Revenge CTF

The document outlines a penetration testing process for a target IP, detailing steps such as reconnaissance using Nmap, enumeration through Gobuster and SQL queries, and exploitation via SQL injection with sqlmap. It describes privilege escalation by cracking hashes with John and gaining root access through service manipulation. The final steps include altering an index.html file to capture the last flag.

Uploaded by jigneshunagar05

TryHackMe

Revenge
IP: 10.201.20.220
Penetration Testing Methods
• Reconnaissance
Nmap

• Enumeration
Gobuster/dirsearch
Trying SQL Queries

• Exploiting
SQL Injection using sqlmap

• Privilege Escalation
Cracking Hash with John
Gaining root access
Capturing the flag
1. Reconnaissance
Starting with the network mapping, we found 2 open ports: 80, which
hosts a website, and 22, which is SSH.
Let's check the content of the website.

Many technologies are in use on the website.


2. Enumeration
Moving forward with the enumeration, either of the 2 tools (Gobuster or
dirsearch) can be used for directory brute-forcing.

Not the output we needed for further enumeration.


Moreover, we could try some SQL queries on the webpage to see whether
it is vulnerable or not.
Some common ones are ', ", ==, ' ==1, etc.
The thing noticed on the website is that in the product directory, if
we type 1 the first product page opens, and likewise with 2, 3, 4.
From here we could consider trying SQL injection using sqlmap on the
target.
3. Exploiting
Starting with sqlmap:
For displaying the databases, use --batch --dbs.
For displaying the tables in a specific database, use -D <database name>
and --tables; a specific table is selected with -T <table name>.
For getting the contents of the table, use --dump.

The databases are:

There are 5 databases in total.


Of these, information_schema and performance_schema are created by
default, so they are not worth checking.
As given in the lab, we have to break into ducky.inc, so we should go
ahead with the first database we found.
Now, to fetch the table in the database

And we have found 3 tables in the duckyinc database.

Now we have to dump all the output from the tables.

Here we have got many interesting things after we dumped the database.
We have found many usernames and hashes that we could crack and use to
log in over SSH.
Now it's time to crack the hashes using john.
It is simple: just create a txt file of all the hashes and run john on
it.

Here it has given the cracked password for the first user.

Now that we have the username and the cracked password from john, we can
use them to log in with SSH.
And here we have access as the normal user and the other flag, just by
using some common commands.
4. Privilege Escalation

Since we have the password for the normal user, we can check what we are
allowed to run with sudo.
These are the commands we can run as root:
/bin/systemctl start duckyinc.service,
/bin/systemctl enable duckyinc.service,
/bin/systemctl restart duckyinc.service,
/bin/systemctl daemon-reload,
sudoedit /etc/systemd/system/duckyinc.service
This means that to get root access we have to:
Start the duckyinc.service
Enable the duckyinc.service
Restart the duckyinc.service
Reload the systemd manager configuration
Edit the duckyinc.service file using sudoedit.

The edited service copies the bash binary to /tmp and gives it the SUID
bit, so the copy runs as root.
Now we just need to restart the service.
After restarting the duckyinc service and running the SUID bash copy, we
have root access.
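As an added defender-side example (not part of the original write-up), the check below parses a sudoers rule set and flags the combination this section abuses: a user who may both sudoedit a systemd unit file and (re)start that unit effectively has root. The sample sudoers text, the usernames webadmin and deploy, and the nginx rule are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple
# Constructed sudoers sample (assumed, not taken from the machine): it mirrors the
# five commands the write-up lists, plus an unrelated harmless rule for contrast.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
webadmin ALL=(root) NOPASSWD: /bin/systemctl start duckyinc.service, \\
    /bin/systemctl enable duckyinc.service, /bin/systemctl restart duckyinc.service, \\
    /bin/systemctl daemon-reload, sudoedit /etc/systemd/system/duckyinc.service
deploy ALL=(root) NOPASSWD: /bin/systemctl status nginx.service
"""
UNIT_RE = re.compile(r"([\w.@-]+\.service)\b")
UNIT_DIRS = ("/etc/systemd/", "/lib/systemd/", "/usr/lib/systemd/")
START_VERBS = ("start", "restart", "reload-or-restart")

def parse_sudoers(text: str) -> Dict[str, List[str]]:
    """{user: [command, ...]} from user specs; joins backslash continuations,
    skips comments/Defaults, drops the (runas) field and TAG: prefixes."""
    rules: Dict[str, List[str]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        user, _, spec = line.partition(" ")
        if "=" not in spec:
            continue  # not a user specification (e.g. an alias line)
        cmnds = re.sub(r"^\s*\([^)]*\)\s*", "", spec.partition("=")[2])
        for cmd in cmnds.split(","):
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # strip NOPASSWD: etc.
            if cmd:
                rules.setdefault(user, []).append(cmd)
    return rules

def unit_edit_escalations(rules: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Flag (user, unit) where sudo allows both editing a unit file and (re)starting
    that unit: the edited ExecStart= runs as root, so this is full root in disguise."""
    findings = []
    for user, cmds in rules.items():
        if "ALL" in cmds:
            continue  # full root by design; nothing subtle to report
        editable, startable = set(), set()
        for cmd in cmds:
            p = cmd.split()
            if len(p) > 1 and p[0].endswith("sudoedit") and p[1].startswith(UNIT_DIRS):
                editable.update(UNIT_RE.findall(p[1]))
            elif len(p) > 2 and p[0].endswith("systemctl") and p[1] in START_VERBS:
                startable.update(UNIT_RE.findall(p[2]))
        findings.extend((user, unit) for unit in sorted(editable & startable))
    return findings
```

Running it on the sample reports only webadmin with duckyinc.service; the deploy user, who can merely query status, is not flagged.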
NOTE: For the third flag you just need to locate the index.html and
alter it; doing so will give the flag.

Here we have our index.html, and now we need to alter the header (h1).

And now, after altering the file, we have the last flag.
