drsh0's llog

Link: https://tryhackme.com/room/25daysofchristmas

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas

Day 1

• cookies that have fixed values are bad as it allows attackers to guess the pattern and values.
• a new cookie can be created from Firefox dev tools > storage > cookies > add new

Day 2

• check source pages
• dir searching
• github search for website

Day 3

• for pcaps, the best thing to do is search for interesting activities e.g. telnet and ssh
• follow stream to export to txt
• johntheripper can work on /etc/shadow without needeing /etc/passwd.

Day 4

• to find text within all files: grep -Ril "text"
  • to grep for all IP addresses: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" file.txt
• It's wise to search for *.bak files in case some world readable backups exist : find / -name *.bak 2>/dev/null

Day 5

• OSINT required creative google searches, social media, and the use of waybackmachine.

Day 6

• Tools used:
  • wireshark-gtk
  • fcrackzip
  • steghide

Day 7

• strange protocols running on weird ports are worth trying out via http.

Day 8

• if binaries such as find are running as another user you can usually use exec to execute something with that binary e.g.:

find /home/igor -name flag1.txt  -exec cat /home/igor/flag1.txt \;

• commonly used command to list all suid binaries:

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Day 10: Metasploit

• After a quick nmap scan, there seems to be a tomcat server running on port 80.
• Version enumeration reveals that it may be prone to the struts2 vuln.
• Let's use the struts2_content_type_ognl exploit via MSF and configure hosts, ports, and path (path = “”).
• exploit successful! Use meterpreter shell to exploit further and find a way to break out of the docker container.
• SSH creds are available —> this is how we break out.

Day 11: Network Exploitation

• nmap -A $IP -oA <filename>
• We can see the following services open: ftp, nfs, mysql
• Anonymous login is allowed on FTP. Use ftp to login and retrieve file and credentials.

NFS

• showmount -e $IP to check if NFS is present and directory path.
• cd /tmp && mkdir thm-nfs-11
• sudo mount $IP:/opt/files thm-nfs-11
• thm-nfs-11 contains a file with the flag.

MySQL

• I'll be using mycli to connect to the msql database.
• mycli -h $IP -P 3306 -u root
• show databases
• use data
• show tables
• SELECT * FROM 'USERS'
• Creds are now retrieved from the table.

Day 12

1) md5sum 2) gpg --decrypt note1.txt.gpg with supplied passphrase 3a) Decrypt private RSA key first with supplied passphrase openssl rsa -in private.key -out test.key 3b) Then use openssl rsautl -decrypt -inkey test.key -in note2_encrypted.txt -out note2_decrypted.txt to obtain decrypted note.

Day 14: AWS S3 Buckets

• Buckets can be accessed via bucketname.s3.amazonaws.com or bucketname.region-name.amazonaws.com
• Bucket contents can be accessed via bucketname.region-name.amazonaws.com/file-name

Day 15: Local File Inclusion

• Webservers will often pull files from local locations to display on a webpage.
• It's best to have a look at the HTTP requests and start crafting potential LFI that way.
• Be sure to encode the / using %2F.
• Example payload: http://host/get-file/%2fetc%2fpasswd

#writeups #ctf #tryhackme