writeups &mdash; drsh0's llog https://drsh0.writeas.com/tag:writeups my learning log; notes on cybersec activities, ctfs, and ill-equipped cyber adventures. Consume responsibly. Sun, 26 Apr 2026 19:21:27 +0000 https://i.snap.as/v7Oo2ci6.png writeups &mdash; drsh0's llog https://drsh0.writeas.com/tag:writeups TryHackMe | Advent of Cyber 2019 https://drsh0.writeas.com/tryhackme-advent-of-cyber-2019?pk_campaign=rss-feed <![CDATA[Link: https://tryhackme.com/room/25daysofchristmas Get started with Cyber Security in 25 Days - Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas Day 1 cookies that have fixed values are bad as it allows attackers to guess the pattern and values. a new cookie can be created from Firefox dev tools storage cookies add new Day 2 check source pages dir searching github search for website Day 3 for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh follow stream to export to txt johntheripper can work on /etc/shadow without needeing /etc/passwd. Day 4 to find text within all files: grep -Ril "text" to grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt It's wise to search for .bak files in case some world readable backups exist : find / -name .bak 2 /dev/null Day 5 OSINT required creative google searches, social media, and the use of waybackmachine. Day 6 Tools used: wireshark-gtk fcrackzip steghide Day 7 strange protocols running on weird ports are worth trying out via http. Day 8 if binaries such as find are running as another user you can usually use exec to execute something with that binary e.g.: find /home/igor -name flag1.txt -exec cat /home/igor/flag1.txt \; commonly used command to list all suid binaries: find / -user root -perm -4000 -exec ls -ldb {} \; 2 /dev/null Day 10: Metasploit After a quick nmap scan, there seems to be a tomcat server running on port 80. Version enumeration reveals that it may be prone to the struts2 vuln. Let's use the struts2contenttypeognl exploit via MSF and configure hosts, ports, and path (path = ""). exploit successful! Use meterpreter shell to exploit further and find a way to break out of the docker container. SSH creds are available -- this is how we break out. Day 11: Network Exploitation nmap -A $IP -oA filename We can see the following services open: ftp, nfs, mysql Anonymous login is allowed on FTP. Use ftp to login and retrieve file and credentials. NFS showmount -e $IP to check if NFS is present and directory path. cd /tmp && mkdir thm-nfs-11 sudo mount $IP:/opt/files thm-nfs-11 thm-nfs-11 contains a file with the flag. MySQL I'll be using mycli to connect to the msql database. mycli -h $IP -P 3306 -u root show databases use data show tables SELECT * FROM 'USERS' Creds are now retrieved from the table. Day 12 1) md5sum 2) gpg --decrypt note1.txt.gpg with supplied passphrase 3a) Decrypt private RSA key first with supplied passphrase openssl rsa -in private.key -out test.key 3b) Then use openssl rsautl -decrypt -inkey test.key -in note2encrypted.txt -out note2_decrypted.txt to obtain decrypted note. Day 14: AWS S3 Buckets Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name Day 15: Local File Inclusion Webservers will often pull files from local locations to display on a webpage. It's best to have a look at the HTTP requests and start crafting potential LFI that way. Be sure to encode the / using %2F. Example payload: http://host/get-file/%2fetc%2fpasswd #writeups #ctf #tryhackme ]]> Link: https://tryhackme.com/room/25daysofchristmas

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas

Day 1

  • cookies that have fixed values are bad as it allows attackers to guess the pattern and values.
  • a new cookie can be created from Firefox dev tools > storage > cookies > add new

Day 2

  • check source pages
  • dir searching
  • github search for website

Day 3

  • for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh
  • follow stream to export to txt
  • johntheripper can work on /etc/shadow without needeing /etc/passwd.

Day 4

  • to find text within all files: grep -Ril "text"
    • to grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
  • It's wise to search for *.bak files in case some world readable backups exist : find / -name *.bak 2>/dev/null

Day 5

  • OSINT required creative google searches, social media, and the use of waybackmachine.

Day 6

  • Tools used:
    • wireshark-gtk
    • fcrackzip
    • steghide

Day 7

  • strange protocols running on weird ports are worth trying out via http.

Day 8

  • if binaries such as find are running as another user you can usually use exec to execute something with that binary e.g.:
find /home/igor -name flag1.txt  -exec cat /home/igor/flag1.txt \;
  • commonly used command to list all suid binaries:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Day 10: Metasploit

  • After a quick nmap scan, there seems to be a tomcat server running on port 80.
  • Version enumeration reveals that it may be prone to the struts2 vuln.
  • Let's use the struts2_content_type_ognl exploit via MSF and configure hosts, ports, and path (path = “”).
  • exploit successful! Use meterpreter shell to exploit further and find a way to break out of the docker container.
  • SSH creds are available —> this is how we break out.

Day 11: Network Exploitation

  • nmap -A $IP -oA <filename>
  • We can see the following services open: ftp, nfs, mysql
  • Anonymous login is allowed on FTP. Use ftp to login and retrieve file and credentials.

NFS

  • showmount -e $IP to check if NFS is present and directory path.
  • cd /tmp && mkdir thm-nfs-11
  • sudo mount $IP:/opt/files thm-nfs-11
  • thm-nfs-11 contains a file with the flag.

MySQL

  • I'll be using mycli to connect to the msql database.
  • mycli -h $IP -P 3306 -u root
  • show databases
  • use data
  • show tables
  • SELECT * FROM 'USERS'
  • Creds are now retrieved from the table.

Day 12

1) md5sum 2) gpg --decrypt note1.txt.gpg with supplied passphrase 3a) Decrypt private RSA key first with supplied passphrase openssl rsa -in private.key -out test.key 3b) Then use openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt to obtain decrypted note.

Day 14: AWS S3 Buckets

  • Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com
  • Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name

Day 15: Local File Inclusion

  • Webservers will often pull files from local locations to display on a webpage.
  • It's best to have a look at the HTTP requests and start crafting potential LFI that way.
  • Be sure to encode the / using %2F.
  • Example payload: http://host/get-file/%2fetc%2fpasswd

#writeups #ctf #tryhackme

]]> https://drsh0.writeas.com/tryhackme-advent-of-cyber-2019 Sun, 08 Dec 2019 23:40:33 +0000