g.:
find /home/igor -name flag1.txt -exec cat /home/igor/flag1.txt \;
  • Commonly used command to list all SUID binaries owned by root:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
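The find one-liner above answers "what is setuid root right now"; the follow-up question on a host you defend is "which of those should not be there". The added example below (mine, not from the room) applies the same filter as `-user root -perm -4000` to an inventory of path, mode and owner, then reports anything not in a baseline. The baseline set and the sample inventory are hypothetical; on a real host the baseline comes from a golden image or the package manager.

```python
import os
import stat
from typing import Dict, List, Tuple

# Hypothetical baseline of setuid-root binaries expected on the host (not a real-world list).
EXPECTED_SETUID_ROOT = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

# Constructed sample inventory: path -> (st_mode, st_uid), as os.lstat() would report them.
SAMPLE_INVENTORY: Dict[str, Tuple[int, int]] = {
    "/usr/bin/passwd": (stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    "/usr/bin/find":   (stat.S_IFREG | stat.S_ISUID | 0o755, 0),     # setuid root, not in baseline
    "/usr/bin/vim":    (stat.S_IFREG | 0o755, 0),                    # not setuid
    "/home/igor/tool": (stat.S_IFREG | stat.S_ISUID | 0o755, 1001),  # setuid, but not root-owned
}


def unexpected_setuid_root(inventory: Dict[str, Tuple[int, int]],
                           baseline=EXPECTED_SETUID_ROOT) -> List[str]:
    """Regular files that are setuid AND owned by uid 0 (the find filter), minus the baseline."""
    hits = []
    for path, (mode, uid) in inventory.items():
        if stat.S_ISREG(mode) and (mode & stat.S_ISUID) and uid == 0 and path not in baseline:
            hits.append(path)
    return sorted(hits)


def inventory_filesystem(root: str = "/") -> Dict[str, Tuple[int, int]]:
    """Build the same inventory from a live filesystem, skipping entries we cannot stat."""
    inv: Dict[str, Tuple[int, int]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # unreadable or vanished; same effect as 2>/dev/null
            inv[p] = (st.st_mode, st.st_uid)
    return inv


if __name__ == "__main__":
    print(unexpected_setuid_root(SAMPLE_INVENTORY))
```

Running `inventory_filesystem()` and diffing its result against a snapshot taken at build time turns the one-liner into a repeatable check; a new entry in the output is worth a ticket even when the binary itself looks harmless.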

Day 10: Metasploit

  • After a quick nmap scan, there seems to be a Tomcat server running on port 80.
  • Version enumeration reveals that it may be prone to the Struts2 vulnerability.
  • Let's use the struts2_content_type_ognl exploit via MSF and configure hosts, ports, and path (path = "").
  • Exploit successful! Use the meterpreter shell to exploit further and find a way to break out of the Docker container.
  • SSH creds are available -> this is how we break out.

Day 11: Network Exploitation

  • nmap -A $IP -oA <filename>
  • We can see the following services open: FTP, NFS, MySQL.
  • Anonymous login is allowed on FTP. Use ftp to log in and retrieve the file and credentials.

NFS

  • showmount -e $IP to check whether NFS is present and which directory paths are exported.
  • cd /tmp && mkdir thm-nfs-11
  • sudo mount $IP:/opt/files thm-nfs-11
  • thm-nfs-11 contains a file with the flag.

MySQL

  • I'll be using mycli to connect to the MySQL database.
  • mycli -h $IP -P 3306 -u root
  • show databases;
  • use data;
  • show tables;
  • SELECT * FROM `USERS`; (backticks, not single quotes: in MySQL 'USERS' is a string literal, not a table name)
  • Creds are now retrieved from the table.

Day 12

1) md5sum
2) gpg --decrypt note1.txt.gpg with the supplied passphrase
3a) Decrypt the private RSA key first with the supplied passphrase: openssl rsa -in private.key -out test.key
3b) Then use openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt to obtain the decrypted note.

Day 14: AWS S3 Buckets

  • Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com
  • Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name
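Buckets become reachable at those URLs without credentials when their policy grants access to everyone. The added example below (mine, not from the room) parses a bucket policy document and reports statements that allow read actions to an anonymous principal. The policy, bucket name and account id are constructed for the demonstration.

```python
import json
from typing import Any, List

# Constructed bucket policy (not from the room) with one public-read statement.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Actions that let an anonymous caller list or fetch bucket contents.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """'*' or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: dict) -> List[str]:
    """Sids (or a placeholder) of Allow statements granting read actions to everyone."""
    hits = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        if READ_ACTIONS.intersection(_as_list(st.get("Action"))):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    print(public_read_statements(SAMPLE_POLICY))
```

A statement with a Condition block is still reported here, because a condition may or may not narrow the grant enough; the point of the check is to surface every anonymous grant for a human to review. Public access blocks at the account or bucket level override the policy and are the simpler control.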

Day 15: Local File Inclusion

  • Web servers will often pull files from local paths to display on a web page.
  • It's best to have a look at the HTTP requests and start crafting potential LFI payloads from there.
  • Be sure to encode the / as %2F.
  • Example payload: http://host/get-file/%2fetc%2fpasswd
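Why that payload works, and what a fixed handler looks like, as an added example that is not part of the original post: the vulnerable function mirrors a server that URL-decodes the parameter and joins it to its files directory with no check, so an absolute path such as /etc/passwd (sent as %2fetc%2fpasswd) replaces the base directory entirely. The hardened function normalises the result and refuses anything that does not stay under the base. The base directory is a constructed value.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the example; not a path from the room.
FILES_DIR = "/var/www/app/files"


def vulnerable_resolve(requested: str) -> str:
    """The bug: decode and join with no containment check.
    posixpath.join discards FILES_DIR when the decoded value is absolute,
    and normpath happily walks '..' segments above it."""
    return posixpath.normpath(posixpath.join(FILES_DIR, unquote(requested)))


def safe_resolve(requested: str) -> Optional[str]:
    """Decode once, drop leading slashes so the value is always relative,
    normalise, then require the result to sit strictly under FILES_DIR."""
    decoded = unquote(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(FILES_DIR, decoded))
    if candidate == FILES_DIR or not candidate.startswith(FILES_DIR + "/"):
        return None  # escaped the directory, or asked for the directory itself
    return candidate


if __name__ == "__main__":
    for p in ("report.pdf", "%2fetc%2fpasswd", "..%2f..%2f..%2f..%2fetc%2fpasswd"):
        print(f"{p!r:40} vulnerable -> {vulnerable_resolve(p)!r:28} safe -> {safe_resolve(p)!r}")
```

The check is done on the normalised string rather than by rejecting ".." or "/" substrings, so single-encoded variants are handled the same way. On a real filesystem, resolve symlinks as well (os.path.realpath on the existing file) before the prefix test, since a symlink inside the directory can point outside it; and treat the request as a key into an allow-list of filenames where the application can afford to.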

#writeups #ctf #tryhackme