Avengers Write up

Hello there, fellow avenger. Today I will walk you through the Avengers machine on TryHackMe:- https://tryhackme.com/room/avengers

It is a fairly easy machine, so let's begin.



Avengers Assemble!!

Problem 1:- Cookies

There were 2 ways to get this flag:

  •  Check the page source (Ctrl+U) and you will find a hint:-

and then open the /js/script.js URL to get flag1:-

  •  The alternative is to use the Inspect Element (F12) developer tools in the Firefox browser and read the cookie the page sets:-






Problem 2:- HTTP headers

For this problem we simply navigate to the Network tab of the developer tools, as in the previous problem, select the request for the page and read through its HTTP response headers:-
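The same two pieces of information (a cookie for Problem 1 and a response header for Problem 2) can be pulled out of the raw response, which is what you see in Burp or with curl -i. The following is an added example, not code from the original write-up; the sample response, the header name X-Example-Flag and every value in it are constructed placeholders, not the room's real names or flags.

```python
"""Pull headers and cookies out of a raw HTTP response.

Added example (not from the original write-up). The sample response below is
constructed; the header and cookie names/values are placeholders.
"""
from http.cookies import SimpleCookie

# Constructed sample response; values are placeholders, not the real flags.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: flag1=PLACEHOLDER_COOKIE_VALUE; Path=/\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "X-Example-Flag: PLACEHOLDER_HEADER_VALUE\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Headers come back as a list of (name, value) pairs, because a name such
    as Set-Cookie legitimately repeats and a dict would drop one of them.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_code, headers, body


def cookies_from_headers(headers):
    """Return {cookie_name: value} collected from every Set-Cookie header."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            for key, morsel in cookie.items():
                jar[key] = morsel.value
    return jar


def nonstandard_headers(headers):
    """Headers outside the usual response set: a quick way to spot
    something a challenge author (or a misconfigured app) added."""
    common = {
        "date", "server", "content-type", "content-length", "set-cookie",
        "connection", "keep-alive", "vary", "cache-control", "expires",
        "etag", "last-modified", "transfer-encoding",
    }
    return {n: v for n, v in headers if n.lower() not in common}


if __name__ == "__main__":
    status, hdrs, _ = parse_response(SAMPLE_RESPONSE)
    print(status)                     # 200
    print(cookies_from_headers(hdrs))
    print(nonstandard_headers(hdrs))
```

In the browser the same data sits under Storage (cookies) and Network (headers); the point of parsing the raw response is that nothing the browser hides (an HttpOnly cookie, an unusual header) is hidden here.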


After gathering the 2 flags I snooped around the website in order to find something of value,

and interestingly found something that can be used later:-

Looks like Rocket left Groot's password out in the open on the homepage.

Problem 3:- Enumeration and FTP

After footprinting the website a little we move into the next phase of hacking, i.e. scanning and enumeration.
For this we will use our trusty scanner, nmap:

nmap -sC -sV <machine's IP> -oA <filename>

-sC - runs nmap's default script set against the open ports (the same as --script=default)
-sV - probes the open ports to identify the service and version running on each (the port scan itself happens regardless of this flag)
-oA - saves the output in all three formats: <filename>.nmap (normal), <filename>.gnmap (grepable) and <filename>.xml

This is my personal preference for this machine; you can play around with nmap and try different combinations.

So, the output of our nmap scan looks something like this:-

We found that there are 3 ports open on this machine:

port 21 - FTP
port 22 - SSH
port 80 - HTTP
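Because -oA also writes a grepable .gnmap file, the open ports can be read back out of it for the next step instead of copied from the screen. The following is an added example, not code from the original write-up; the scan output in it is constructed to match the three ports found above, with the version fields left empty rather than guessed and the IP address 10.10.10.10 used as a placeholder.

```python
"""Read open ports back out of the .gnmap file written by `nmap -oA`.

Added example, not from the original write-up. The scan output below is
constructed; the IP is a placeholder and the version fields are left empty.
"""

# Constructed .gnmap content. Real files use a tab between the Host, Ports
# and Ignored State fields, and each port entry has the layout
# port/state/protocol/owner/service/rpc_info/version/
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: "
    "nmap -sC -sV -oA avengers 10.10.10.10\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp///, "
    "22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (997)\n"
    "# Nmap done at Mon Jan  1 00:00:12 2024 -- "
    "1 IP address (1 host up) scanned in 12.34 seconds\n"
)


def parse_gnmap(text):
    """Return {host: [{"port", "proto", "state", "service", "version"}, ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the comment lines nmap adds at top and bottom
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue  # malformed entry; keep going with the rest
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                hosts[host].append({
                    "port": int(port), "proto": proto, "state": state,
                    "service": service, "version": version,
                })
    return hosts


def open_ports(hosts, host):
    """Sorted port numbers nmap reported as open for one host."""
    return sorted(p["port"] for p in hosts.get(host, []) if p["state"] == "open")


def service_on(hosts, host, port):
    """Service name nmap assigned to a port, or None if the port is absent."""
    for p in hosts.get(host, []):
        if p["port"] == port:
            return p["service"]
    return None


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(open_ports(scan, "10.10.10.10"))      # [21, 22, 80]
    print(service_on(scan, "10.10.10.10", 21))  # ftp
```

The .xml file carries the same data plus script output and is what tools like searchsploit --nmap consume; the grepable format is just the quickest to parse by hand.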

We log in to FTP using the command:-
ftp <machine's IP>
We are asked for a login ID and password.

As we found Groot's password on the homepage, we can try it to log in to the FTP share (FTP sends credentials in cleartext, which is one more reason a password lying around on a web page is so useful to an attacker):

ID: groot
password: ********

and voila! We have access to the FTP share on the machine.

Navigate around the share (ls, cd) and you will find flag3; get <file> downloads it to your own machine.

Problem 4:- Gobuster

Further enumeration requires us to list the directories hosted on the web server; for this we'll use a fast and handy directory discovery tool called Gobuster.

Gobuster brute-forces directory and file names on the web server by requesting each entry in a wordlist and reporting those the server answers with a status such as 200, 301 or 403 rather than 404.

The following command performs the directory discovery:-

gobuster dir -u http://<machine's IP>/ -w <preferred wordlist>

dir - the dir mode tells Gobuster that we want to perform directory discovery (it also has dns and vhost modes)
-u - specifies the URL we want to scan
-w - specifies the wordlist to use, for example /usr/share/wordlists/dirb/common.txt on Kali

The output will look something like this:-

On checking all the URLs discovered by Gobuster,
/portal is the one that has a login form:-


Problem 5:- SQL Injection

SQL (Structured Query Language) is the language used to query databases. SQL injection is an attack in which user input is placed unescaped into a query, letting us alter that query to reveal database names, table names and the data in the columns (such as usernames and passwords), or, as in this case, to simply change the login query so that it lets us in.

We will use the payload
' OR 1=1 --

in the username field as well as the password field.

The application (on the server, not the browser) pastes our input straight into its query, so the database receives something like:-

select * from USERS where username = '' OR 1=1 --' and password = '' OR 1=1 --'

The first single quote closes the empty username string, OR 1=1 makes the condition true for every row, and -- turns the rest of the line into a comment, so the password check never runs. In other words: "Hey database, as you know 1=1 is always true, so let me in through this portal." One caveat: MySQL only treats -- as a comment when it is followed by a space, so against MySQL add a trailing space after -- or use # instead.
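To see the bypass work, and what stops it, here is an added example (not code from the original write-up or the room): a toy login check built the way the portal behaves, with the input concatenated into the SQL string, next to the parameterised version that treats the same input as data. The users table, its single admin account, the column names and the use of SQLite are constructed for this example; the write-up does not show the room's real schema or database engine.

```python
"""Why `' OR 1=1 --` logs you in, and what stops it.

Added example, not from the original write-up. The users table, its one
account and the column names are constructed for this demonstration.
"""
import sqlite3

PAYLOAD = "' OR 1=1 --"  # the payload from the write-up, used in both fields


def make_db():
    """In-memory database with a constructed users table and one account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    con.commit()
    return con


def render_query(username, password):
    """The exact SQL string the vulnerable code sends to the database."""
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def vulnerable_login(con, username, password):
    """Concatenates input into the query (deliberately vulnerable): the quote
    in the payload closes the string literal, OR 1=1 makes the WHERE clause
    true for every row and -- comments out the password check.
    Returns the first matching username, or None."""
    row = con.execute(render_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Parameterised query: the driver binds the payload as a plain string,
    so it can only match a user literally named ' OR 1=1 --."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print(render_query(PAYLOAD, PAYLOAD))
    print("vulnerable:", vulnerable_login(con, PAYLOAD, PAYLOAD))  # admin
    print("safe:", safe_login(con, PAYLOAD, PAYLOAD))              # None
```

Parameterised queries are the fix for the injection itself; the plaintext password column is kept only to keep the example short and is not how a real application should store credentials. SQLite accepts -- without a trailing space, so the payload works here as written; on MySQL you would need the trailing space or # mentioned above.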



Problem 6:- Remote Code Execution and Linux


As we can see on the home page, there is a field that executes commands on the machine for us.

First we check which directory we are working in, using the pwd command:-

The ls command gives the following output:-

ls displays the files and folders present in our current directory, i.e. the avengers directory;

to list hidden files and folders as well, use ls -la.

The flag doesn't seem to be in this directory, so we use cd to change directory and chain it with ls in the same command (e.g. cd <directory>; ls), since each submitted command typically runs in a fresh shell and a bare cd would not persist between requests:-

Looks like we found flag5; now all we have to do is read its contents.

But wait, this machine has disabled the cat command, which is normally used to read the contents of a text file:-

To overcome this we have 2 ways:

1. tac, which is cat spelled backwards and prints the file with its lines in reverse order:-

 2. We can also use the less pager, which displays the file's contents just as cat would:-

Blocking only the cat binary is a blacklist, and blacklists are easy to get round: head, tail, more, strings and a shell while-read loop will all print a text file too.

Hence, this way we found the 5th flag and completed the box!!!

