Skip to main content

HA Joker CTF




HA Joker CTF

Summary(Mentioned by creator):
  1. Enumerate Services
    - Nmap
  2. Bruteforce
    - Performing Bruteforce on files over http
    - Performing Bruteforce on Basic Authentication
  3. Hash Crack
    - Performing Bruteforce on hash to crack zip file
    - Performing Bruteforce on hash to crack mysql user
  4. Exploitation
    - Getting a reverse connection
    - Spawning a TTY Shell
  5. Privilege Escalation
    - Get root taking advantage of flaws in LXD
Rating: Medium

Walkthrough:

1. Enumeration:

Starting with nmap scan

So we can see port 80 and 8080 have http open but 8080 requires authentication

Alright here you go with webpage let's try out dirbuster


So we got phpinfo.php we can checkout which php version it is using.

we landed on one more file which seems a bit interesting


As we can see the potential username can be joker.
So let's move on brute force I will use hydra to get password for 8080 port.

With that you can now see another webpage.

Now here we can see joker used joomla cms let's try login with same password.

Nope...

Let's run nikto here with user and password


Here we can see archive and admin portal let's check archive for creds
with same passwords as of http we can unzip it.

Now we have superduper user
Let's login and get shell in joomla

From here let's change the template with php reverse shell


I used pwncat and got shell as we can see www-data is part of lxd we can privesc using lxd containers

check out this blog for getting better understanding of privesc using lxd


Comments

Post a Comment

Popular posts from this blog

Forensics

This is a memory dump of compromised system, do some forensics kung-fu to explore the inside. The Following Room is walkthrough of Forensics Machine of tryhackme
Post a Comment
Read more

Brooklyn 99

This is writeup of Brooklyn nine nine room in tryhackme.com Summary: Easy Room just required standard enum. The entry point is by bruteforcing through hydra and then using gtfo. Walkthrough: nmap -sC -sV <ip> We can see anonymous ftp login and a note. So we can see jake is username and we need to bruteforce for the password. ok. Now enum http port So here we have a clue. Nope maybe a rabbit hole. Let's do bruteforce in ssh port with hydra Alright got ssh pass Here we go simple gtfo and rooted Another rabbit hole. If you dirbust with jpg extension will result this pic This pic containes hidden data which turns out to be troll.
Post a Comment
Read more

Borderlands CTF

Let's start borderland In starting the machine doesn't look insane at all getting initial shell is not that hard but what new for me was pivoting the router and reading the Data. Walkthrough: Let's start with nmap scan nmap -sC -sV <ip> Okay so port 80 have http server I will run dirbuster to check for Directories with that we can check out the apk given by them. I took hint and the first key is in apk. Here we go we can already see something interesting lets extract out the source code with the .git. I used GitTools to extract all source code. https://github.com/internetwache/GitTools I checked out first commit to find out anything leaked within source code or not. According to hint the WEB key will be in webpage. So we got our first flag with it we can check out the first 20 letter of any key in api.php Let's search for GIT flag. grep -rn GIT So we got GIT flag but we can see 20 letter or AND flag only so i extracted the app using apktools apktool d mobile.apk g...
Post a Comment
Read more