
Borderlands CTF

Let's start Borderlands.

At first the machine doesn't look insane at all: getting the initial shell is not that hard, but what was new for me was pivoting through the router and reading the data.

Walkthrough:

Let's start with an nmap scan:
nmap -sC -sV <ip>



Okay, so port 80 has an HTTP server.

I will run dirbuster to check for directories; alongside that we can look at the APK they provide. I took the hint: the first key is in the APK.



Here we go, we can already see something interesting: an exposed .git directory, so let's extract the source code from it.
I used GitTools to dump and extract all of the source: https://github.com/internetwache/GitTools

I checked out the first commit to find out whether anything had leaked in the source code.
According to the hint, the WEB key will be in the webpage.



So we got our first flag, and api.php shows us the first 20 characters of every key.

Let's search for the GIT flag:
grep -rn GIT
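What GitTools' Extractor does under the hood, as an added example that is not part of the original post or of the GitTools project: git keeps every version of every file as a zlib-compressed loose object under .git/objects, so a value that was removed in a later commit is still readable as long as its blob is there. A grep over a checkout only sees the working tree of the commit you checked out; a grep over the decompressed objects sees content from every commit. The code assumes a dumped .git directory on disk and builds a constructed sample (a fake api.php in two revisions, not the room's real content) to search. Packfiles under .git/objects/pack are not handled here; GitTools or `git unpack-objects` cover those.

```python
import hashlib
import os
import re
import tempfile
import zlib


def write_loose_object(git_dir, kind, payload):
    """Store `payload` as a loose object the way git does
    (zlib-compressed "<kind> <size>\\0<payload>"); returns the object id."""
    raw = f"{kind} {len(payload)}".encode() + b"\0" + payload
    oid = hashlib.sha1(raw).hexdigest()
    subdir = os.path.join(git_dir, "objects", oid[:2])
    os.makedirs(subdir, exist_ok=True)
    with open(os.path.join(subdir, oid[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))
    return oid


def iter_loose_objects(git_dir):
    """Yield (oid, kind, body) for every loose object under .git/objects.
    Packed objects are skipped: they live in objects/pack, not in 2-char dirs."""
    objects = os.path.join(git_dir, "objects")
    for sub in sorted(os.listdir(objects)):
        if len(sub) != 2:
            continue
        for name in sorted(os.listdir(os.path.join(objects, sub))):
            with open(os.path.join(objects, sub, name), "rb") as fh:
                raw = zlib.decompress(fh.read())
            header, _, body = raw.partition(b"\0")
            kind = header.split(b" ")[0].decode()
            yield sub + name, kind, body


def grep_blobs(git_dir, pattern):
    """Search every blob (file content from any commit) for `pattern`.
    Returns a list of (oid, matching_line); commits and trees are skipped."""
    rx = re.compile(pattern)
    hits = []
    for oid, kind, body in iter_loose_objects(git_dir):
        if kind != "blob":
            continue
        for line in body.decode("utf-8", errors="replace").splitlines():
            if rx.search(line):
                hits.append((oid, line.strip()))
    return hits


def build_demo_repo():
    """Constructed sample (not data from the room): an old revision of api.php
    with a hardcoded key and a newer one that reads it from the environment.
    Returns (git_dir, oid of the old blob)."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    old = b"<?php\n$api_key = 'GIT-EXAMPLE1234';\n"
    new = b"<?php\n$api_key = getenv('API_KEY');\n"
    old_id = write_loose_object(git_dir, "blob", old)
    write_loose_object(git_dir, "blob", new)
    write_loose_object(git_dir, "commit",
                       b"tree " + b"0" * 40 + b"\n\nremove hardcoded key\n")
    return git_dir, old_id


if __name__ == "__main__":
    repo, _ = build_demo_repo()
    # Point grep_blobs at a real dumped .git to search every historical file.
    for oid, line in grep_blobs(repo, r"GIT-"):
        print(oid[:12], line)
```

The hit comes from the old blob even though the newer revision no longer contains the key, which is the same reason checking out the first commit paid off above.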


So we got the GIT flag, but of the AND flag we can see only the first 20 characters, so I extracted the app using apktool:

apktool d mobile.apk
grep -rn api_key


Here we got the encrypted key, but we also have the plaintext prefix, so let's see whether a Vigenère cipher works.
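The known-plaintext attack this step relies on, as an added example that is not code from the original post: with the first 20 characters of the key leaked by api.php and the full ciphertext from the APK, each leaked letter gives one keystream letter (C - P mod 26); if that keystream visibly repeats, the repeat is the key, and the key decrypts the rest. It assumes the classic A-Z Vigenère (digits and punctuation pass through unchanged), and the key, plaintext and ciphertext below are constructed sample values, not the room's. When the known prefix is shorter than the key no repetition is seen and the function returns None rather than guessing.

```python
import string

ALPHABET = string.ascii_uppercase  # assumption: classic A-Z Vigenère


def vigenere(text, key, decrypt=False):
    """Encrypt (or decrypt) `text` with a repeating-key Vigenère cipher.
    The key index only advances on letters, so '-' and digits are copied as-is."""
    shifts = [ALPHABET.index(k) for k in key.upper()]
    out, j = [], 0
    for ch in text:
        c = ch.upper()
        if c not in ALPHABET:
            out.append(ch)
            continue
        k = shifts[j % len(shifts)]
        k = -k if decrypt else k
        out.append(ALPHABET[(ALPHABET.index(c) + k) % 26])
        j += 1
    return "".join(out)


def recover_keystream(known_plain, cipher):
    """Known-plaintext step: keystream[i] = C[i] - P[i] (mod 26) per letter."""
    stream = []
    for p, c in zip(known_plain.upper(), cipher.upper()):
        if p not in ALPHABET:
            if p != c:
                raise ValueError(f"non-letter mismatch: {p!r} vs {c!r}")
            continue
        stream.append(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26])
    return "".join(stream)


def recover_key(known_plain, cipher):
    """Return the shortest key whose repetition reproduces the keystream, or
    None when the keystream never repeats (known prefix shorter than the key)."""
    stream = recover_keystream(known_plain, cipher)
    for n in range(1, len(stream)):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None


def recover_api_key(known_prefix, cipher):
    """The post's situation: api.php leaks a prefix, the APK holds the whole
    ciphertext. Returns (key, full_plaintext) or (None, None)."""
    key = recover_key(known_prefix, cipher)
    if key is None:
        return None, None
    return key, vigenere(cipher, key, decrypt=True)


# Constructed sample values (hypothetical; not the room's key or ciphertext).
SAMPLE_KEY = "BORDER"
PLAIN_API_KEY = "THM-SAMPLEWEBAPIKEYFORTHISEXAMPLEONLY"
CIPHER_API_KEY = vigenere(PLAIN_API_KEY, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_api_key(PLAIN_API_KEY[:20], CIPHER_API_KEY)
    print("ciphertext :", CIPHER_API_KEY)
    print("key        :", key)
    print("plaintext  :", plain)
```

The shortest repeating pattern is only a confident answer when the leaked prefix covers the key at least twice; with 20 known characters that means a key of up to about 10 letters, which is why the leak in api.php is enough here.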



Alright, it was a tedious task, but we got the API key.

Now that we have the web API key we can access the web API.


Here we go with our low-hanging fruit: SQLi.

Let's try uploading a shell.
Finally uploaded after many unsuccessful tries.

Now I have to upload a reverse shell. I will use the pentestmonkey PHP reverse shell,
with pwncat as the listener:

pwncat --listen --port 4444


Here we go with our webapp flag.
I spent a few hours but ended up without any privesc idea. According to the hint we need to port scan, so I tried out the binary suggested by deskel.
I used pwncat to upload it.

Damn, I tried hard, but the 2 MB file would not upload, so I used the same method with the file split into 516k chunks, combined them on the target, and then scanned the IP 172.16.1.128.
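An alternative to pushing a 2 MB scanner binary through the shell in chunks, as an added example that is not part of the original post: a TCP connect scan needs nothing but a socket, so if the foothold host has a Python interpreter (the post does not say whether it does) a few dozen lines do the same job as the uploaded binary, and the same code works from the attacking machine once the internal network is forwarded. Connect scans complete the full handshake, so they need no root or raw sockets but do show up in the target's service logs. The target address below is the one from the post; the service hints are just the two services the post found.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Services the post found on the internal host (for labelling output only).
SERVICE_HINTS = {21: "ftp", 179: "bgp"}


def probe(host, port, timeout=0.5):
    """Full TCP connect to one port; True if the handshake completes.
    Refused, timed out and unreachable all count as not open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # covers ConnectionRefusedError, socket.timeout, EHOSTUNREACH
            return False


def scan(host, ports, timeout=0.5, workers=64):
    """Connect-scan `ports` on `host` concurrently; returns sorted open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


if __name__ == "__main__":
    import sys
    # 172.16.1.128 is the internal host the post scanned; override on the CLI.
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.1.128"
    for p in scan(target, range(1, 1025)):
        print(f"{p}/tcp open  {SERVICE_HINTS.get(p, '')}")
```

Keep the timeout short on an internal link (the router answers quickly) and raise `workers` only as far as the foothold's file-descriptor limit allows; each probe holds one socket for at most `timeout` seconds.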


So we can see FTP and BGP, but the compromised host has no client to access these services. Basically we need to port forward them to our local machine.

Here I ran out of ideas; I tried using ncat, but it didn't work: connection refused.
It wasted a few hours, but I went with the meterpreter method.

So let's log in to FTP.

From here we can see an old version of the FTP server.

All hail msf.


Here you go with root. I forwarded another port, since at first it was not working as a local port forward.

With that, I will try the other part someday.
No idea again about how to move forward.




