

HA Joker CTF




this room is rated medium

first of all, as we usually do, we will run an Nmap scan against our target


as we can see we have three open ports: SSH and two HTTP services, so let's take a look at the web app that is running on port 80


we have here a web page with a lot of the Joker's quotes
let's take a look at the page source to see if there is any interesting info we can find


hmm, there is no useful info, so let's visit the second service on port 8080



it requires a username and password to access this page
ok, let's run gobuster against port 80 and see what we find



great, we found some directories and some answers too
one of the files you will find contains a username; note it down, now we have a username
time to get its password: we will use a brute force attack to gain access to the service on port 8080
but the hint says that the username and password are encoded with base64, so let's run Burp and take a closer look



by intercepting the request we notice that the username and password are encoded with base64, so we need to use
one of Burp's features to encode our list while brute-forcing. but before that we need something important:
we need to make a new list with username:password on each line, so I made a python script to put the username we found at the beginning of each line. I took a copy of my rockyou.txt file and named it joker.txt because this code
will replace the original one, so take a copy first. I used the following code

import fileinput
import sys

# rewrite /root/joker.txt in place, prefixing every line (every candidate
# password) with the username found during enumeration: username:password
# note: inplace=True overwrites the file, which is why you keep a copy first
for line in fileinput.input(['/root/joker.txt'], inplace=True):
    sys.stdout.write('username_you_found_here:{l}'.format(l=line))

save this code in a file and name it joker.py (or whatever_you_want.py), run python3 joker.py and it will do all the work for you. now check the file joker.txt again and you will find the username at the beginning of each line
time to use this list in Burp

intercept the request and send it to Intruder, go to the Positions tab, clear all markers and select only the encoded value as shown below



and set the attack type to Sniper

go to the Payloads tab, go to Payload Processing, press Add and select Encode and then Base64-encode as shown below



the last thing: go to the Payload Options section, press Load and select the joker.txt we made



now the attack is ready, and with the steps we did every line in joker.txt will be base64 encoded before it is used
now press Start attack and wait until it finds a successful attempt



you can click the Status column header to sort the results, so any 200 OK response appears at the top of the list
now we have our username:password, but base64 encoded (it is an encoding, not a hash); copy this value and decode it with any online platform using base64 decode

note: if you found another way to brute force, that is great, go and use it.
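From the defender's side, the Intruder run above leaves a very recognisable trace: one request per wordlist entry, each answered with 401, and then a 200 once the right pair is hit. The following is an added example, not part of the original writeup, showing detection logic over constructed access-log lines in combined-log format; the IPs, timestamps and user name are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the room): six 401s from one IP in a few seconds,
# then a 200 for an authenticated user, plus a single unrelated 401 from another IP.
FMT = '{ip} - {user} [01/Jan/2020:10:00:{sec:02d} +0000] "GET / HTTP/1.1" {status} 381 "-" "Mozilla/5.0"'
SAMPLE_LOG = [FMT.format(ip="10.0.0.5", user="-", sec=s, status=401) for s in range(1, 7)]
SAMPLE_LOG.append(FMT.format(ip="10.0.0.5", user="someuser", sec=8, status=200))
SAMPLE_LOG.append(FMT.format(ip="10.0.0.9", user="-", sec=2, status=401))  # one typo, not an attack

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_basic_auth_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for every source IP
    that produced at least `threshold` 401 responses inside any `window`-long interval.
    success_after_failures is True when a 200 from the same IP follows the first 401,
    which is the signature of a brute force that actually found valid credentials."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["status"] == 401]
        # sliding window over the sorted failure timestamps: largest burst within `window`
        peak, j = 0, 0
        for i, t in enumerate(fails):
            while fails[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            success = any(r["status"] == 200 and r["ts"] >= fails[0] for r in recs)
            findings[ip] = {"failures": len(fails), "success_after_failures": success}
    return findings
```

Lowering the threshold or shortening the window makes the rule more sensitive; a 200 following a burst of 401s is the event worth alerting on, since it means the credential guess succeeded.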

we can now login to http://machine-IP:8080 



we can now run gobuster again but on port 8080 and see what we can get; here you have to specify the username and password, you can

use: gobuster dir -U username -P password -u http://machine_IP:8080/ -x .bak,.tar,.gz,.tgz,.zip,.7z -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40



cool, we got a great result and answers too. among the results are an admin panel and a backup file, so let's first try to
navigate to the admin panel



hmm, we need a username and password again. ok, let's download the backup file we found and see what we can get, but it's protected with a password. I tried the password we found before and it worked! so go ahead and unzip it
we have a database folder and a site folder
in the DB folder we have a joomladb.sql file which may contain the admin username and password, so let's try to find that out

use: grep 'CREATE TABLE' joomladb.sql | grep user



ok, we have a list of user tables, let's find out what is in the cc1gr_users table

use: grep cc1gr_users joomladb.sql



nice, we found the admin username and its password hash. let's crack this hash now: save it into a file pwd.hash and use john



we now have the admin username and password, so let's log in



we are in, now it's time to upload our reverse shell; we have to find a place to upload it
try to find it and come back if you can't

you will find it under Extensions > Templates > Templates
then select the first template available
on the left you will see a list of pages; go ahead and edit the index page and replace the content
with your PHP shell, you can find it here

replace the IP with yours, set the port you want and save
on your local machine (kali) set up a Netcat listener on the port you chose

use: nc -nvlp 444 

go back to the page you edited and press Template Preview at the top, and here we go, we now have a reverse shell



use: /usr/bin/script -qc /bin/bash /dev/null 

to spawn a tty shell

ok, we now need to know some details about LXD
LXD is a next-generation system container manager. it offers a user experience similar to virtual machines
but using Linux containers instead

you need to keep learning about LXD; you can read this

now we need to list the images installed on the lxd service

use: lxc image list



now we have the wanted ALIAS

as the question says, the idea here is to mount the root of the OS file system in the container;
this should give us access to the root directory

so we will use lxd to escalate our privileges; you can see this for more information

so we are going to use these commands (the container is named ignite throughout)

lxc init myalpine ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

now try the id command

we are root now!

go to /mnt/root/root and you will find the final answer!
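The escalation above needs two things: a non-root user who is a member of the lxd group (which is effectively root-equivalent), and the ability to create a privileged container with the host's / attached as a disk device. The following is an added example, not from the original writeup, of a small Python audit that checks for both conditions over constructed /etc/group content and constructed `lxc config show`-style YAML output; user names and container settings are made up.

```python
import re

# Constructed /etc/group excerpt (not from the room): two users in lxd, one in docker.
ETC_GROUP = """\
root:x:0:
sudo:x:27:alice
lxd:x:131:alice,bob
docker:x:998:carol
"""

# Constructed output in the shape of `lxc config show <container> --expanded`.
LXC_CONFIG = """\
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk
  eth0:
    type: nic
"""

# Membership in these groups lets a user reach root on the host via the daemon.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker"}

def root_equivalent_members(group_text):
    """Map each root-equivalent group found in /etc/group content to its member list."""
    found = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in ROOT_EQUIVALENT_GROUPS and parts[3]:
            found[parts[0]] = parts[3].split(",")
    return found

def risky_container_settings(config_text):
    """Flag security.privileged=true and any device whose source is the host root."""
    findings = []
    if re.search(r'^\s*security\.privileged:\s*"?true"?\s*$', config_text, re.M):
        findings.append("security.privileged=true: no uid mapping between container and host")
    device = None
    for line in config_text.splitlines():
        m = re.match(r"^  (\w+):\s*$", line)  # two-space indent = a device name
        if m:
            device = m.group(1)
        elif device and re.match(r"^\s+source:\s*/\s*$", line):
            findings.append(f"device {device}: host / is mounted into the container")
    return findings
```

A user listed under lxd here is the finding that matters most; removing that membership (or restricting who can talk to the LXD socket) closes the path regardless of container settings.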
