Day 24 - The Trial Before Christmas
Date: 24 December 2020
Author: Dhilip Sanjay S
Bypassing client side filters using BurpSuite
Shell Upgrading and Stabilization
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
- this will give access to commands like clear.
Finally press Ctrl + Z and then type:
stty raw -echo; fg
MySQL:
mysql -uUSERNAME -p
Online password cracking:
Solutions
Scan the machine. What ports are open?
Answer: 80, 65000
Steps to Reproduce:
What's the title of the hidden website? It's worthwhile looking recursively at all websites on the box for this step.
Answer: Light Cycle
Steps to Reproduce: Visit
http://<MACHINE_IP>:65000/
What is the name of the hidden php page?
Answer: uploads.php
Steps to Reproduce:
What is the name of the hidden directory where file uploads are saved?
Answer: grid
Steps to Reproduce: Gobuster output.
Bypass the filters. Upload and execute a reverse shell.
Steps to Reproduce:
Upload reverseShell.png.php with any code for reverse shell.
Listen using netcat:
sudo nc -lvnp $port
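The bypass above works because the filter only runs in the browser and only looks for an image extension somewhere in the name. The following is an added example (not code from the write-up or from the challenge box) showing a flawed substring check beside the server-side check a defender would want: allowlist on the final extension only, reject extra dots in the name, verify the file's magic bytes, and store under a server-generated name. All filenames and the ALLOWED_EXTENSIONS/MAGIC tables are constructed for the example.

```python
import os
import re
import secrets

# Allowlist of image extensions the upload endpoint accepts (constructed for this example).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# File signatures (magic bytes) for each allowed type.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def naive_is_allowed(filename: str) -> bool:
    """Flawed check: accepts any name that merely contains an image extension.
    A double extension such as reverseShell.png.php passes straight through."""
    return any(ext in filename.lower() for ext in ALLOWED_EXTENSIONS)


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Server-side check: the *final* extension must be allowlisted, the stem
    may not contain further dots or odd characters, and the first bytes of the
    content must match the signature for that extension."""
    base = os.path.basename(filename)          # strip any path components
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if "." in stem or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return content.startswith(MAGIC[ext])


def storage_name(filename: str) -> str:
    """Never keep the client's name: store under a random name that only
    carries the validated extension, so the web server cannot be coaxed into
    executing the upload as a script."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8       # constructed PNG header
    php = b"<?php echo 'constructed sample'; ?>"    # constructed non-image body
    print("naive   reverseShell.png.php ->", naive_is_allowed("reverseShell.png.php"))
    print("hardened reverseShell.png.php ->", hardened_is_allowed("reverseShell.png.php", php))
    print("hardened photo.png           ->", hardened_is_allowed("photo.png", png))
    print("stored as", storage_name("photo.png"))
```

Note that the hardened check still has to live on the server: anything enforced only by JavaScript can be removed in the Burp request editor exactly as the write-up describes.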
What is the value of the web.txt flag?
Answer: THM{ENTER_THE_GRID}
Steps to Reproduce:
Upgrade and stabilize your shell
Steps to Reproduce:
Review the configuration files for the webserver to find some useful loot in the form of credentials. What credentials do you find? username:password
Answer: tron:IFightForTheUsers
Steps to Reproduce:
Access the database and discover the encrypted credentials. What is the name of the database you find these in?
Answer: tron
Steps to Reproduce:
Crack the password. What is it?
Answer: @computer@
Steps to Reproduce:
Use an online hash lookup service:
edc621628f6d19a13a00fd683f5e3ff7:@computer@
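The lookup succeeds because the database stores an unsalted 32-hex-character digest that any precomputed table can reverse. As an added example (not part of the write-up), the block below shows how a reviewer can flag that storage format, how a simple wordlist lookup against an unsalted MD5 works in principle, and what a salted, iterated PBKDF2 store looks like instead. The hash string from the write-up is used only as input to the format check; the wordlist and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Digest as given in the write-up; used here only to classify its format.
LEAKED_DIGEST = "edc621628f6d19a13a00fd683f5e3ff7"

# Constructed wordlist for the demonstration (not a real cracking list).
WORDLIST = ["password", "tron", "flynn", "grid", "@computer@"]


def looks_like_unsalted_md5(digest_hex: str) -> bool:
    """32 hex characters with no salt or algorithm prefix: classic MD5 storage."""
    digest_hex = digest_hex.strip().lower()
    return len(digest_hex) == 32 and all(c in "0123456789abcdef" for c in digest_hex)


def md5_wordlist_lookup(digest_hex: str, words):
    """Return the first word whose MD5 matches, or None.  Unsalted digests let
    an attacker do this once for every account in the table at the same time."""
    target = digest_hex.strip().lower()
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-SHA256 in a self-describing string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("leaked digest looks like unsalted MD5:", looks_like_unsalted_md5(LEAKED_DIGEST))
    sample = hashlib.md5(b"grid").hexdigest()            # constructed target
    print("wordlist lookup of md5('grid'):", md5_wordlist_lookup(sample, WORDLIST))
    stored = hash_password("@computer@")
    print("pbkdf2 record:", stored[:40], "...")
    print("verify correct:", verify_password("@computer@", stored))
    print("verify wrong:  ", verify_password("computer", stored))
```

Two identical passwords produce different PBKDF2 records because each gets its own salt, so a leaked table can no longer be attacked with one lookup per digest.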
Use su to login to the newly discovered user by exploiting password reuse.
Steps to Reproduce:
What is the value of the user.txt flag?
Answer: THM{IDENTITY_DISC_RECOGNISED}
Steps to Reproduce:
Check the user's groups. Which group can be leveraged to escalate privileges?
Answer: lxd
Steps to Reproduce:
Abuse this group to escalate privileges to root.
Steps to Reproduce:
In your attack machine:
In the victim machine:
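Membership of lxd (like docker or sudo) is effectively root-equivalent, so the defender's counterpart to this step is an audit of who sits in such groups. The block below is an added example (not from the write-up) that parses /etc/group-format text and reports the members of root-equivalent groups; the sample group file and the ROOT_EQUIVALENT_GROUPS set are constructed for the example, and audit_system() reads the real /etc/group when run on a host.

```python
from typing import Dict, Set

# Constructed sample in /etc/group format; not taken from the challenge machine.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
lxd:x:118:tron,bob
docker:x:999:
users:x:100:alice,bob,tron
"""

# Groups whose membership lets a user become root (or read every file):
# lxd/docker via privileged containers, sudo/wheel via sudo, disk via raw devices.
ROOT_EQUIVALENT_GROUPS = {"sudo", "wheel", "lxd", "docker", "disk"}


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members (the fourth field)."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue                     # malformed line; skip rather than crash
        name, members = fields[0], fields[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def root_equivalent_members(text: str) -> Dict[str, Set[str]]:
    """Return only the root-equivalent groups that actually have members."""
    groups = parse_group_file(text)
    return {g: m for g, m in groups.items() if g in ROOT_EQUIVALENT_GROUPS and m}


def audit_system(path: str = "/etc/group") -> Dict[str, Set[str]]:
    """Run the audit against a real group file (defaults to /etc/group)."""
    with open(path, encoding="utf-8") as fh:
        return root_equivalent_members(fh.read())


if __name__ == "__main__":
    for group, members in sorted(root_equivalent_members(SAMPLE_GROUP_FILE).items()):
        print(f"{group}: {', '.join(sorted(members))}")
```

Any service account or low-privilege user listed here should be removed from the group unless that access is explicitly required; on the challenge box the tron user in lxd is exactly the finding this audit would raise.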
What is the value of the root.txt flag?
Answer: THM{FLYNN_LIVES}
Steps to Reproduce: