Ippsec ctf

Love is in the air and for the info-sec folks, vulns are in the machine.

Lg k7 frp bypass 2019

The main goal is to gain root access to the valentine Linux box and for now, we only know its IP address If you follow any of the previous CTF write-ups then you must know this that whenever we are presented with an IP address then scanning the machine for the open ports is the first step that we always need to carry out.

So, we run the above commands to figure out the open ports on the machine. The unique thing about the machine arises when we have a look at the version of the SSH and realise that the machine has an out-dated version of Ubuntu installed and so is the Apache version outdated as well. As soon as we confirm that the system is outdated by doing a normal google search, we check if this outdated version has some well-known vulnerability that can be exploited by us.

We run this script on the machine to figure out the well-known vulnerabilities. So, from now on at least we know which way we should move to gain root privilege on the machine.

Now, that we have the high probability that the machine is vulnerable to Heartbleed attack so we try to confirm this by using the SSLyze tool. Now, that we have confirmed that the machine is vulnerable to Heartbleed, we try to figure out other attack vectors to get into the system. Once, we run the above command in our Kali box we are shortly presented with the following directories. We visit these directories one after the another. This presented us with nothing more than an image of the Heartbleed logo.

The same image as the one above popped up when we open up this directory as well. This directory was interesting as it presented us with the following files. We first open the notes. Then I went over to the hype. We save the private RSA key in our current folder and change the permissions on the.

Once, we do that now we can use the private key file to ssh into the valentine box. So, we try to SSH into the machine, we type in the command. We terminate the connection and try to figure out the passphrase. Now, getting back to the basics we know right now that we can have shell access to the machine but we need a passphrase and the machine is vulnerable to Heartbleed, this all points in the direction that we need to carry out the heartbleed attack.

So this image is most easy to understand explanation of heartbleed, you ask the server to reply back potato 6 letters and it does that, then you ask it to return back bird 4 letters it does that but when you get creative and tell it to send back hat letters.Jeeves is a medium rated machine on HackTheBox platform which got retired last weekend Core of this machine revolves around pwnage of Jenkins.

Afterwards, I run Gobuster to search for any hidden content or directories, but find none. Not much one can do from here on… A dead end! This allows us to either upload a malicious. I chose the latter. This allows us to run arbitrary GroovyScript similar to java commands. Go and get it! Unfortunately, we still need to escalate our privileges in order to capture all the flags. There are two main methods of doing so - cracking of. Below, the first method will be described. Doing a bit of roaming around the file system, I find an interesting.

This file extension is associated with Keepass password manager. The mentiond. Thanks to netcatwe are able to transfer the. We can then proceed to generate a hash with keepass2john. This hash can be then cracked with usual programs like Hashcat or JohnTheRipper. The master password of the Keepass manager is moonshine1! By installing Keepass2 apt-get install keepass2we can view the.

The preview looks like this:. Does this look similar - aad3bbeeaad3bbee:e0fb1fbcffcbe81fe00? It is an NTLM hash which we can use for pass the hash attack!

However, retrieving the root flag is a bit tricky. The flag itself is hidden inside an alternate data stream. His content is great and I often learn many new methods from his tutorials :-! Thanks for reading. Introduction Jeeves is a medium rated machine on HackTheBox platform which got retired last weekend Nmap done: 1 IP address 1 host up scanned in Microsoft Windows [Version All rights reserved. Share this post with:.Enuerating the wordpress users on the target.

A small script to test all possible combinations would go like this:! So to isolate the locking combination and to discover what actually unlocks the additional ports I altered the script above as following:! Of course this is far from optimized code which would not be effective if there was an additional port added to the port knocking sequence, but in this case it works wonders.

Checking the contents of the notes. To get the password for the qsub program, run it through a debugger a choice like edb or gdb and follow the code. So the password of the application is actually the current value of the TERM environment variable in the environment where you run the script. After I tested the password with the value from the TERM environment variable and confirmed the findings are correct, the next step was to made a small test for command injection as the application is writing the user input to a file.

After overriding the contents of the backup. The application though spawns another child process and waits for a connection. So now we have to find a return address, which we would then put after to offset in order to jump to the beginning of the string sent over, which is actually stored into the RSP register. Usually we would want to override the RIP register which contains the next instruction, but in this case the RBP is something like a temporary location to it, which is again explained in the video below.

So we actually override the contents of RBP with a return address which would point to the beginning of RSP, where we could put our shellcode.GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together. If nothing happens, download GitHub Desktop and try again.

If nothing happens, download Xcode and try again. If nothing happens, download the GitHub extension for Visual Studio and try again. Machines writeups until March are protected with the corresponding root flag. But since this date, HTB flags are dynamic and different for every user, so is not possible for us to maintain this kind of system.

So from now we will accept only password protected challenges and retired machines that machine write-ups don't need password. It is totally forbidden to unprotect remove the password and distribute the pdf files of active machines, if we detect any misuse will be reported immediately to the HTB admins. Anyway, all the authors of the writeups of active machines in this repository are not responsible for the misuse that can be given to the corresponding documents.

Please think that this is done to share techniques not for spoilers. In this way, you will be added to our top contributors list see below and you will also receive an invitation link to an exclusive Telegram group where several hints not spoilers are discussed for the HacktheBox machines. Please consider protecting the text of your writeup e.

Of course, if someone leaks a writeup of an active machine it is not the responsibility of the author. If we detect someone who does it, they will immediately report to the HTB Staff so they can take the appropriate measures.

Note: the minimum requirement to enter the "special" Telegram group is also to have a hacker level or higher no script kiddies. Hack the Box is a superb platform to learn pentesting, there are many challenges and machines of different levels and with each one you manage to pass you learn a new thing.

But talking among ourselves we realized that many times there are several ways to get rooting a machine, get a flag That's why we created this repository, as a site to share different unofficial writeups to see different techniques and acquire even more knowledge. That is our goal and our passion, to share to learn together. Some people have been distrustful because in this repository there are writeups of active machines, even knowing that absolutely each one of them is protected with the corresponding password root flag or challenge.

But We did not want to give up this because we think the most interesting thing for a HTB player is to check other users' walkthroughs right after they get it, that is, not wait for weeks or months afterwards. For this reason, we have asked the HTB admins and they have given us a pleasant surprise: in the future, they are going to add the ability for users to submit writeups directly to HTB which can automatically be unlocked after owning a machine.

And also, they merge in all of the writeups from this github page. Simply great! Therefore it is a real pride that they have decided to include the functionality of this repo directly on their platform.

When this is done, this Github will be migrated and will be inactive but with a pleasantly fulfilled mission. Until then, Keep pushing! Skip to content. Dismiss Join GitHub today GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.This is a Linux based CTF challenge where you can use your basic pentest skill to compromise this VM to escalate the root privilege shell.

The difficulty level of the lab is set easy to intermediate at the phase of initial foothold and once the machine is get compromised the privilege escalation phase is very easy. To capture the flag, you need to find user. This CTF is started to run on a virtual box, so use a virtual box to run this machine. Time to identify the IP of the host machine with the help of netdiscover.

Here we have Using an aggressive nmap scan, we only found two open ports, i. Then we go to the web directory listing and use the starting directory brute force with the help of dirb. The secret. So we try to navigate the following URL as per hint, and this approach works as shown in the image below. At the end of the web page, the author left us with a comment as a hint. We have been able to access the file location.

What is omadmdaemon

Also, location. To get the password file we try to explore the following URL:. After login into WordPress, we try to inject malicious php script via theme templates or by installing new plugin, but all of them fail because they have no writable permission. We, therefore, write use msfvenom following command for generating malicious php code in raw format.

Then copy the highlighted code for injected inside secret.

HackTheBox - Canape write-up

When everything is set up, we try to trigger our malicious php script by running the following URL:. As we already know the kernel version of the host therefore without wasting time we look for a kernel exploit in the google and found the Metasploit module for exploiting the kernel.

12 keys of music

A good blog as always I got from hacking articles. But this machine has an intended solution at root part without kernel exploit.

ippsec ctf

And this was not easy. So please can you attach that intended part. Hello Dear I know there are multiple ways to root this lab but as this post help us to complete the cheatsheet of CTFs of vulnhub writeup, therefore I go for the shortest way. But surely we will extend this post by adding another method to root as this was an interesting lab for us and we enjoy it.

I am trying the enc route without success I might add. Any advise? I though before he got image. I entered the password as given here, then also it shows the msg of invalid password… Please help. Your email address will not be published.

Notify me of follow-up comments by email.

ippsec ctf

Notify me of new posts by email. Like this: Like Loading Leave a Comment Cancel Reply Your email address will not be published.Traverxec was a relatively easy box that involved enumerating and exploiting a less popular webserver, Nostromo. After I put out a Lame write-up yesterday, it was pointed out that I skipped an access path entirely - distcc.

Yet another vulnerable service on this box, which, unlike the Samba exploit, provides a shell as a user, providing the opportunity to look for PrivEsc paths. It does throw one head-fake with a VSFTPd server that is a vulnerable version, but with the box configured to not allow remote exploitation.

As www-data, I can access the Restic backup agent as root, and exploit that to get both the root flag and a root ssh key. I recently ran into a challenge where I was given a Java Jar file that I needed to analyze and patch to exploit.

Sniper involved utilizing a relatively obvious file include vulnerability in a web page to get code execution and then a shell. The first privesc was a common credential reuse issue. The second involved poisoning a. Most of the time, this is managed by the package management system. When you run apt install x, it may do some of this behind the scenes for you.

But there are times when it is really useful to know how to interact with this yourself. Forest is a great example of that.

Wiccan altar set up for beginners

Then I can take advantage of the permissions and accesses of that user to get DCSycn capabilities, allowing me to dump hashes for the administrator user and get a shell as the admin. Postman was a good mix of easy challenges providing a chance to play with Redis and exploit Webmin.

Prime: 1 Vulnhub Walkthrough

That same password provides access to the Webmin instance, which is running as root, and can be exploited to get a shell. BankRobber was neat because it required exploiting the same exploit twice.

I can overwrite that myself to get a shell. Scavenger required a ton of enumeration, and I was able to solve it without ever getting a typical shell.


The box is all about enumerating the different sites on the box and using an SQL injection in whois to get them alland finding one is hacked and a webshell is left behind. Json involved exploiting a. NET deserialization vulnerability to get initial access, and then going one of three ways to get root. Still, it got patched, and two unintended paths came about as well, and everything turned out ok.

ippsec ctf

This has now been patched, but I thought it was interesting to see what was configured that allowed this non-admin user to get a shell with PSExec. AI was a really clever box themed after smart speakers like Echo and Google Home. Player involved a lot of recon, and pulling together pieces to go down multiple different paths to user and root. I can use that information to get credentials where I can SSH, but only with a very limited shell.Find service and version.

Find known service bugs. Find configuration issues. Every error message. Every URL path. Every version exploit db. Every version vulnerability. User enumeration. Password bruteforce. Default credentials google search. MSF Aux Modules. Download software Gather version numbers. Default Creds. Creds previously gathered. Download the software. List of exploits. Copy proof.

Dump hashes. Dump SSH Keys. Delete files. Reset Machine. Rowbot's PenTest Notes. General methodology. OSCP Templates. Attack Types. Transferring files. Password cracking. Useful Linux Commands. Buffer Overflow. TCP Dump Commands. Privilege Escalation.

One thought on “Ippsec ctf

Leave a Reply

Your email address will not be published. Required fields are marked *