Joker

May 12, 2021•364 words

HA Joker CTF - THM

Run your favourite scan, there should be three ports open on this machine. At first, port 80 is the only viable option (the others are SSH and a web server on 8080 that requires a password). If you are a Batman fan, take the time to check out all the quotes, including the ones in the source code. They are pointless CTF-wise, but they are awesome. Find the secret directory using a buster (add common extensions so you are sure not to miss it, as I did). That file gives you a username (two actually, but it's an easy guess). No sight of a password, so brute forcing must be the way in. Here is a possible command to brute force HTTP basic authentication:

hydra -l <username> -P /usr/share/wordlists/rockyou.txt -s 8080 -f <ip> http-get /

Once you have the password, login. The CMS is fairly empty, you should have no trouble running another bust to find the directories that interest you (one gives you a zip file, one would allow you to access the management dashboard if you had proper credentials).

Download the zip, it's password protected. You must use zip2john or something similar to crack it.

Restore the database from the file: if it's your first time, the steps are to first create a new database, and then pull the file into it to be able to use it. As always, Google gives you more than enough HOW-TOs to survive on your own. Once you are done, navigate to the "users" table and extract the hash, then crack it.

Once you have access to the administrator dashboard, it's almost the same as the usual Wordpress trick. Navigate to a template, select one and write a reverse shell code onto it. Then, on the website, trigger its activation by navigating to the page you modified.

You should get a reverse shell as a user that is in the lxd group. If it has already happened to you, you might remember that this is going to mean instant root with a few basic steps. If this is the first time you see something like this, check out https://www.hackingarticles.in/lxd-privilege-escalation/ or search "LXD local privesc" on Google.

👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

Subscribe to the author

You'll only receive email when they publish something new.

More from emacab98
All posts

Jack

May 11, 2021•345 words

Jack - THM It's a Wordpress blog, so usual user enumeration vulnerability due to the error message. Wp-scan identifies three users (jack, danny & wendy). Look around a while, but it seems clear very quickly that you should try your hand at brute forcing (not a fan, don't like this in challenges). I don't know if there is a different intended way to gain access, but this worked (although it took some time). I would suggest a brute force against Xmlrpc, and don't use a huge wordlist (rockyo...

Read post

Thompson

May 16, 2021•138 words